As most of you are aware, on March 22nd, 2018, the city of Atlanta was hit by the dreaded SamSam ransomware. The city’s services ground to a halt. Residents could not pay for essential services like water, and the city was not able to collect revenue from parking fines. Police efficiency dropped significantly, as reports had to be written by hand. The entire IT infrastructure was paralyzed. The City Attorney’s office lost all but 6 of its 77 computers and 10 years’ worth of documents, while the police lost their dash cam recordings.
The overall estimated cost was approximately 11 million USD. Atlanta was certainly not the only victim of this particular ransomware. In April 2017, the same attackers infected Erie County Medical Center, a major hospital in Buffalo, New York.
The overall estimated cost of recovery there was approximately 10 million. In 2018, the group behind this ransomware developed a new and improved version of SamSam with greater capabilities. Since then, the group has accelerated its attacks, and further confirmed victims include two Indiana-based hospitals, Hancock Health and Adams Memorial Hospital, Allied Physicians of Michiana, Cass Regional Medical Center, the medical testing company LabCorp, and an electronic health records (EHR) provider called Allscripts.
Known Facts about SamSam ransomware:
- Over 74% of all known victims are based in the United States
- Other regions that have been targeted include Canada, the UK and the Middle East
- The total known amount of ransom actually paid exceeds 6 million USD in Bitcoin equivalent
- Medium to large public sector organizations in healthcare, education, and government make up 50% of identified victims; the rest are spread across a long list of verticals in the private sector
- The attackers are selective when choosing their targets and spread quietly through traditional network administration tools to avoid detection
- The cybercrime gang known as Gold Lowell has been identified as the threat group executing these extortions with the SamSam ransomware
- Every consecutive attack shows more sophisticated development than the last
- The ransom SamSam demands is increasing; the threat group is charging more than it used to
Experiences Cyber Centaurs has had with SamSam:
As a provider of cyber security and cyber forensic services, we have naturally encountered both the previous and the most recent versions of the SamSam ransomware. We have learned that there has indeed been an increase in activity in 2018, and we predict that this trend will continue upwards in 2019. We have also seen a sufficient number of these attacks where mandatory disclosure was not required of the victim, and therefore it appears that the number of organizations that have fallen victim to this attack is far greater than reported. Our consulting team has assisted several organizations throughout the state of Florida which had been targeted by the Gold Lowell threat group. Based on this experience, we have assembled 5 tips for CIOs, IT Directors and Technology leadership executives to consider.
- Vulnerability Assessments / Penetration Testing
Make sure to perform vulnerability assessments more frequently or, even better, perform penetration tests. SamSam does not deliver its payload via an email phishing link; instead, someone manually breaks into a vulnerable system, and the ransomware is then deployed from there. Making sure that your vulnerabilities are discovered and eradicated early is therefore key. You can’t afford to wait for your annual vulnerability assessment, which may be due in another 10 months or so.
- Disable Remote Desktop Protocol (RDP)
Disable RDP from being reachable from outside of your network. This applies to RDP connections to terminal servers as well as to standalone desktops or servers. Remote Desktop connections are the favorite attack vector of the SamSam group, yes, even if you change ports and add some security mechanisms.
- Secure Your Backups
SamSam will attack and delete your backups with a file-shredding tool, preventing even a data recovery company from recovering those backup files. As a rule of thumb, your primary backups should not be accessible from your network. Old, reliable tapes are always a good solution in this case.
- Disk Activity Monitoring
Monitoring disk activity on crucial systems could lead to early detection, as the encryption process will usually produce a noticeable spike in read/write activity to disk.
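The following is an added example of the kind of detection the tip above describes; it is not Cyber Centaurs’ tooling and is not code from the original post. It assumes you already collect a per-second disk write counter for the host (on a real system that would be the cumulative write-bytes counter from the OS, for example `psutil.disk_io_counters().write_bytes` polled once a second); the sample values embedded here are constructed for illustration.

```python
"""Flag a sustained spike in disk write throughput on a monitored host.

Added example (not the original post's code). Counter values below are
constructed, not measured; the helper names are this example's own.
"""
from collections import deque
from statistics import median

# Constructed sample: bytes written per second on a file server.
# The first 30 seconds are ordinary office load; after that a workload
# writing every file back at full disk speed begins.
SAMPLE_WRITES_BPS = (
    [3_000_000, 2_500_000, 4_000_000, 3_200_000, 2_800_000] * 6
    + [160_000_000, 175_000_000, 168_000_000, 181_000_000,
       170_000_000, 172_000_000, 165_000_000, 178_000_000]
)


def rates_from_counters(cumulative):
    """Turn a list of cumulative byte counters (one reading per second)
    into per-second rates, which is what the detector below expects."""
    return [b - a for a, b in zip(cumulative, cumulative[1:])]


def detect_write_spikes(samples, window=20, ratio=10.0, sustain=3):
    """Return the sample indices at which a sustained write spike is flagged.

    A sample is 'hot' when it exceeds `ratio` times the median of the last
    `window` normal samples. An alert fires once `sustain` consecutive
    samples are hot, so a single large file copy does not trip it. Hot
    samples are kept out of the baseline so the spike cannot normalise
    itself away while it is still running.
    """
    history = deque(maxlen=window)
    alerts = []
    hot_run = 0
    for i, value in enumerate(samples):
        hot = False
        if len(history) == window:
            baseline = median(history)
            hot = baseline > 0 and value > ratio * baseline
        if hot:
            hot_run += 1
            if hot_run == sustain:
                alerts.append(i)
        else:
            hot_run = 0
            history.append(value)  # only normal samples feed the baseline
    return alerts


if __name__ == "__main__":
    # Stand-alone run over the constructed sample.
    for idx in detect_write_spikes(SAMPLE_WRITES_BPS):
        print(f"sustained write spike detected at second {idx}: "
              f"{SAMPLE_WRITES_BPS[idx] / 1e6:.0f} MB/s")
```

In production the same logic runs against a live counter stream rather than a fixed list. Scheduled backups, antivirus full scans and database maintenance produce the same write signature, so suppress alerts inside known maintenance windows and correlate the spike with file-rename or file-extension-change activity before paging anyone; the detector buys early warning, not a verdict.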