
SamSam Teaches Hard Lessons about the Cost of Security Unpreparedness

A spate of attacks using the SamSam ransomware toolkit cost victims millions. The success of that campaign is also breeding copycats.

On March 22, 2018, computer outages began to spread throughout critical systems operated by the city of Atlanta. The city’s information security team responded swiftly to the incident, which had the tell-tale signs of a ransomware attack. The municipality not only shut out employees from their systems but also took the precaution of shutting down many city services.

Atlanta was the highest-profile victim of SamSam, a ransomware operation that has infected scores of organizations. Since SamSam’s arrival on the scene, it’s believed to have infected more than 200 other businesses and groups, including hospitals, local governments, and healthcare firms. Last fall, Symantec estimated that the SamSam hacking group has launched attacks not just in the U.S. but also in France, Portugal, Ireland, Israel and Australia. It’s also proven lucrative for the perpetrators, by one estimate netting some $7 million in revenue for the cyber criminals over the last three years.

But if we examine SamSam within a larger perspective, we can view it more generally as another demonstration of the increasing propensity of cyber criminals to shift tactics to find vulnerabilities. In many cases, organizations were targeted by scanning networks searching for unguarded points of entry. The operators would then reconnoiter a victim's infrastructure before broadly infecting any systems. Like many other operations, the ransomware attacks use system tools to carry out the initial reconnaissance, which helps attackers avoid triggering defenses that are focused on detecting malware.

"A lot of attacks rely on finding a particular weakness," said Rod Piechowski, senior director for healthcare information systems with the Healthcare Information and Management Systems Society (HIMSS). "SamSam is different in that it uses existing tools that are part of your operating system, that can be used to do research on your network and your users, so it is harder to detect."

Healthcare in the Cross-hairs

SamSam is not new to the threat landscape. In late 2015 and early 2016, security firms noticed the first signs of the ransomware campaign, warning that opportunistic attackers were searching for, and then infecting, a variety of organizations, especially healthcare providers. In 2016, for example, the attackers went after Hollywood Presbyterian Medical Center, collecting a $17,000 ransom to return access to its information.

At one point, SamSam almost exclusively attacked healthcare firms. More than 18 percent of hospitals have had to respond to a ransomware attack, according to one study by the Health Information Trust Alliance, or HITRUST. And, in research conducted between November 2017 and the end of January 2018, the ransomware operation successfully collected bounties from 23 different companies, 90 percent of which were healthcare firms. Overall, healthcare firms accounted for 24 percent of SamSam targets.

Other favored targets included municipalities. The city of Atlanta, for example, received a ransom demand for $51,000. Government officials refused to pay, as the FBI advises in these cases. But the city had to endure service disruptions, and it took five days for the city to allow employees back on their computers. The incident also underscored the cost of being unprepared. What followed was one of the most massive upgrade and clean-up efforts of a local government's digital infrastructure, costing Atlanta taxpayers an estimated $6 million over five months—a total that’s ultimately likely to increase to more than twice that amount.

The SamSam operators usually attacked systems running the remote desktop protocol (RDP) to gain initial access to targeted networks, according to the US Computer Emergency Readiness Team (US-CERT). In an advisory sent around last December, US-CERT noted that threat actors typically use either brute force attacks or stolen login credentials, adding that the detection of RDP intrusions becomes all the more challenging because the malware enters through an approved access point.

Indeed, those very tactics were also used to compromise Hancock Health, an Indiana-based healthcare system, this January. The group obtained the login credentials of a vendor that provides hardware for one of the critical information systems used by the hospital, according to Steve Long, the organization’s president and CEO. He said the hackers used the compromised account credentials to target a server located in the emergency IT backup facility utilized by the hospital.
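
One way a defender can surface the two access patterns described above, password guessing against RDP and a valid account logging on from an unfamiliar address, in Windows Security logon events. This is an added example, not code from US-CERT, Symantec or any organization named in the article; the sample events, account names, addresses, thresholds and the EXPECTED_SOURCES list are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real logs):
# (time, event ID, logon type, account, source address).
# 4625 = failed logon, 4624 = successful logon; type 10 = RemoteInteractive (RDP).
# With Network Level Authentication, failed RDP logons are usually recorded as type 3.
SAMPLE_EVENTS = [
    ("2018-01-11 02:14:01", 4625, 3, "administrator", "203.0.113.7"),
    ("2018-01-11 02:14:09", 4625, 3, "administrator", "203.0.113.7"),
    ("2018-01-11 02:14:20", 4625, 3, "administrator", "203.0.113.7"),
    ("2018-01-11 02:14:31", 4625, 3, "administrator", "203.0.113.7"),
    ("2018-01-11 02:14:45", 4625, 3, "administrator", "203.0.113.7"),
    ("2018-01-11 02:15:02", 4625, 3, "administrator", "203.0.113.7"),
    ("2018-01-11 02:15:30", 4624, 10, "administrator", "203.0.113.7"),
    ("2018-01-11 08:59:50", 4625, 3, "jsmith", "10.0.4.15"),
    ("2018-01-11 09:00:10", 4624, 10, "jsmith", "10.0.4.15"),
    ("2018-01-11 23:41:12", 4624, 10, "svc_vendor", "192.0.2.44"),
]

# Assumption: the organization keeps a list of addresses each account normally uses.
EXPECTED_SOURCES = {"jsmith": {"10.0.4.15"}, "svc_vendor": {"198.51.100.20"}}


def find_suspicious_rdp_logons(events, expected, threshold=5,
                               window=timedelta(minutes=10)):
    """Return alerts for RDP logons that follow a burst of failures from the
    same source, or that succeed from a source not expected for the account."""
    failures = defaultdict(deque)  # source address -> recent failure times
    alerts = []
    for ts_text, event_id, logon_type, account, src in sorted(events):
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        recent = failures[src]
        while recent and ts - recent[0] > window:
            recent.popleft()  # drop failures that fell out of the window
        if event_id == 4625 and logon_type in (3, 10):
            recent.append(ts)
        elif event_id == 4624 and logon_type == 10:
            if len(recent) >= threshold:
                alerts.append((ts_text, account, src, "success_after_failures"))
            elif src not in expected.get(account, set()):
                # Valid credentials, unfamiliar origin: the stolen-login case.
                alerts.append((ts_text, account, src, "unexpected_source"))
    return alerts
```

The second alert type matters because a logon with stolen credentials produces no failures at all; only the mismatch between account and origin distinguishes it from normal use.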

Tracking Down SamSam

In November 2018, the U.S. government indicted two men who carried out a 34-month-long international computer hacking and extortion scheme. Charging them with infecting 200 organizations, the U.S. Department of Justice alleged that the duo had inflicted more than $30 million in losses on victims.

That kind of return garners attention – and copycats. A similar campaign called Ryuk raked in almost $4 million in 5 months going after several businesses, including major newspapers. And like SamSam, the Ryuk operators – who have been linked to a cyber criminal gang – infiltrate vulnerable networks and wait up to a year to launch the malware.

SamSam may have faded from the radar but the attacks testify to a permanent change in the threat landscape: When it comes to finding new ways to attack, cyber criminals have become adept at learning from each other and switching tactics when they land upon the next big thing. The success of SamSam and similar attacks will doubtless induce other cyber criminals to adopt a strategy based upon reconnaissance, compromise and infection. For enterprises and other organizations who will bear the brunt of those attacks, the best response is to remain prepared, keep their defenses up to date and commit the necessary resources to building up a robust security strategy.

Symantec Enterprise Blogs
About the Author

Robert Lemos

Journalist

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for two decades. He has covered cybercrime and security technology for almost two dozen publications.
