There have been 10 SamSam ransomware attacks since December 2017, mostly on government agencies and healthcare providers in the United States; further attacks have been reported in India and Canada.
One of the attacks, in January 2018, hit Allscripts. Because this EHR provider's system was down for several days, 1,500 medical practices could not access patient data; some of them were locked out for a week.
Another SamSam attack hit the City of Atlanta in March 2018. To stop the ransomware from spreading, the city had to shut down its IT systems. The attacker exploited a Windows Server Message Block v1 (SMBv1) vulnerability on a public-facing server to install the ransomware; the WannaCry and NotPetya attacks of May and June 2017 exploited the same vulnerability.
Hancock Health was one of two hospitals in Indiana hit by a SamSam ransomware attack. Hancock's management chose to pay the ransom rather than restore the files from backups, in order to avoid disrupting patient services. The Colorado Department of Transportation suffered two separate SamSam attacks, one in February and another in March.
Erie County Medical Center was also infected by the ransomware through an unpatched vulnerability. The hospital chose not to pay the ransom but needed six weeks to recover fully, and it spent several million dollars fixing its systems.
It might seem that ransomware gangs target the government, healthcare and education sectors, but the attacks on HHS and Cisco Talos show the campaign's opportunistic nature. Because of the disruption to services and the cost of mitigating an attack, many healthcare organizations opt to pay the ransom.
The attackers behind SamSam use a range of intrusion methods, but the group is known for exploiting vulnerabilities in public-facing servers and for using compromised RDP/VNC (Remote Desktop Protocol/Virtual Network Computing) servers. Some threat actors find RDP services exposed to the internet and brute-force accounts that have weak passwords.
After gaining access to a server, the attackers install the ransomware and spread it laterally, causing massive disruption. Even organizations that have backups and can restore their systems face a lengthy interruption to business operations before full recovery, which is why many choose to pay rather than wait. In one case, the ransom demanded from the City of Atlanta was $6,800 per infected endpoint.
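The RDP password-guessing route to initial access described above leaves a characteristic trace in the Windows Security log: a burst of failed logons (event 4625) from one source address, followed shortly by a successful logon (event 4624). The detector below is an added example written for this page, not code from the article or from any vendor; the log lines are constructed sample data (the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges), and the pipe-separated record format, the field order and the threshold values are assumptions chosen for the example. The event IDs and logon type 10 (RemoteInteractive, i.e. RDP) are the real Windows values.

```python
"""Flag RDP password-guessing bursts that are followed by a successful logon.

Windows Security log semantics used here (real values):
  4625 = An account failed to log on
  4624 = An account was successfully logged on
  Logon type 10 = RemoteInteractive (RDP); type 3 = Network (e.g. SMB shares).
Everything in SAMPLE_LOG is constructed for this example, not from a real incident.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (assumed format): time|event_id|logon_type|src_ip|user
SAMPLE_LOG = """\
2018-03-22T02:10:01|4625|10|203.0.113.45|administrator
2018-03-22T02:10:03|4625|10|203.0.113.45|admin
2018-03-22T02:10:04|4625|10|203.0.113.45|backup
2018-03-22T02:10:06|4625|10|203.0.113.45|sqlsvc
2018-03-22T02:10:07|4625|10|203.0.113.45|helpdesk
2018-03-22T02:10:09|4625|10|203.0.113.45|administrator
2018-03-22T02:11:30|4624|10|203.0.113.45|helpdesk
2018-03-22T02:15:00|4625|10|198.51.100.7|jsmith
2018-03-22T02:15:40|4624|10|198.51.100.7|jsmith
2018-03-22T03:00:00|4624|3|10.0.0.8|fileserver$
"""

FAIL_THRESHOLD = 5              # this many failures from one source ...
WINDOW = timedelta(minutes=5)   # ... inside this window counts as guessing
RDP_LOGON_TYPE = 10


def parse_line(line):
    """Split one pipe-separated record into a dict with typed fields."""
    ts, event_id, logon_type, src_ip, user = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
            "logon_type": int(logon_type), "src_ip": src_ip, "user": user}


def detect_rdp_bruteforce(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return (severity, src_ip, detail) alerts in log order.

    'medium' = a burst of failed RDP logons from one source inside the window.
    'high'   = a successful RDP logon from an already-flagged source within
               the window of its last failure (likely a guessed password).
    """
    failures = defaultdict(deque)   # src_ip -> timestamps of recent 4625 events
    flagged = set()                 # sources already reported for guessing
    alerts = []
    for raw in log_text.strip().splitlines():
        ev = parse_line(raw)
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue                # only RemoteInteractive (RDP) sessions
        recent = failures[ev["src_ip"]]
        if ev["event_id"] == 4625:
            recent.append(ev["ts"])
            while recent and ev["ts"] - recent[0] > window:
                recent.popleft()    # drop failures that fell out of the window
            if len(recent) >= threshold and ev["src_ip"] not in flagged:
                flagged.add(ev["src_ip"])
                alerts.append(("medium", ev["src_ip"],
                               f"{len(recent)} failed RDP logons within {window}"))
        elif ev["event_id"] == 4624:
            if (ev["src_ip"] in flagged and recent
                    and ev["ts"] - recent[-1] <= window):
                alerts.append(("high", ev["src_ip"],
                               f"successful RDP logon as {ev['user']} "
                               f"after password guessing"))
    return alerts


if __name__ == "__main__":
    for severity, src, detail in detect_rdp_bruteforce(SAMPLE_LOG):
        print(f"[{severity}] {src}: {detail}")
```

On the sample data this yields two alerts for 203.0.113.45 (a medium one on the fifth failure, then a high one when the `helpdesk` logon succeeds) and nothing for the user who mistyped a password once. One caveat when adapting this to real event data: on hosts with Network Level Authentication enabled, failed RDP attempts are commonly recorded as logon type 3 rather than 10, so a production rule should key on the source address and the failure burst rather than on logon type 10 alone, and use logon type 10 mainly to confirm the subsequent interactive session.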