
The SamSam ransomware group seems to have gotten to a “great” start in 2018, hitting several high-profile targets such as hospitals, a city council, and an ICS firm.

Reported attacks include the one against the Hancock Health Hospital in Greenfield, Indiana; Adams Memorial Hospital in Decatur, Indiana; the municipality of Farmington, New Mexico; and an unnamed ICS (Industrial Control Systems) company in the US, based on intel Bleeping Computer has received.

Hancock Health officials have admitted to paying the ransom, despite having backups, while the others have not commented on how they remediated the incidents.

Evidence points to active SamSam ransomware campaign

In the three public incidents, victims said the ransomware locked files and displayed a message with the word “sorry.” The Farmington municipality has released a screenshot of this ransom note.

Bleeping Computer has tracked down this ransom note to recent SamSam infections. According to data provided by the ID-Ransomware service, there have been 17 submissions of SamSam-related files to the service in January alone.

The SamSam ransomware, also known as Samas, is not your stock ransomware that looks the same with every infection. SamSam is a custom strain that crooks use in targeted attacks.

The SamSam crew usually scans the Internet for computers with open RDP connections, then breaks into networks by brute-forcing these RDP endpoints and spreads to more computers.

Ransom notes and extensions usually vary from victim to victim. Despite this, based on the screenshot shared by the Farmington city council, we can say that this particular SamSam version that uses the “0000-SORRY-FOR-FILES.html” ransom note has infected at least eight entities since December 26. Most of the victims are from the US, but a few are from Canada and India. Some victims reported files encrypted with the .weapologize extension.

SamSam ransomware ransom note

Attackers made nearly $300,000

The Bitcoin wallet address used in this ransom note received its first transaction on December 25, and in the meantime, has received more money in what appear to be subsequent ransom payments.

The account currently holds 26 Bitcoin, valued at nearly $300,000. Most likely, the gang has claimed more victims and made even more money.

The current story should stand as a warning for companies running computers open to remote RDP connections. These computers should be secured with a strong and unique password in order to avoid crooks like the SamSam crew breaking into their systems.
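For defenders who want to check whether an exposed RDP host is being brute-forced as described above, the following is an added example, not part of the original article. It flags source IPs with a burst of failed logons and notes any successful logon that follows. The CSV row layout, threshold, window and function name are assumptions for illustration; 4625, 4624 and logon type 10 are the standard Windows Security log values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample rows: time,event_id,logon_type,source_ip,account
# 4625 = failed logon, 4624 = successful logon.
# Logon type 10 = RemoteInteractive (RDP); with NLA enabled, RDP failures
# are often recorded as type 3 (Network), so both are considered.
SAMPLE = """\
2018-01-11T02:00:01,4625,3,203.0.113.7,administrator
2018-01-11T02:00:04,4625,3,203.0.113.7,administrator
2018-01-11T02:00:09,4625,3,203.0.113.7,admin
2018-01-11T02:00:15,4625,3,203.0.113.7,admin
2018-01-11T02:00:21,4625,3,203.0.113.7,backup
2018-01-11T02:00:30,4625,3,203.0.113.7,backup
2018-01-11T02:00:41,4624,10,203.0.113.7,backup
2018-01-11T08:59:10,4625,10,198.51.100.20,jsmith
2018-01-11T08:59:40,4624,10,198.51.100.20,jsmith
2018-01-11T09:05:00,4624,2,-,jsmith
"""
RDP_TYPES = {"3", "10"}

def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Flag IPs with >= threshold failures inside the window (input sorted by time)."""
    recent = defaultdict(deque)   # per-IP timestamps of failures still in the window
    tried = defaultdict(set)      # per-IP account names seen in failed logons
    findings = {}
    for line in filter(None, (l.strip() for l in lines)):
        ts, event_id, logon_type, ip, account = line.split(",")
        if logon_type not in RDP_TYPES:
            continue              # local/console logons are out of scope
        when = datetime.fromisoformat(ts)
        if event_id == "4625":
            tried[ip].add(account)
            q = recent[ip]
            q.append(when)
            while when - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(
                    ip, {"peak_failures": 0, "accounts": tried[ip], "success_after": []})
                f["peak_failures"] = max(f["peak_failures"], len(q))
        elif event_id == "4624" and ip in findings:
            # A success from an already-flagged source suggests a guessed password.
            findings[ip]["success_after"].append((ts, account))
    return findings

if __name__ == "__main__":
    for ip, f in detect_rdp_bruteforce(SAMPLE.splitlines()).items():
        print(ip, f["peak_failures"], sorted(f["accounts"]), f["success_after"])
```

A source with entries in `success_after` deserves immediate attention, since it pairs a guessing burst with a working credential.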

On a side note, there has also been a ransomware incident that affected Allscripts, a provider of professional cloud-based EHR (electronic health records). The company admitted the incident, but we couldn’t link this attack with the current ongoing SamSam campaign.
