
SamSam Ransomware Strain Kicks off 2018

Posted by Geraldine Hunt on Mon, Jan 22nd, 2018

Last year was the year that a single ransomware payment hit the $1 million mark. As the year progressed, we watched cybercriminals shift their focus from single users to targeted attacks on businesses and organizations. The massive scale of the WannaCry and Petya attacks sent shock waves through cybersecurity professionals and company boardrooms. While both attacks caused large disruptions in business operations that resulted in lost income and, in some cases, falling stock prices, the instigators behind the attacks made little or no money from their efforts. In many cases, however, the cost of dealing with the destruction and aftermath of ransomware attacks last year was far higher than any extortion payment.

According to Cybersecurity Ventures, ransomware damage costs are estimated at more than $5 billion. As a whole, ransomware attacks grew at a rate of 250% over the year prior, with one attack being launched every 40 seconds in the third quarter of last year. On average, businesses paid a total of $1,400 to retrieve the decryption keys from their attackers in order to reclaim their data. Although not every attack pays off for criminals, plenty do, which is why the ransomware industry keeps growing.

January Attack on Indiana Hospital

It hasn’t taken long for ransomware to capture the headlines in 2018. Hancock Health, a hospital located in Greenfield, Indiana, reported last week that it had been the victim of a ransomware attack that was discovered on January 11. The malware was identified as the SamSam strain, which leaves its calling card by renaming all infected files to “I’m sorry.” Unlike most ransomware variants, which rely on social engineering techniques such as phishing and malicious email attachments, SamSam targets unpatched servers by scanning the Internet for open RDP connections. The attackers then brute-force these RDP endpoints and, once inside, seek out critical files. In the case of Hancock Health, a third-party vendor’s administrative account for the hospital’s remote-access portal was compromised. Healthcare organizations are a popular target for the SamSam strain.
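The RDP entry route described above leaves a recognisable trace on the target: a burst of failed logons from one source address, often spraying several account names, followed by a success once a weak credential is found. The following is an added example of detection logic for that pattern; it is not code from the TitanHQ post. It assumes Windows Security events 4625 (failed logon) and 4624 (successful logon) have already been exported to a simple one-record-per-line text form, and the log lines are constructed for illustration.

```python
"""Detect RDP brute-force bursts in exported Windows Security log records.

Added example for illustration; it is not code from the TitanHQ post. It assumes
failed-logon events (Event ID 4625) and successful logons (Event ID 4624) have
been exported to a one-record-per-line text form with the fields:
timestamp, event ID, source IP, logon type, target account. Logon type 10 is
RemoteInteractive (RDP); type 3 also appears for RDP when Network Level
Authentication pre-authenticates the session.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPES = {"10", "3"}

# Constructed sample records (not real log data). 203.0.113.45 sprays several
# account names in a few seconds and then succeeds as vendor_admin; the other
# sources are ordinary failed logons that should not alert.
SAMPLE_LOG = """\
2018-01-10T02:14:01 4625 203.0.113.45 10 administrator
2018-01-10T02:14:03 4625 203.0.113.45 10 admin
2018-01-10T02:14:04 4625 203.0.113.45 10 vendor_admin
2018-01-10T02:14:06 4625 203.0.113.45 10 backup
2018-01-10T02:14:08 4625 203.0.113.45 10 administrator
2018-01-10T02:14:09 4625 203.0.113.45 10 root
2018-01-10T02:20:00 4625 198.51.100.7 10 jsmith
2018-01-10T02:31:00 4625 198.51.100.7 10 jsmith
2018-01-10T02:45:00 4625 192.0.2.9 2 jsmith
2018-01-10T02:14:10 4624 203.0.113.45 10 vendor_admin
"""


def parse_record(line):
    """Split one exported record into (timestamp, event_id, src_ip, logon_type, account)."""
    ts, event_id, src_ip, logon_type, account = line.split()
    return datetime.fromisoformat(ts), event_id, src_ip, logon_type, account


def detect_rdp_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return alerts keyed by source IP.

    A source alerts when it produces `threshold` or more RDP logon failures
    inside any `window_seconds` sliding window. A later successful RDP logon
    from an alerting source is recorded as a likely credential compromise.
    """
    records = sorted(
        (parse_record(line) for line in log_text.splitlines() if line.strip()),
        key=lambda rec: rec[0],
    )
    recent = defaultdict(deque)   # src_ip -> failure timestamps inside the window
    failures = defaultdict(int)   # src_ip -> total RDP failures seen
    accounts = defaultdict(set)   # src_ip -> account names tried
    alerts = {}
    for ts, event_id, src_ip, logon_type, account in records:
        if logon_type not in RDP_LOGON_TYPES:
            continue  # console and service logons are out of scope here
        if event_id == "4625":
            window = recent[src_ip]
            window.append(ts)
            # Drop failures that have aged out of the sliding window.
            while ts - window[0] > timedelta(seconds=window_seconds):
                window.popleft()
            failures[src_ip] += 1
            accounts[src_ip].add(account)
            if src_ip in alerts or len(window) >= threshold:
                alert = alerts.setdefault(
                    src_ip, {"failures": 0, "accounts": [], "success_after": False}
                )
                alert["failures"] = failures[src_ip]
                alert["accounts"] = sorted(accounts[src_ip])
        elif event_id == "4624" and src_ip in alerts:
            # A success from a source that was just brute-forcing is the
            # highest-priority signal: treat the account as compromised.
            alerts[src_ip]["success_after"] = True
            alerts[src_ip]["compromised_account"] = account
    return alerts


if __name__ == "__main__":
    for src_ip, alert in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(src_ip, alert)
```

The threshold and window are deliberately conservative; tune them against your own baseline of failed RDP logons, and treat the "success after burst" case as an incident rather than a noisy alert, since it is exactly how a vendor's administrative account ends up in an attacker's hands.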

The perpetrators behind the attack, who are believed to operate in Eastern Europe, demanded a ransom of four bitcoins, worth about $55,000 at the time of the attack. While doctors used pen and paper to perform their duties, hospital administrators considered their options. Although the attack was random in nature, it came at a bad time for the hospital. “We were in a very precarious situation at the time of the attack,” said Hancock Health CEO Steve Long. “With the ice and snow storm at hand, coupled with one of the worst flu seasons in memory, we wanted to recover our systems in the quickest way possible and avoid extending the burden toward other hospitals of diverting patients.” Thus, in the end, despite having the ability to recover all of their data from backups, they chose to pay the ransom 48 hours after the attack, as the cost of recovery exceeded the attackers' demands. Upon payment, the key was released and all operations were fully functional again by Monday morning.

Should You Pay and Play When Ransomware Hits?

The IT community, in general, is against paying. In a survey of the Spiceworks community, an online network of IT professionals, there was near unanimity against paying the ransom. This opinion was held even by members whose networks had been infected. These victims reported that most data was recoverable from backups, although they experienced data loss due to unmonitored and failed backups, as well as the loss of between 1 and 24 hours of data since their last backup cycle. We are assuming that the organization has a choice of paying the ransom or not. But if it has no unaffected backups, there is no choice but to pay the ransom.

Other Companies Involved in SamSam Attacks

Hancock Health was not the only victim of SamSam this month. Attacks were also reported involving another hospital in Indiana, a municipality in New Mexico and the well-known electronic health record systems company, Allscripts. Rob Mayes, the City Manager of the town of Farmington, which was hit by the attack, said that the FBI advised them not to pay the ransom of $35,000. Thanks to their effective data continuity plan, the city was able to recover all data and return to normal operations. Allscripts reported that it did not pay the ransom demanded. The bitcoin address used in the Hancock Health payout has received an inflow of 26 bitcoins since December 25 of last year. That translates to a value of nearly $300,000. If January is any indicator of the rest of the year, 2018 could prove to be yet another record year for ransomware.

There is much that can be done to mitigate the damage that a ransomware attack can create, and even to prevent one. Here are a few tips that will help you keep ransomware from wrecking your network and locking up your data:

  • Use the best spam filtering you can get to protect users from phishing links and attachments that carry malicious code
  • Implement layers of content filtering to block users and automated sessions from reaching websites that serve as malware download hubs
  • Run reputable anti-virus and anti-malware protection on endpoint devices
  • Use the 3-2-1 backup approach
  • Deploy gateway antivirus that scans all active Internet sessions and strips malware-infected code from packets
  • Disable Remote Desktop Protocol on any computers that are directly exposed to the Internet
  • Block files from running from within the AppData or LocalAppData folders
  • Conduct user training to make users more skeptical, defensive and proactive
  • Protect privileged credentials at endpoints
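The 3-2-1 item in the list above, together with the survey finding that victims lost data to unmonitored and failed backups, is the kind of policy that is easy to state and easy to let drift. The following is an added example of a check that reads a backup inventory and reports whether the organization actually still has what 3-2-1 promises; it is not code from the TitanHQ post. The inventory format, job names and timestamps are constructed, and the rule is read as the production data plus at least two backup copies, on at least two media types, with at least one copy off-site.

```python
"""Check backup copies against the 3-2-1 rule and flag failed or stale jobs.

Added example for illustration; not code from the TitanHQ post. The inventory
format, job names and timestamps are constructed. The rule is read as: the
production data plus at least two backup copies (three copies in total), on at
least two different media types, with at least one copy held off-site.
"""
from datetime import datetime, timedelta

# Constructed inventory of backup copies of one data set. last_success is the
# timestamp of the most recent verified good copy; last_run_ok is the status of
# the most recent job run (an unmonitored failure is the classic gap).
BACKUP_INVENTORY = [
    {"name": "nightly-disk", "media": "disk", "offsite": False,
     "last_success": "2018-01-10T01:00:00", "last_run_ok": True},
    {"name": "weekly-tape", "media": "tape", "offsite": True,
     "last_success": "2018-01-03T03:00:00", "last_run_ok": False},
    {"name": "cloud-sync", "media": "cloud", "offsite": True,
     "last_success": "2018-01-10T00:30:00", "last_run_ok": True},
]

# Constructed "current time" so the example is reproducible offline.
CHECK_TIME = datetime(2018, 1, 10, 12, 0, 0)


def assess_backups(inventory, now, max_age_hours=24):
    """Return {"compliant": bool, "problems": [...], "worst_case_loss_hours": float|None}.

    Only copies that are fresh and whose last run succeeded count toward the
    rule; everything else is reported as a problem so that it gets attention
    before, not after, an incident.
    """
    problems = []
    usable = []
    for copy in inventory:
        age = now - datetime.fromisoformat(copy["last_success"])
        healthy = True
        if not copy["last_run_ok"]:
            problems.append(f"{copy['name']}: last job run failed")
            healthy = False
        if age > timedelta(hours=max_age_hours):
            hours = age.total_seconds() / 3600
            problems.append(f"{copy['name']}: newest good copy is {hours:.1f} hours old")
            healthy = False
        if healthy:
            usable.append((copy, age))

    media_types = {copy["media"] for copy, _ in usable}
    offsite = [copy for copy, _ in usable if copy["offsite"]]
    if len(usable) < 2:
        problems.append("fewer than two usable backup copies (3-2-1 needs production data plus two)")
    if len(media_types) < 2:
        problems.append("usable copies are not on two different media types")
    if not offsite:
        problems.append("no usable off-site copy")
    compliant = len(usable) >= 2 and len(media_types) >= 2 and bool(offsite)

    # Worst-case data loss if ransomware struck right now: the age of the
    # newest usable copy, which is the figure the survey respondents reported.
    newest = min((age for _, age in usable), default=None)
    return {
        "compliant": compliant,
        "problems": problems,
        "worst_case_loss_hours": None if newest is None else newest.total_seconds() / 3600,
    }


def demo():
    """Run the check against the constructed inventory."""
    return assess_backups(BACKUP_INVENTORY, CHECK_TIME)


if __name__ == "__main__":
    result = demo()
    print("compliant:", result["compliant"])
    print("worst-case loss (hours):", result["worst_case_loss_hours"])
    for problem in result["problems"]:
        print("problem:", problem)
```

Note that the constructed inventory passes the rule only because the cloud copy is healthy; the failed tape job is reported rather than silently ignored, which is the monitoring gap the survey respondents paid for in lost data. Feed the function from whatever your backup software exports and run it on a schedule, so a compliant-on-paper design is checked against what actually completed.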

Ransomware has proven to be a viable business model for cybercriminals, and that model is shifting from malicious spam toward more closely targeted attacks. Are you an IT professional who wants to ensure sensitive data and devices are protected? Talk to a specialist or email us at info@titanhq.com with any questions.
