The group behind the SamSam ransomware has continued to mount attacks against entire organizations during 2018, with fresh attacks seen against 67 different targets, mostly located in the U.S.
SamSam specializes in targeted ransomware attacks, breaking into networks and encrypting multiple computers across an organization before issuing a high-value ransom demand. The group is believed to be behind the attack on the city of Atlanta in March, which saw numerous municipal computers encrypted. The clean-up costs for the attack are expected to run to over $10 million.
The group was also linked to the attack on the Colorado Department of Transportation, which resulted in clean-up costs of $1.5 million.
During 2018, Symantec has to date found evidence of attacks against 67 different organizations. SamSam targeted organizations in a wide range of sectors, but healthcare was by far the most affected sector, accounting for 24% of attacks in 2018.
Why healthcare was a particular focus remains unknown. The attackers may believe that healthcare organizations are easier to infect. Or they may believe that these organizations are more likely to pay the ransom.
A number of local government organizations in the U.S. were also targeted by the group and at least one of these organizations is involved in administering elections. With the midterm elections in the U.S. taking place on Nov. 6, the focus is naturally on cyber information operations and threats to voting data integrity. However, ransomware campaigns such as SamSam can also be significantly disruptive to government organizations and their operations.
The vast majority of SamSam’s targets are located in the U.S. Of the 67 organizations targeted during 2018, 56 were located in the U.S. A small number of attacks were logged in Portugal, France, Australia, Ireland, and Israel.
While most ransomware families are spread indiscriminately, usually via spam emails or exploit kits, SamSam is used in a targeted fashion. The SamSam group’s modus operandi is to gain access to an organization’s network, spend time performing reconnaissance by mapping out the network, before encrypting as many computers as possible and presenting the organization with a single ransom demand.
The attackers have been known to offer to decrypt all computers for a set ransom and/or offer to decrypt individual machines for a lower fee. In many cases, ransom demands can run to tens of thousands of dollars to decrypt all affected computers in an organization. If successful, these attacks can have a devastating impact on victim organizations, seriously disrupting their operations, destroying business critical information, and leading to massive clean-up costs.