SamSam Strikes Again

samsam atlanta
SamSam, a ransomware that hackers use in targeted attacks, strikes again – this time shutting down the City of Atlanta. Hackers using SamSam usually scan the Internet for computers with open RDP connections. Attackers break their way into large networks by brute-forcing these RDP endpoints and then spread to even more computers. Once they have a sufficiently strong presence on the network, attackers deploy SamSam and wait for the victim organization to either pay the ransom demand or boot them off their network. Read More

SamSam, a ransomware that hackers use in targeted attacks, strikes again –  this time shutting down the City of Atlanta. Hackers using SamSam usually scan the Internet for computers with open RDP connections. Attackers break their way into large networks by brute-forcing these RDP endpoints and then spread to even more computers. Once they have a sufficiently strong presence on the network, attackers deploy SamSam and wait for the victim organization to either pay the ransom demand or boot them off their network.

SamSam has been busy in 2018 so far. Several medical organizations including MedStar, Hancock Health Hospital, Adams Memorial Hospital and Allscripts so far. Hackers seem to be focusing in on cities and municipalities now.

On February 22, SamSam hit the Colorado Department of Transportation computers and encrypted files. City officials shut down more than 2,000 computers while they investigated the attack.

The group behind SamSam has made over $850,000 since December 2017. 

SamSam hits City of Atlanta

March 22, 2018 – The Mayor of Atlanta, Georgia has confirmed that several local government systems are currently down due to a ransomware infection and said the infection took root at around 5:40 AM, local time.

Mayor Keisha Lance Bottoms expects city departments to open tomorrow, but operate without IT support. Asked if the city plans to pay the ransom note, Mayor Bottoms said “We can’t speak to that right now. We will be looking for guidance from specifically our federal partners.”

Not all IT infrastructure were affected because the city was in the process of moving some systems to cloud services, and those were not affected.

How did this happen? 

According to experts, the cause was likely a port that should not have been open. The SamSam malware looks for certain critical files. It encrypts them with AES 256-bit encryption and asks for a Bitcoin to be sent to a Bitcoin wallet. The city has RDP exposed to the public, as well as VPN gateways, FTP servers, and IIS installations. Most of them have SMBv1 enabled, making the task of spreading the ransomware easier.

What next? 

Once the city recovers from the ransomware attack, the next step is what to do to keep it from happening again. Here’s what Jarvis recommends:

  • Turn off RDP. It should never be used on any public facing port and its use should be discouraged anywhere else on a network.
  • Turn on two-factor authentication. Brute force credential attacks won’t work if two-factor authentication is in place.
  • Perform regular audits of your external network for open remote access ports. You can use the Shodan browser for this.
  • Have robust credentials. Weak credentials make a break-in easier and faster.
  • Use whitelisting. That means keep a list of the sites on the internet where users are allowed to go, and a list of what sites can have access to your network.

We would like to add a few more suggestions:

  • Check for Vulnerabilities
  • Patch, Patch, Patch
  • Train Your HUMAN firewall!

As of today, some of the City of Atlanta’s computer systems are still shut down.  The hackers are demanding $51,000 to unlock the system. City officials are still trying to determine the full extent of the attack. We haven’t heard much from the City of Atlanta, which makes it even more concerning. 

Avoid Ransomware

Related Posts
FBI Warning: Recent Ransomware Attacks
recent ransomware attacks

The FBI released a warning about recent ransomware attacks. Find out more about those attacks and how to prevent them Read more

Using Machine Learning to Improve Endpoint Security

The threat landscape is as dangerous as ever. Machine learning, endpoint security will help improve the security of the most Read more

2017 Ransomware Report from Cybersecurity Insiders

The single biggest cybersecurity threat to both business and government organizations = Ransomware. Read more to see the recent reports.

Cybersecurity Issues That Concern Decision Makers Most

According to the FBI, the financial impact of cybercrime in general is hard to assess. But they estimate that ransomware Read more

Get The Latest Cyber News In Your Inbox

Cyber news and threat updates from our cybersecurity experts.

You have Successfully Subscribed!

Users love Cybriant on G2

You have Successfully Subscribed!