The hacker group behind the notorious SamSam ransomware has attacked at least 67 different organizations using a new ransomware variant. Among the 67 entities, a total of 57 are located in the US and a quarter of the affected organizations are healthcare organizations, new research revealed.

SamSam ransomware and its authors were well known for other targeted attacks such as the attack on the City of Atlanta's municipal agency in March 2017 and on the medical-testing giant LabCorp in July the same year.

“SamSam continues to pose a grave threat to organizations in the U.S,” Symantec researchers said in a blog post. The firm also released data that revealed the organizations that have been targeted by SamSam ransomware in the last 10 months.

Stealthy and targeted ransomware

SamSam ransomware authors choose their targets carefully, which makes them different from other cybercriminals operating other common ransomware families. According to Symantec, SamSam relies on a unique infection vector, unlike other ransomware attacks that spread via spam phishing emails.

SamSam ransomware begins its attack by compromising the remote desktop protocol (RDP), using brute force attacks on networks or leveraging stolen credentials bought from underground forums. The ransomware also maintains a highly hidden profile after the initial infection to spread to many other computers in the network.

“The SamSam group’s modus operandi is to gain access to an organization’s network, spend time performing reconnaissance by mapping out the network, before encrypting as many computers as possible and presenting the organization with a single ransom demand,” Symantec researchers said.

Attacks targeting US organizations

Over the last 10 months, researchers have found evidence of SamSam targeting attacks against various organizations in the US, Portugal, France, Australia, Ireland, and Israel. More than 80 percent of them were found targeting US organizations, said Symantec researchers.

Meanwhile, over 24 percent of attacks in 2018 targeted the healthcare sector. Researchers suspect that the reason behind the healthcare sector having been so severely targeted could have been because the hackers found healthcare organizations easier to infect.

A vast number of local government organizations in the US were also targeted by the group. One of the organization was also involved in the administration of the US midterm elections.

“With the midterm elections in the U.S. taking place on November 6, the focus is naturally on cyber information operations and threats to voting data integrity,” Symantec researchers said.

SamSam’s attack techniques

SamSam ransomware author use ‘living off the land’ tactics to laterally move across networks. This also allows the cybercriminals to take advantage of various system operational features and administration tools used by the organization to compromise the target.

In various instances, researchers also found the malware authors drop two sets of SamSam ransomware variant. This was to ensure that in the event of one variant was detected, the other could be successful.

Stronger passwords and two-factor authentication should be used by organizations to protect against SamSam ransomware threats. As the ransomware infects via RDP, organizations should restrict access to public-facing ports.

“A successful SamSam attack will likely be highly disruptive to any affected organizations. In the worst-case scenario, if no backups are available or if backups are encrypted by SamSam, valuable data could be permanently lost in an attack. Even if an organization does have backups, restoring affected computers and cleaning up the network will cost time and money and may lead to reputational damage,” Symantec researchers said.

Cyware Publisher