Security Alert
Jack Danahy
Mar 2017

Ransomware Attack Costs Idaho County $100,000

Key Details

  • Type of attack: Ransomware (Samas / SamSam)
  • Attack vector: Brute force login via an open port on a server
  • Damage/costs: $3,500 paid ransom, nearly $100,000 in recovery costs
  • empty
  • empty
  • empty
  • empty
  • empty

Stop ransomware attacks other solutions miss
Get protected

On February 15, employees for Bingham County, Idaho, discovered they were locked out of crucial systems involved in dispatching emergency responders.

IT staff were woken up at 4am and called in to assess the situation. They quickly learned ransomware had encrypted the county servers, making computer systems inaccessible. A link was left behind in every folder that directed them to a ransom note that announced all files had been encrypted with RSA-2048 encryption. The only way to recover the files was with a private decryption key. And the only way to get that was to pay the criminals 28 Bitcoins, roughly $28,000.

samsam ransom note.jpg

Print-out of ransom screen from Bingham County attack. Source: East Idaho News


How attackers got in

According to an IT contractor who was called in to address the incident, the criminals were able to find an open port on the county’s servers that was exposed to the internet. From there, it was simply a matter of using a brute force attack to crack the password and gain access, something that automated tools can allow hackers to do in a matter of hours, minutes, or — in the case of default or extremely simple passwords — seconds.

“They kept doing that until they were able to get administrative rights,” the contractor said. “When they got those rights, they dumped their program on us and encrypted everything.”

Based on the ransom note left behind, the ransomware appears to be Samsam, a strain that gained prominence in 2016 for targeting hospitals via unpatched server vulnerabilities.

Recovery attempt fell short — not all servers were backed up

County officials initially sought to avoid paying the ransom, believing they would be able to recover all the encrypted data thanks to having multiple backup systems in place. Unfortunately, three servers could not be restored from backup.

Note: They’re not alone. In a survey Barkly conducted with companies that had experienced ransomware attacks, less than half were able to fully recover all their data from backup. Find out why.


In order to recover the information on those three servers, the county paid three Bitcoin, at that time roughly $3,500, and were provided the decryption key. Fortunately, the county carried cyber insurance through the Idaho Counties Risk Management Program (ICRMP), which reportedly mitigated most of the cost of the ransom.

$100,000 in recovery costs — the damage is still adding up

Despite being able to recover the encrypted information by paying the ransom, however, restoring the servers from backup and getting everything back to normal is an ongoing task consuming considerable time and resources.

“We basically had to completely rebuild our servers,” another IT contractor explained. “The removing of the encryption will take days to complete due to the massive amount of information affected.”

The IT team calculated the cost of repairing the servers nearing the $100,000 mark, and estimated it could take until 2018 to be 100 percent back to normal.

Lessons learned — how to protect your organization from a similar brute-force ransomware attack

This incident appears to be the latest in a growing number of attacks where criminals capitalize on open ports and weak credentials to deliver ransomware. A spike in similar brute-force attacks was spotted by researchers at Trend Micro in January, this time exploiting open Remote Desktop Protocol (RDP) ports and spreading Crysis ransomware.  

It marks a slight shift in strategy from the 2016 Samsam attacks that exploited unpatched JBoss vulnerabilities to gain access to hospital servers and networks, but the general concept is the same — rather than trying to sneak past heavily guarded gateways, attackers are simply walking through doors that are already partially open.

Step 1: Hold the door

The obvious first step to defending against this kind of attack is to find your open doors and close them (if possible).

  • Identify all the open ports and services on your network

    Port scanning tools like Nmap can help you find open ports on your network, and it’s good to keep in mind criminals have access to these tools, as well. One particular port scanning tool, masscan, boasts that it can scan the entire Internet in under 6 minutes. It’s easy to see how hackers can quickly amass a large target list of potential victims.

    Here’s a tutorial from DigitalOcean that walks you through how to test your firewall configuration and see what your network looks like to an attacker.
  • Make brute-force login attempts more difficult

    At a bare minimum, you should be enforcing strong password policies (though that’s easier said than done). In addition, you can consider implementing an account lockout policy, where, after a certain number of failed login attempts, accounts get locked down.

Step 2: Add the capability of stopping attacks during runtime

Once malware is deployed, there’s still time to prevent the attack from doing any damage.   

  • Employ runtime malware defense

    Runtime Malware Defense (RMD) is a new type of endpoint protection that serves as a last line of defense against malware in the process of executing. By monitoring activity across multiple layers of the system in real-time, and looking for the common behaviors used by malware to gain access and infect the system, RMD is able to block attacks that have slipped past other defenses, before they do any harm.  

    See Barkly's runtime malware defense in action against Cerber ransomware.

Step 3: Be ready, should any of your systems and accounts get turned against you

There are several things you can do in advance to increase your odds of being able to isolate, contain, and limit the damage of an infection.  

  • Don’t give users admin accounts

    It’s good general security advice to practice the principle of least privilege whenever possible by limiting access and authorization to the bare minimum. That way, when a user gets compromised, attackers won’t automatically find themselves with keys to your entire kingdom.


Step 4: Make sure you’re truly capable of restoring lost data

Unless you've actively tested recovering your systems from backup you can't assume that's an option. Even then, it's a last resort you don't want to be forced to rely on. That said, setting up backup properly is obviously a must. 

  • Embrace a 3-2-1 backup strategy

    That means having three copies of your data stored on two different types of media, one of which is offsite. As the attack against Bingham County illustrated, it’s also important to confirm your backup strategy accounts for all of your servers and devices.

    Finally, don’t forget the principle of Schrodinger’s backup — the condition of any backup is unknown until a restore is attempted. Make sure you test it before you need it.


Bottom line: Ransomware attackers will take advantage of any opening they can find, and often it's simple things that go overlooked that provide them with their way in. Following the steps above can help us ensure we're not doing them any favors and that we're better prepared to address attacks that do get through. 


Feature Photo by Erkan Utu

Jack Danahy

Jack Danahy

Jack is a 25-year-veteran in the security industry. Prior to co-founding Barkly he was the founder and CEO of two successful security companies: Qiave Technologies, acquired by Watchguard Technologies in 2000, and Ounce Labs, acquired by IBM in 2009.


Close the gaps in your security

Stop paying for AV, get the strongest protection instead. See how Barkly blocks attacks that are getting past AV.

See a demo


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.