Fresh SamSam Ransomware Campaign Across the U.S

Fresh attacks of the SamSam ransomware have been reported from across the U.S; the ransomware seems to be unleashing attacks at new targets across the country.

ZDNet reports, “SamSam ransomware is still plaguing organisations across the US, with fresh attacks against 67 new targets – including at least one involved with administering the upcoming midterm elections.”

The SamSam ransomware, like any other ransomware, encrypts all files and data in a network it infects, and at the same time, it targets backups too and ensures that the victims are rendered totally helpless, with no other option but to pay the ransom and get things decrypted. And it’s paying off as well. The ZDNet report states, “These tactics are working, as the group behind SamSam are thought to have made over $6m from ransom payments, often demanding over $50,000 in bitcoin for restoring systems.”

While most ransomware attacks are executed via phishing emails, the SamSam campaigns are carried out in a different manner. They begin with remote desktop protocol (RDP) compromise, which is carried out either with the help of brute force attacks or by making use of stolen credentials. The threat actors behind the SamSam campaigns make sure that the victims suffer maximum damage; they’d trigger the infection only after exploiting vulnerabilities and stealing credentials so that they can spread their tentacles across as much of a targeted network as possible.

The SamSam ransomware campaign, like some other major ransomware campaigns, uses Eternal Blue, the leaked NSA exploit.

In his report, Danny Palmer, senior reporter at ZDNet, notes that the SamSam ransomware had struck high profile targets, including the City of Atlanta. Atlanta was forced to go offline following the attack, but however, the city didn’t yield to the ransom demands. Danny Palmer further writes, “SamSam is still proving to a successful operation for those behind the campaigns, with researchers at Symantec noting that the group still remains heavily active, with fresh attacks against dozens of targets – most of which are in the US.”

The ZDNet report states that though SamSam has hit different sectors, it’s the healthcare industry that’s affected the most, as per figures shown by Symantec. A quarter of all SamSam incidents target hospitals and other healthcare organizations.

The researchers probing the fresh SamSam attacks have also mentioned that among the organizations that have been targeted, there is one (which has been left unnamed) that would be playing a key role in administrating elections. This information, however, is of critical importance taking into consideration the fact that the midterm elections are all set to happen in a week’s time. But, in all probability, the intention of the SamSam threat actors wouldn’t be to impact the elections directly; they’d just have gone after networks and organizations that they found vulnerable and the above-mentioned agency just happened to be one such vulnerable organization.

The ZDNet report explains some traits of the SamSam ransomware- “The attackers often use ‘living off the land’ tactics to help them move across the network, using operational system features and legitimate administration tools to help compromise victims…It’s also known for the attackers to drop two different forms of SamSam onto networks so that in the event of one being defended against, there’s the opportunity for the second variant to be successful.”

The report further says, “This stealthy approach to attacks, combined with specially selecting targets has enabled SamSam to prosper as one of the most successful – and damaging – forms of ransomware threats to organisations throughout 2018.”

In addition to targets across the U.S, the SamSam ransomware has also impacted organizations in France, Australia, Ireland, Portugal and Israel.
Organizations, however, can equip themselves to combat SamSam ransomware attacks by adopting some effective measures, including restricting access to public-facing ports, adopting two-factor authentication, creating offline and offsite backups etc.