Ten SamSam ransomware attacks have occurred since December 2017. Most of the attacks were on government and healthcare organizations in the United States; attacks were also documented in India and Canada. One attack, in January 2018, hit AllScripts. Because this EHR company's system was down for a number of days, 1,500 medical practices could not access patient files, and a few of them could not access patient data for 7 days.
Another SamSam ransomware attack hit the City of Atlanta in March 2018. To stop the ransomware from propagating, Atlanta had to power down its IT systems. The threat actor exploited a Windows Server Message Block v1 (SMBv1) vulnerability on a public-facing server to install the ransomware. The WannaCry and NotPetya attacks of May and June 2017 exploited a similar weakness.
Hancock Health was one of two Indiana hospitals that suffered a SamSam ransomware attack. Hancock Health chose to pay the ransom rather than restore the files from backups, in order to avoid interrupting its patient services. The Colorado Department of Transportation suffered two distinct SamSam ransomware attacks, one in February and the other in March.
Erie County Medical Center also suffered a ransomware attack as a result of an unpatched vulnerability. The center decided not to pay the ransom, but waited six weeks before its systems were functional again, and Erie County ended up spending a few million dollars to restore them.
It would appear that ransomware attackers target the government, healthcare and education sectors; however, the attacks on HHS and Cisco Talos demonstrate the opportunistic character of these campaigns. Because of the interruption to services and the cost of containing an attack, a number of healthcare providers prefer to pay the ransom.
The threat actors behind SamSam ransomware use a range of attack strategies, but the group is best known for exploiting vulnerabilities in public-facing servers and weakly secured Remote Desktop Protocol/Virtual Network Computing (RDP/VNC) servers. Some threat actors take advantage of exposed RDP connections and brute-force their way onto networks protected by weak passwords.
Immediately after gaining access to a server, the ransomware is deployed and spread laterally, causing considerable disruption. Even when companies have file backups and could restore their systems, business operations are interrupted for quite some time before restoration is complete. As a result, many companies decide to pay the ransom to avoid the delay. In one instance, the ransom demanded from the City of Atlanta amounted to $6,800 per infected endpoint.
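As an added example (not code from the original article), the Python script below flags the RDP password-guessing pattern described above in constructed, Windows-style logon events: a burst of failed RemoteInteractive logons from one source, and whether a successful logon from the same source followed. The one-line log format is a simplified assumption for the example, not real Windows event text.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines loosely modelled on Windows Security log events
# (4625 = failed logon, 4624 = successful logon; LogonType 10 = RDP). Not real telemetry.
SAMPLE_EVENTS = """\
2018-03-20T02:14:01 4625 LogonType=10 User=administrator Src=203.0.113.7
2018-03-20T02:14:09 4625 LogonType=10 User=admin Src=203.0.113.7
2018-03-20T02:14:20 4625 LogonType=10 User=backup Src=203.0.113.7
2018-03-20T02:15:02 4625 LogonType=10 User=administrator Src=203.0.113.7
2018-03-20T02:15:40 4625 LogonType=2 User=administrator Src=203.0.113.7
2018-03-20T02:16:11 4625 LogonType=10 User=administrator Src=203.0.113.7
2018-03-20T02:17:35 4625 LogonType=10 User=administrator Src=203.0.113.7
2018-03-20T02:18:04 4624 LogonType=10 User=administrator Src=203.0.113.7
2018-03-20T08:03:12 4625 LogonType=10 User=jsmith Src=198.51.100.4
2018-03-20T08:03:30 4624 LogonType=10 User=jsmith Src=198.51.100.4
2018-03-20T09:10:00 4625 LogonType=10 User=svc Src=192.0.2.9
2018-03-20T10:20:00 4625 LogonType=10 User=svc Src=192.0.2.9
"""

def parse_event(line):
    # Split one line into timestamp, event id and the key=value fields.
    ts, event_id, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.fromisoformat(ts), "id": int(event_id),
            "logon_type": int(kv["LogonType"]), "user": kv["User"], "src": kv["Src"]}

def find_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: details} for sources with >= threshold failed RDP logons
    inside `window`; details record whether a success followed (password guessed)."""
    failures, successes = defaultdict(list), defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["logon_type"] != 10:        # only RDP (RemoteInteractive) logons
            continue
        (failures if ev["id"] == 4625 else successes)[ev["src"]].append(ev)
    alerts = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs) - threshold + 1):
            if evs[i + threshold - 1]["ts"] - evs[i]["ts"] <= window:
                alerts[src] = {
                    "failures": len(evs),
                    "users": sorted({e["user"] for e in evs}),
                    "success_after": any(s["ts"] > evs[i]["ts"] for s in successes[src]),
                }
                break
    return alerts
```

On the sample, only 203.0.113.7 is flagged: six RDP failures across several account names inside five minutes and then a success, while the single user typo and the slow service-account failures stay below the threshold.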