SamSam Ransomware Developer Has Earned $6 Million in Ransom Payments

SamSam ransomware has been used in many attacks on healthcare providers and educational institutions over the past two and a half years. In contrast to many other ransomware variants, the ransom payments are considerably higher, typically of the order of tens of thousands of dollars.

What also makes SamSam ransomware different is its method of deployment. While many ransomware variants are installed as a result of employees opening infected email attachments, SamSam ransomware is installed manually once access to a network has been gained.

Access is typically gained through brute-force RDP attacks, the exploitation of vulnerabilities, or the use of stolen credentials. Because the attacker has interactive access to the network, data theft would be possible, but the attacker appears to be interested only in encrypting files on as many computers as possible.

SamSam ransomware was used in the attacks on the electronic health record provider AllScripts, Adams Memorial Hospital, Allied Physicians of Michiana, Cass Regional Medical Center, LabCorp, and Hancock Health. SamSam was also used in the ransomware attack on the City of Atlanta. 26% of all SamSam ransomware attacks have affected healthcare companies with more than three quarters of victims based in the United States.

In the 32 months since the ransomware was first released, the developer has allegedly earned almost $6 million in ransom payments according to cybersecurity firm Sophos, which has been tracking Bitcoin ransom payments with the help of the tracking firm Neutrino. According to Sophos, 223 victims have paid the ransom to obtain the keys to unlock encrypted data. Previous estimates of the amount earned from SamSam ransomware infections were around $1 million. There have been far more victims paying than was initially thought. Many of the attacks have not been declared publicly.

It was previously thought that the healthcare, government, and education sectors were the targets, with the private sector escaping relatively unscathed, but that appears not to be the case. According to Sophos, "Based on the much larger number of victims now known, it seems that far from being unaffected, the private sector has actually borne the brunt of SamSam."

Sophos believes one individual is behind the ransomware and all the attacks. That individual is clearly skilled and committed. Attacks have occurred at a rate of around one per day and they usually occur in the middle of the night when the chance of an attack being detected before file encryption takes place is much lower.

In contrast to WannaCry, which spread on its own as a worm, the SamSam attacker moves laterally by hand and installs the malware using standard administration tools such as PsExec or PaExec. Only when the malware has been installed on every device the attacker could reach is the encryption process triggered.
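Both of the behaviours described above leave artefacts in standard Windows logs: a brute-forced RDP login shows up as a run of failed logons (Event ID 4625) from one source address followed by a successful interactive remote logon (Event ID 4624, LogonType 10), and PsExec or PaExec leave a "new service installed" record (System log Event ID 7045) for the PSEXESVC or PAExec service on every host they touch. The following detection logic is an added example written for this article, not code from Sophos or from the original page. It runs over a constructed list of event records whose field names mirror the Windows event XML; the thresholds, IP addresses, hostnames and account names are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ATTACKER = "203.0.113.7"  # constructed TEST-NET-3 address, not a real source

# Constructed sample of Windows Security / System event records (not real logs).
# 4625 = failed logon, 4624 = successful logon, 7045 = a new service was installed.
# Caveat: with Network Level Authentication enabled, failed RDP attempts are usually
# logged with LogonType 3 (network), not 10, so the brute-force filter accepts both.
SAMPLE_EVENTS = [
    {"time": f"2018-07-31T02:14:{s:02d}", "id": 4625, "logon_type": 3, "ip": ATTACKER, "user": u}
    for s, u in zip(range(0, 60, 5), ["administrator", "admin", "backup", "sqlsvc",
                                      "administrator", "root", "admin", "test",
                                      "scanner", "helpdesk", "administrator", "itadmin"])
]
SAMPLE_EVENTS += [
    # the password guessing pays off: an interactive RDP logon from the same address
    {"time": "2018-07-31T02:21:30", "id": 4624, "logon_type": 10, "ip": ATTACKER, "user": "itadmin"},
    # a legitimate user mistypes twice and then gets in: below threshold, not flagged
    {"time": "2018-07-31T02:30:00", "id": 4625, "logon_type": 10, "ip": "192.0.2.5", "user": "jsmith"},
    {"time": "2018-07-31T02:30:08", "id": 4625, "logon_type": 10, "ip": "192.0.2.5", "user": "jsmith"},
    {"time": "2018-07-31T02:30:20", "id": 4624, "logon_type": 10, "ip": "192.0.2.5", "user": "jsmith"},
    # System log 7045 records: PsExec and PaExec install a service on each target
    {"time": "2018-07-31T02:40:11", "id": 7045, "host": "FILESRV01",
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2018-07-31T02:41:05", "id": 7045, "host": "HR-PC-12",
     "service_name": "PAExec-4120-ITADMIN-WS", "image_path": r"C:\Windows\PAExec-4120-ITADMIN-WS.exe"},
    {"time": "2018-07-31T03:00:00", "id": 7045, "host": "PRINTSRV",
     "service_name": "AcmeBackupAgent", "image_path": r"C:\Program Files\Acme\agent.exe"},
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def detect_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=10)):
    """Flag source IPs with `threshold` or more failed logons inside `window`, and
    list any account that afterwards logged on interactively over RDP (4624,
    LogonType 10) from the same IP, i.e. the brute force most likely succeeded.
    Returns {ip: {"failures": n, "compromised_accounts": [user, ...]}}."""
    by_ip = defaultdict(list)
    for e in events:
        if e["id"] in (4624, 4625):
            by_ip[e["ip"]].append((parse_time(e["time"]), e))

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda t: t[0])
        failures = [t for t, e in evs if e["id"] == 4625 and e["logon_type"] in (3, 10)]
        burst_end = None
        # sliding window: the first run of `threshold` failures that fits in `window`
        for i in range(len(failures) - threshold + 1):
            if failures[i + threshold - 1] - failures[i] <= window:
                burst_end = failures[i + threshold - 1]
                break
        if burst_end is None:
            continue
        compromised = sorted({e["user"] for t, e in evs
                              if e["id"] == 4624 and e["logon_type"] == 10 and t >= burst_end})
        findings[ip] = {"failures": len(failures), "compromised_accounts": compromised}
    return findings


REMOTE_EXEC_SERVICE_TAGS = ("psexesvc", "paexec")


def detect_remote_exec_service(events):
    """Return (host, service_name, image_path) for every 7045 event whose service
    name or binary path matches PsExec's PSEXESVC or a PaExec service: the
    footprint of hand-driven lateral movement with these tools."""
    hits = []
    for e in events:
        if e["id"] != 7045:
            continue
        blob = (e.get("service_name", "") + " " + e.get("image_path", "")).lower()
        if any(tag in blob for tag in REMOTE_EXEC_SERVICE_TAGS):
            hits.append((e["host"], e["service_name"], e["image_path"]))
    return hits


if __name__ == "__main__":
    for ip, f in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"RDP brute force from {ip}: {f['failures']} failures, "
              f"then interactive logon as {f['compromised_accounts']}")
    for host, svc, path in detect_remote_exec_service(SAMPLE_EVENTS):
        print(f"remote-exec service installed on {host}: {svc} ({path})")
```

In a real deployment the records would come from a SIEM or from `Get-WinEvent` on the domain controllers and member servers; the point of the sample is that a successful logon arriving right after a burst of failures from the same address is the signal worth paging on, and that a 7045 for PSEXESVC on a server nobody is administering at two in the morning is the last warning before encryption starts.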

While the FBI does not recommend paying ransoms, it is understandable why the payments are made. If viable backups do not exist, companies have little choice other than to pay. The ransom, while high, is typically far lower than the cost of recovery. Ransom amounts are often around $50,000. By comparison, the SamSam ransomware attack on the City of Atlanta has reportedly cost $19 million to remediate.

One of the main problems with recovering from a SamSam ransomware attack without paying the ransom is that this variant encrypts not only data but also application configuration files. Even if the data are recovered, applications fail to work correctly. Recovery therefore means more than restoring files from backups: machines need to be rebuilt. Sophos recommends that companies develop a plan that will enable them to do this quickly to limit the cost of an attack.

Good password practices and prompt patching are essential. Backups should be made and stored offline and offsite, vulnerability scans should be performed regularly, multi-factor authentication should be implemented, and RDP should be disabled where it is not needed. Where RDP is required, it should never be exposed directly to the internet; connections should only ever be permitted through a VPN.

Author: NetSec Editor