SamSam ransomware incidents (2018)
|Date||Major incidents on local governments reported in the first quarter of 2018. Earlier versions of the SamSam ransomware date back to 2015 (at the time also known as Samas and SamsamCrypt).|
|Suspected actor||The Dell subsidiary Secureworks Inc associated the SamSam ransomware with the threat actor Gold Lowell. This group or network of closely affiliated actors is known for using scan-and-exploit tactics. In November 2018, two Iranians were indicted in connection to the SamSam ransomware.|
|Target||Local governments, hospitals and health records firms. The SamSam ransomware targeted municipal governments in Colorado and New Mexico, as well as medical associations in Indiana, Virginia, New York and Buffalo. The media reported, in particular, the March 2018 attack on the municipal services in Atlanta.|
|Method||Infiltration of systems by exploiting a vulnerability in remote desktop protocols, and other public network components or by guessing passwords. SamSam assaults have involved oversight and they have been capable of adapting to the victim’s efforts to remediate. SamSam was updated frequently to escape antivirus detection and other endpoint defenses. The attackers asked for a ransom paid in Bitcoin. |
|Purpose||Financial interests. The amount of ransom was set carefully so as to make it affordable for the victim and yet worthwhile for the attackers.  The attackers offered to decrypt one non-essential system for free to demonstrate their ability to release the data if the ransom was paid.|
|Result||SamSam ransom collected an estimate of $1 million between December 2017 and March 2018. The exact total depends on the fluctuating value of Bitcoin.  The threat actor demanded for the city of Atlanta to pay about $51,000 in Bitcoin but it refused to pay. The total damage incurred by the city exceeded $17 million. Analysts have noted that such victims may rather pay the ransom than deal with the damage and risks of extended downtime of services.|
|Aftermath||Poor cybersecurity hygiene of cities was blamed for the success of the attack. A January 2018 report by the Atlanta’s City Auditor’s Office cited the city’s lack of compliance with security standards, in part due to a lack of resources.
Since attacking the municipality of Atlanta, the SamSam ransomware was not used again. The Department of Homeland Security warned about a “Ransomware Outbreak” and cautioned municipalities to back up their data, system images and configurations and keep them offline.  The attacks also led to further scrutiny of vulnerabilities in the voting system. Some cities in Florida paid the ransom in Bitcoin. The city of Baltimore initially refused to pay the ransom, but ended up paying $6 million. In July 2019, the U.S. Conference of Mayors adopted a resolution to not pay any more ransoms. The resolution argues that paying ransoms “encourages continued attacks on other government systems”.
|Analysed in||Scenario 14: Ransomware campaign|
Collected by: Nele Achten
- Secureworks, “SamSam Ransomware Campaigns”, 15 February 2018.
- Niyathi Bhat, “Gold Owell uses SamSam ransomware to terrorize SMBs”, ManageEnginge Blog, 2 March 2018.
- U.S. Department of Justice, “Two Iranian Men Indicted for Deploying Ransomware to Extort Hospitals, Municipalities, and Public Institutions, Causing Over $30 Million in Losses”, 28 November 2018.
- Kenneth Kraszewski, “SamSam and the Silent Battle of Atlanta”, (2019) 11th International Conference on Cyber Conflict, 3.
- Lily Hay Newman, “The Ransomware That Hobbled Atlanta Will Strike Again”, wired, 30 March 2018.
- Steve Ragan, “SamSam explained: Everything you need to know about this opportunistic group of threat actors”, 18 April 2018.
- Kenneth Kraszewski, “SamSam and the Silent Battle of Atlanta”, (2019) 11th International Conference on Cyber Conflict, 5.
- Stephen Deere, “Confidential Report: Atlanta’s cyber attack could cost taxpayers $17 million”, 1 August 2018.
- Kim Zetter, “Why Hospitals Are the Perfect Targets for Ransomware”, wired, 30 March 2016.
- City of Atlanta Auditor’s Office, “Compliance Audit: ISO/IEC 27001 ISMS Precertification Audit”, January 2018.
- Manny Fernandez, David E. Sanger and Marina Trahan Martinez, “Ransomware Attacks Are Testing Resolve of Cities Across America”, 23 August 2019.
- David E. Sanger, Reid J. Epstein and Michael Wines, “States Rush to Make Voting Systems More Secure as New Threats Emerge”, 26 July 2019.
- Patricia Mazzei, “Hit by Ransomware Attack, Florida City Agrees to Pay Hackers $600,000”, 19 June 2019.
- Niraj Chokshi, “Hackers Are Holding Baltimore Hostage: How They Struck and What’s Next”, 22 May 2019.
- Luke Broadwater, “Baltimore transfers $6 million to pay for ransomware attack; city considers insurance against hacks”, 28 August 2019.
- Catalin Cimpanu, “US mayors group adopts resolution not to pay any more ransoms to hackers”, 11 July 2019.
- The U.S. Conference of Mayors, “The 87th Annual Meeting”, July 2019.