SamSam Attackers Have Hit 67 Ransomware Targets

Researchers have warned that the SamSam ransomware strain continues to be a major threat to organizations, with 67 targets on the receiving end of attacks this year, according to Symantec.

The security giant claimed that most targets in 2018 have been located in the US, with healthcare accounting for the largest number of attacks, around 24%.

“Why healthcare was a particular focus remains unknown,” it explained. “The attackers may believe that healthcare organizations are easier to infect. Or they may believe that these organizations are more likely to pay the ransom.”

At least one US government organization involved in administering elections was also hit, which is concerning news ahead of the mid-terms next week.

A small number of remaining attacks targeted organizations in Portugal, France, Australia, Ireland and Israel.

A Symantec spokesperson confirmed to Infosecurity that it was not possible to determine how many of the listed attacks were successful, as in some cases "we saw less than a handful of computers infected with SamSam tools, which could suggest failed attacks."

However, SamSam is known to be particularly dangerous as it is typically manually operated, rather than being used in fire-and-forget automated campaigns.

This means those behind it go to greater lengths to hide its activity, encrypting as many machines possible on a network before demanding the ransom.

Its highly targeted nature means attackers often first obtain account credentials on the dark web to access an organization’s remote desktop protocols, and then use tools to elevate privileges and gain domain access rights.

They’ve also been observed using legitimate Windows tools like PsExec and PSInfo to “live off the land” and hide from AV tools, as well as publicly available hacking tools like mimikatz to steal passwords to spread to other servers.

“These tactics are frequently used by espionage groups in order to maintain a low profile on the target’s network. By making their activity appear like legitimate processes, they hope to hide in plain sight,” explained Symantec.

“For example, in one attack that took place in February 2018, more than 48 hours passed between the first evidence of intrusion and the eventual encryption of hundreds of computers in the targeted organization.”

SamSam was responsible for a major attack on the City of Atlanta earlier this year, which is slated to cost $10m to clean up, plus a Colorado Department of Transport outage which also ran into the millions.

What’s Hot on Infosecurity Magazine?