In 2015, SamSam ransomware came onto the scene like a bull in a china shop, causing millions of dollars in damages to healthcare firms, private companies, and entire cities. A recent analysis of the bitcoin-seeking malware shows that 223 victims have chosen to meet the ransom demands since the first SamSam variant was unleashed, with payments totaling nearly $6 million.
Cities Under Siege
The most well-known SamSam attack in the U.S. struck the city of Atlanta in March 2018. Considered one of the longest and most consequential cyber-attacks ever unleashed upon a major American city, the malware left 90% of the computers at the Department of Public Works inaccessible, and forced the court system to cancel dozens of cases, while city employees had to hand-write all reports. While the Atlanta SamSam attack is certainly one of the worst on record—costing the city an estimated $17 million to resolve, an amount far greater than the $51,000 SamSam hackers demanded—the city is not alone.
- 2018: Dallas’s alarm system is hacked, firing off tornado sirens at night for 1-2 hours resulting in panic and 4,000 calls to 911.
- 2017: Colorado’s Department of Transportation is forced to shut down more than 2,000 machines due to a SamSam attack; in Sacramento, 30 million files are deleted from the city’s regional transit system.
- 2016: San Francisco’s railway system is struck, forcing the city to allow people to ride for free until the system is recovered.
What Is SamSam and Who’s Behind It?
Many ransomware crews are unfocused, with no specific target. They spread their malware indiscriminately, with the thought being that if they infect enough people, eventually someone will pay up (the ransom is almost always minimal—$500-$1000—to encourage payment). The group behind SamSam, however, is extremely focused, making their brand of extortion more lethal. SamSam isn't commodity ransomware—it’s developed privately and updated often (it’s now on its third incarnation) to avoid antivirus detection. SamSam encrypts files late at night when victims won't be at work to monitor their network. Ransom notes and bitcoin payment websites are hosted on Tor (a network that allows anonymous communication) and are always unique to each victim. If the encryption process is detected it self-destructs, leaving little to no evidence to be analyzed.
Due to this lack of evidence, the group remains a mystery. Unlike other malware crews who have been caught bragging about their exploits on dark web forums, the SamSam hackers remain mum and continue to operate outside the reach of law enforcement. In 2016, the FBI issued a flash alert asking businesses to help with information about the ransomware (which was at the time referred to as Samas), and even this proved futile.
SamSam Ransomware: To Pay or Not to Pay
The fact that the City of Atlanta paid $17 million to resolve the SamSam situation rather than pay the $51,000 ransom caused many to raise an eyebrow. Why not just pay up? Because it’s akin to negotiating with terrorists. Cybersecurity experts and law enforcement officials have been adamant that organizations should not pay the ransom, arguing that it will only encourage further attacks.
Of course, refusing to pay is easier said than done. Attempting to access files only to find that they’ve been encrypted is a frightening situation, and worst-case scenarios immediately come to mind—sensitive information being leaked to the public, loss of customers and customer trust, and even loss of the entire business. Fear, combined with an inexpensive ransom, can have many organizations opting to pay up, but this may be changing as prevention becomes more prevalent.
8 Ways to Protect Yourself from SamSam
With the SamSam group continuing to elude law enforcement officials, attacks show no signs of slowing down. Protection is the only means of prevention, as the group is “generally going for low-hanging fruit,” says Peter Mackenzie, Global Malware Escalations Manager at Sophos. So, what can be done?
1. Educate employees
According to a Help Net Security survey, over 30% of workers are not familiar with ransomware, and clicking on suspicious links can unleash malware across the whole network.
2. Employ content scanning and filters
Don’t rely on a “human firewall.” A scanner or filter on mail servers will check for known threats within inbound emails and block any attachments that could be dangerous.
3. Install antivirus
Ensure AV is current across all endpoints. It’s not impenetrable, as malware is always evolving, but it is a solid first line of defense.
4. Update regularly
Regular updates help maintain the integrity of your systems and install patches that eliminate weaknesses that malware aims to exploit. Patches were largely responsible for stopping further damage from the Meltdown and Spectre bugs in early 2018.
5. Back up data
A daily backup of important data gives attackers a lot less leverage; rather than pay up, victims can restore previously saved data with minimal loss (learn about the 3-2-1 backup strategy).
6. Restrict privileges
Not every employee needs all privileges; they only need to be able to perform their work-related tasks.
7. Purchase cyber insurance
These policies generally cover your business’ liability for breaches involving customer information such as Social Security, credit card, and driver’s license numbers, in addition to health information.
8. Work with a cloud services provider
Managing IT can be a burden, especially for small and mid-size organizations. A reputable managed cloud services provider can help maintain and monitor the security of your data and assist in recovery in the event of an attack or breach.
They say an ounce of prevention is worth a pound of cure. With ransomware on the rise and costing millions every year, organizations must remain vigilant. Consider some or all of the protective measures outlined above, and if you’re considering partnering with a cloud provider to boost your security, speak with the experts at DSM today. As Florida’s preferred cloud provider, we’re here to help.