According to the Symantec experts, the group behind the SamSam ransomware has continued to launch attacks against organizations during 2018.
Security experts from Symantec published an interesting post on the evolution of the SamSam ransomware that in the last month was involved in targeted attacks against several organizations including the Colorado Department of Transportation (DOT) and the City of Atlanta.
According to the experts, the group behind the SamSam ransomware has continued to launch attacks against organizations during 2018, they observed fresh attacks against 67 different targets, most of them in the U.S.

The SamSam ransomware is an old threat, attacks were observed in 2015 and the list of victims is long, many of them belong to the healthcare industry. The attackers spread the malware by gaining access to a company’s internal networks by brute-forcing RDP connections.

Among the victims of the Samsam Ransomware, there is the MedStar non-profit group that manages 10 hospitals in the Baltimore and Washington area. Crooks behind the attack on MedStar requested 45 Bitcoins (about US$18,500) for restoring the encrypted files, but the organization refused to pay the Ransom because it had a backup of the encrypted information.

In April 2016, the FBI issued a confidential urgent “Flash” message to the businesses and organizations about the Samsam Ransomware.

Back to the present, the Samsam Ransomware made the headlines in the first days of 2018, the malicious code infected systems of some high-profile targets, including hospitals, an ICS firm, and a city council.

Symantec pointed out that the SamSam ransomware mostly infected systems in healthcare (24% of victim organizations), likely because healthcare organizations are easier to compromise and the likelihood they will pay ransom is high.

SamSam is different from other ransomware, Symantec used the term “targeted ransomware” because it also performs extensive reconnaissance before launching the attack.

“SamSam specializes in targeted ransomware attacks, breaking into networks and encrypting multiple computers across an organization before issuing a high-value ransom demand.” reads the analysis published by Symantec.

“The vast majority of SamSam’s targets are located in the U.S. Of the 67 organizations targeted during 2018, 56 were located in the U.S. A small number of attacks were logged in Portugal, France, Australia, Ireland, and Israel.”

The SamSam crew is highly skilled and resourceful, experts compared their attacks with the ones carried out with cyber espionage groups.

“In order to carry out its attacks, the SamSam group makes extensive use of “living off the land” tactics: the use of operating system features or legitimate network administration tools to compromise victims’ networks.” continues the analysis.

“These tactics are frequently used by espionage groups in order to maintain a low profile on the target’s network. “

The hackers used freely available hacking tools like Mimikatz and also software like Microsoft Sysinternal PsInfo that allows the user to gather information about other computers on the network.

Experts close the post recommending the importance of backup of important data for combating ransomware infections.