SamSam ransomware group has hit 67 organizations in 2018, researchers say

The group behind the disruptive SamSam ransomware has attacked 67 different organizations in 2018, nearly a quarter of which were health care organizations, new research shows.

SamSam, which is deployed in a more targeted way than other ransomware, hobbled Atlanta’s municipal agencies in March, and it was reportedly the malware that struck medical-testing giant LabCorp in July.

On Tuesday, cybersecurity company Symantec released data showing that of the 67 organizations targeted by the SamSam group in the last 10 months, more than 80 percent are based in the United States.

“SamSam continues to pose a grave threat to organizations in the U.S.,” a Symantec blog post states. “The group is skilled and resourceful, capable of using tactics and tools more commonly seen in espionage attacks.”

It is unclear why the group has its sights on the health care sector, Symantec said. “The attackers may believe that health care organizations are easier to infect. Or they may believe that these organizations are more likely to pay the ransom.”

In January, after SamSam hit an Indiana hospital computer network, hospital officials paid hackers roughly $50,000 to unlock the data.

Allan Liska, senior security architect at cyberthreat intelligence company Recorded Future, has told CyberScoop that the health care sector has gotten better at defending against less discriminate forms of ransomware but is struggling to cope with SamSam’s targeted operations.

The group does its homework before going after an entire organization’s computer network.

SamSam’s “modus operandi is to gain access to an organization’s network, spend time performing reconnaissance by mapping out the network, before encrypting as many computers as possible and presenting the organization with a single ransom demand,” the Symantec blog states.

Security experts advise organizations to back up their data to defend against ransomware attacks. According to the new research, the SamSam group is bringing its own backups to network showdowns.

In one February attack that Symantec studied, the hackers loaded two versions of SamSam, likely in case one iteration was detected by security protections. Two days passed between evidence of an intrusion and the encryption of hundreds of the organization’s computers.

 

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
