Colorado Department of Transportation is the Latest Victim of SamSam Ransomware

Colorado Department of Transportation is the latest state department to be hit by a ransom-demanding infection, and this time it is the infamous SamSam Ransomware. This devious threat was first discovered in 2015, but it did not gain attention until early 2016, when it hit the MedStar network, which at the time managed 10 hospitals in Baltimore, Maryland, and Washington. The ransom that the creator of the infection demanded was 45 Bitcoins, which, back then, was just $18,500. If this much were requested today, the victim would be dealing with a ransom of nearly $450,000. Throughout the years, the attackers behind this malicious threat have not ceased, and at least two major attacks occurred within just this last month. Two things are clear: ransomware is not going away, and we still fail to protect ourselves against malicious attacks.

The malicious SamSam Ransomware is not the kind of threat that is targeted at regular Windows users. Instead, its creator is using it to terrorize state departments and organizations. Last month, we saw the reemergence of this malware when it attacked the Hancock Health hospital in Greenfield, Indiana. According to a ZDNet report, the infection exploits unsecured internet-facing systems – the ones with outdated applications and software – to spread. It was recently reported that the attackers hiding behind SamSam Ransomware had extorted at least $350,000 in the past few months, but the actual number could be much bigger. Hancock Health on its own paid a ransom of $55,000 after the infection slithered in, infected multiple systems on the network, and corrupted hundreds of patient records. It was reported that over 1,400 files were corrupted after the attacker gained access to the system using a third-party vendor's credentials via a remote-access portal.

Hancock Health’s CEO, Steve Long, stated that all records and files were backed up and could have been recovered; however, it would have taken too long, and the cost would have been too high, which is why the decision to make the payment was made. Hancock Health was lucky because the attackers restored the files after the payment of 4 Bitcoins was made. In the grand scheme of things, this ransom is not that big for an organization of that size, which is why it is not surprising that the ransom was paid. What is surprising is that the files were decrypted. For example, the Heart Hospital in Wichita, Kansas was also affected by file-encrypting ransomware back in 2016, and although the hospital paid the ransom, the files were not restored. There are more and more recorded instances of ransomware hitting hospitals, and while it all might not be as dramatic as depicted in ABC’s hospital drama “Grey’s Anatomy” (in the “Out of Nowhere” episode, a ransom of $20 million is requested), such attacks can disrupt patient care, and that is why hospitals need to take better security measures.


The latest victim of the SamSam Ransomware is the Colorado Department of Transportation (CDOT). The infection was first discovered on Wednesday, and the department is still dealing with it. State spokeswoman Brandi Simmons has said that the ransom will not be paid, and that the department is equipped to run without computers for the time being. The FBI is involved in the investigation, and it is hoped that the issues can be resolved soon. The good news is that cameras, message boards, CoTrip, and traffic alerts are running without any disruption, so commuters should not be affected by the issue. In the meantime, a security patch was applied to ensure that the threat does not spread any further. Hopefully, the CDOT gets back on track soon, and the malicious SamSam Ransomware is removed successfully. Unfortunately, the threat will not cease until everyone takes care of their security.

Needless to say, the attackers behind SamSam Ransomware are earning a lot of money by infecting the systems and networks that belong to health providers, state departments, and other major targets. This is why the infection is unlikely to go anywhere anytime soon. What should be done? First and foremost, it is imperative that every organization, department, company, business, and user applies security updates. While most ransomware threats spread using misleading emails, the devious SamSam Ransomware has proven that systems running outdated apps and software can be infected as well. Staying on top of security on a day-to-day basis should be taken seriously, because any new security backdoor or loophole could be exploited by remote attackers. Overall, prevention is key, because once in, this malware wreaks havoc, and, unless all files are backed up, the victims might have no other option but to kneel to cyber criminals.

References:

Ahearn, C. April 18, 2016. Held for Ransom: A case study of a recent ransomware attack. RSA.
Chuang, T. February 21, 2018. SamSam virus demands bitcoin from CDOT, state shuts down 2,000 computers. The Denver Post.
Osborne, C. January 17, 2018. US hospital pays $55,000 to hackers after ransomware attack. ZDNet.
Palmer, D. February 15, 2018. This lucrative ransomware campaign secretly surveys vulnerable networks to maximise infections. ZDNet.
Quinn, S. January 16, 2018. Hospital pays $55,000 ransom; no patient data stolen. Daily Reporter.