SamSam Ransomware Hits Hospitals, City Councils, ICS Firms [source: bleepingcomputer]
by CIRT Team
The SamSam ransomware group seems to have gotten off to a “great” start in 2018, hitting several high-profile targets such as hospitals, a city council, and an ICS firm.
Reported attacks include the one against the Hancock Health Hospital in Greenfield, Indiana; Adams Memorial Hospital in Decatur, Indiana; the municipality of Farmington, New Mexico; cloud-based EHR (electronic health records) provider Allscripts; and an unnamed ICS (Industrial Control Systems) company in the US, based on intel Bleeping Computer has received.
Hancock Health officials have admitted to paying the ransom, despite having backups, while the others have not commented on how they remediated the incidents.
Evidence points to active SamSam ransomware campaign
In the three public incidents, victims said the ransomware locked files and displayed a message with the word “sorry.” The Farmington municipality has released a screenshot of this ransom note.
Bleeping Computer has traced this ransom note to recent SamSam infections. According to data provided by the ID-Ransomware service, there have been 17 submissions of SamSam-related files to the service in January alone.
The SamSam ransomware, also known as Samas, is not your stock ransomware that looks the same with every infection. SamSam is a custom strain that crooks use in targeted attacks.
The SamSam crew usually scans the Internet for computers with exposed RDP endpoints, breaks into networks by brute-forcing those RDP logins, and then spreads to more computers from the foothold.
Ransom notes and extensions usually vary from victim to victim. Despite this, based on the screenshot shared by the Farmington city council, we can say that this particular SamSam version that uses the “0000-SORRY-FOR-FILES.html” ransom note has infected at least eight entities since December 26. Most of the victims are from the US, but a few are from Canada and India. Some victims reported files encrypted with the .weapologize extension.
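Because the campaign's initial access is RDP brute forcing and the article names both the ransom-note file and the encrypted-file extension, here is an added Python example (not code from Bleeping Computer or the article) that flags bursts of failed RDP logons per source and matches those two indicators against a file listing; the event dict fields, IP addresses and paths are constructed samples.

```python
"""Defender-side triage helpers for the SamSam campaign in the article above.
Added example, not the article's own code; the event records are constructed
samples in the shape of Windows Security event 4625 and the dict field names
are assumptions, not a vendor schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators quoted in the article for this SamSam variant.
RANSOM_NOTE = "0000-SORRY-FOR-FILES.html"
ENCRYPTED_EXT = ".weapologize"

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Map source IP -> peak count of failed RDP logons (EventID 4625,
    LogonType 10) seen inside any sliding interval of length `window`,
    for sources reaching `threshold`. Events may arrive unsorted."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 4625 and ev["LogonType"] == 10:
            by_src[ev["IpAddress"]].append(ev["Time"])
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until the interval fits.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = max(flagged.get(src, 0), end - start + 1)
    return flagged

def find_samsam_indicators(paths):
    """Return paths whose file name is the ransom note or carries the
    encrypted-file extension reported for this campaign."""
    hits = []
    for p in paths:
        name = p.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name == RANSOM_NOTE.lower() or name.endswith(ENCRYPTED_EXT):
            hits.append(p)
    return hits

# Constructed sample data: one source hammering RDP, one benign source.
T0 = datetime(2018, 1, 10, 3, 0, 0)
SAMPLE_EVENTS = [{"EventID": 4625, "LogonType": 10, "IpAddress": "198.51.100.7",
                  "Time": T0 + timedelta(seconds=20 * i)} for i in range(12)]
SAMPLE_EVENTS += [{"EventID": 4625, "LogonType": 10, "IpAddress": "192.0.2.9",
                   "Time": T0 + timedelta(hours=i)} for i in range(3)]
SAMPLE_PATHS = ["C:\\Shares\\Q4.xlsx.weapologize",
                "C:\\Shares\\0000-SORRY-FOR-FILES.html", "C:\\Shares\\notes.txt"]
```

Running `detect_rdp_bruteforce(SAMPLE_EVENTS)` on the sample flags only 198.51.100.7 (12 failures within ten minutes), and `find_samsam_indicators(SAMPLE_PATHS)` returns the two indicator paths.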