New SamSam Ransomware Targets Healthcare, Government and ICS Networks

What Is It?

Researchers from Cisco TALOS recently released details of a new variant of the SamSam ransomware, which has affected organizations in several industry verticals, including government, healthcare and ICS.

Media reports have advised various healthcare organizations have been affected in recent days, including MedStar, a non-profit group that manages 10 hospitals in the Baltimore and Washington, DC area, Chicago-based AllScripts and Hancock Health Hospital, as well as Adams Memorial Hospital in Indiana. The government municipality of Farmington, New Mexico has also been impacted.

The initial infection vector has not yet been determined, though it is believed to be consistent with previous SamSam variants, where the attackers manually install the ransomware after compromising the corporate network and moving laterally to identify which business critical servers would make the best targets.

The ransomware consists of two components, a loader and an encrypted payload, both delivered as .NET executables. By design, the attackers must manually activate the ransomware using a randomly generated encryption key. SamSam is not a mass market ransomware such as WannaCry, but it is designed to be deployed on high value targets.

Researchers have determined at least one Bitcoin wallet is being used to collect ransom payments. Currently this wallet has collect 30.4 Bitcoin, which at the time of writing is worth approximately US$306K.

How Does It Propagate?

Unlike many other strains of ransomware, SamSam does not self-propagate.

Researchers have not yet determined with certainty the initial infection vector which then allowed the attackers to install the SamSam ransomware. However, they believe it may be compromised Remote Desktop Protocol (RDP) and VNC servers which gave the attackers their first foothold into entering corporate networks. This is another reminder that a determined attacker will find any weakness in your perimeter defense. Best practice dictates that RDP and VNC servers should not be accessible from the internet.

When/How Did BluVector Detect It?

BluVector’s patented machine learning malware detection engine detects SamSam ransomware as malicious. Regression testing on several samples has shown they would have been detected by BluVector an average of 12 months prior to their release.

All Threat Reports