Security Alert
Jonathan Crowe
Jan 2018

SamSam Ransomware Attacks Surging, Net $325,000 in Past 4 Weeks


Successful attacks targeting hospitals, city municipalities, and other organizations have already netted attackers $325,000. Experts worry the campaign is just getting started.

Key Details

  • What's happening: A series of high-profile malware infections has been tied to the SamSam ransomware group. Victims include electronic health records provider Allscripts, an unnamed Industrial Control Systems (ICS) company, and two Indiana hospitals, among others.

  • Attacks are targeted: SamSam isn't spread indiscriminately. Instead, attackers typically gain access to target servers via weak or stolen credentials, often identifying prospective victims by scanning the Internet for computers with exposed Remote Desktop Protocol (RDP) connections. The group has historically homed in on healthcare providers, but these attacks indicate they're branching out.
  • At least $325,000 in Bitcoin ransom paid so far: One Bitcoin wallet address included in the ransom notes shows 30.4 Bitcoin (roughly $325,304) deposited and then withdrawn. The attackers likely use more than one wallet, so the real total is probably higher.
  • One hospital confirmed paying $55,000 ransom: Officials at Hancock Health, a regional hospital in Indiana, explained they paid attackers $55,000 because restoring from backups would have taken days or weeks when they needed systems up sooner. After the fact, it was determined backup files had been corrupted, so restoring from backup wouldn't have been an option in any case.
  • Protecting your company: SamSam is one of a growing list of ransomware families that primarily infects victims via exposed RDP ports. Securing RDP is therefore key.
  • Protection against this and new ransomware variants: Barkly blocks ransomware with protection that goes above-and-beyond what AV provides. No more waiting for signatures and updates — learn how Barkly uses a smarter way of defending endpoints


2018 may be just three weeks old, but already we're seeing reports of a dangerous ransomware campaign in full swing.

So far, confirmed victims include Indiana-based Adams Memorial Hospital, electronic health records (EHR) provider Allscripts, an unnamed Industrial Control Systems (ICS) company, and the municipality of Farmington, New Mexico. The most high-profile case, however, is another Indiana-based hospital — Hancock Health — which made headlines for its decision to pay a $55,000 ransom in order to regain access to its files and restore its systems.  

The ransomware used in these attacks has been identified as a new variant of SamSam, a family of ransomware with a long history of infecting healthcare providers in particular. Not only does this latest campaign indicate SamSam operations are alive and well, it also suggests the attackers behind SamSam are now targeting organizations in other sectors, as well. 

Understanding the SamSam attack chain: How victims are getting infected

Many of the recent victim organizations have not released details confirming how they were infected, but SamSam has historically been used in targeted attacks designed to gain initial access to vulnerable servers and spread the ransomware manually from there. 


SamSam attack diagram

SamSam gained initial notoriety in 2016 for exploiting a vulnerability in JBoss application servers and using it to gain footholds in victim networks. After experiencing initial success targeting the healthcare industry, attackers expanded their campaigns to attack schools and government organizations as well.

In 2017, SamSam resurfaced, this time targeting organizations with Remote Desktop Protocol (RDP) connections exposed. RDP was developed by Microsoft as a remote management tool. It's commonly available on internal networks for administration and support, but when exposed to the wider Internet it becomes a beacon for attackers.

By using port scanning tools like masscan, attackers can easily home in on systems with open ports (RDP listens on TCP port 3389 by default). Once found, the standard drill is to try to gain access by conducting brute force attacks designed to guess weak or default passwords.
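The brute force stage described above leaves a trail on the target: every guess is a failed logon, Security Event ID 4625, from the same source address. The following detection script is an added example written for this post, not code from Barkly or from any SamSam analysis; it counts 4625 events per source IP and flags addresses whose failure rate inside a short window looks like password guessing rather than a mistyped password. The threshold and window values, the sample IP addresses, and the usernames in the constructed sample are assumptions chosen for illustration.

```powershell
# Added example: flag RDP brute-force attempts by counting failed logons
# (Security Event ID 4625) per source address. Assumes a Windows host with
# failed-logon auditing enabled and PowerShell 3.0 or later.

function Get-FailedLogonRecords {
    # Pull raw 4625 events and project the three fields the detector needs.
    param([datetime]$Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = $d['TargetUserName']
                IpAddress = $d['IpAddress']
                LogonType = [int]$d['LogonType']
            }
        }
}

function Find-RdpBruteForce {
    param(
        [Parameter(Mandatory)][object[]]$Records,
        [int]$Threshold = 10,       # assumption: failures per window that count as an attack
        [int]$WindowMinutes = 5     # assumption: sliding window size
    )
    # Caveat: with Network Level Authentication enabled, a failed RDP logon is
    # recorded as LogonType 3 (the CredSSP pre-auth is a network logon); only
    # without NLA does it appear as LogonType 10. Filter on both, not on 10 alone.
    $Records |
        Where-Object { $_.LogonType -in 3, 10 -and $_.IpAddress -and $_.IpAddress -ne '-' } |
        Group-Object IpAddress |
        ForEach-Object {
            $sorted = @($_.Group | Sort-Object Time)
            # Sliding window: find the densest run of failures from this source.
            $max = 0
            for ($i = 0; $i -lt $sorted.Count; $i++) {
                $start = $sorted[$i].Time
                $end   = $start.AddMinutes($WindowMinutes)
                $n = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -lt $end }).Count
                if ($n -gt $max) { $max = $n }
            }
            if ($max -ge $Threshold) {
                [pscustomobject]@{
                    IpAddress    = $_.Name
                    Failures     = $_.Count
                    PeakInWindow = $max
                    UsersTried   = (@($_.Group | ForEach-Object { $_.User }) | Sort-Object -Unique) -join ','
                }
            }
        }
}

# Constructed sample so the logic runs without a live Security log:
# 12 failures in under 90 seconds from one external address spraying
# admin-style usernames, plus one typo from an internal helpdesk machine.
$t0 = Get-Date '2018-01-11 21:30:00'
$names = 'administrator', 'admin', 'backup', 'scanner', 'sqladmin', 'test'
$sample = @()
for ($i = 0; $i -lt 12; $i++) {
    $sample += [pscustomobject]@{ Time = $t0.AddSeconds(7 * $i); User = $names[$i % 6]; IpAddress = '203.0.113.45'; LogonType = 3 }
}
$sample += [pscustomobject]@{ Time = $t0.AddMinutes(12); User = 'jsmith'; IpAddress = '10.20.0.15'; LogonType = 10 }

# Only 203.0.113.45 is reported; the single internal failure stays below threshold.
Find-RdpBruteForce -Records $sample | Format-Table -AutoSize

# Against the live log instead:
# Find-RdpBruteForce -Records (Get-FailedLogonRecords -Since (Get-Date).AddHours(-24))
```

Run it on a schedule against the last day of events, or feed the same grouping to a SIEM rule. The source address is the useful pivot: a spray from one external IP is what the masscan-then-guess workflow looks like, whereas a lockout caused by a user's stale saved credential shows one username from one internal address.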

In April 2017, attackers used an RDP brute force attack to infect Erie County Medical Center, a major hospital in Buffalo, New York, with SamSam. More than three months later, the hospital estimated the total cost of recovery from the attack had reached $10 million.


A high-level history of SamSam ransomware campaigns

The one recent infection we do have more details on is Hancock Health. According to a surprisingly detailed and transparent blog post written by CEO Steve Long, the attack on Hancock Health began at approximately 9:30pm on Thursday, January 11, 2018. Attackers were able to use login credentials stolen from a third party hardware vendor to access a server located in the hospital's emergency IT backup facility. From there, they used "remote execution techniques" to deploy SamSam on other machines, encrypting "files associated with the most critical information systems of the hospital."

Hancock Health isn't the only victim to pay the ransom


SamSam ransom note left behind after infecting the City of Farmington, NM. Source: Daily Times

Giving in to attackers' demands is something no company executive or IT professional wants to consider. In the case of the Hancock Health infection, however, the executive leadership team determined recovering encrypted data from backup wasn't going to be a reliable or fast enough option, especially since the source of the infection was a server at the backup site. 

According to Hancock CEO Steve Long, the decision to pay the ransom simply made more sense from a business standpoint. "These folks have an interesting business model," he said of the attackers. "They make it just easy enough. They price it right."

Afterwards, it was determined that "core components of the backup files...had been purposefully and permanently corrupted by the hackers." So recovering from backup wasn't actually an option the hospital could have chosen in any event.


Hancock Regional Hospital notice alerting employees all computers were shut down. Source: Daily Reporter

Even after paying the attackers and receiving the decryption keys, getting the hospital network back up and running required around-the-clock work from IT staff and multiple outside security firms. Recovery efforts stretched through the weekend, during which time the hospital stayed open but operated on downtime procedures, including writing patient documentation on paper by hand.

Targeting healthcare, government, and other organizations with little tolerance for downtime is a calculated decision that pays off for criminals more often than we'd like to think. The Bitcoin wallet address referenced in the ransom note left behind on City of Farmington computers received a total of 14 deposits between December 25, 2017 and January 20, 2018, which suggests 14 victims decided to pay the attackers. The total amount transferred adds up to roughly $325,000, and it's very likely the attackers behind SamSam are using more than one wallet.

That kind of money is all the encouragement criminals need to ramp up their attacks. It's clear SamSam infections are revving up, so it's important for healthcare providers and organizations in all verticals to be ready to identify and block attacks before they can do any damage. 

Preventing SamSam infections

As the attack on Hancock Health makes disturbingly clear, focusing solely on backup and recovery puts organizations in an extremely risky, make-or-break position. Instead, IT leaders need to ensure they're doing everything they can to prevent successful infections in the first place.

With that in mind, here are two things you can do now to reduce your risk of SamSam attacks:

1) Secure RDP

Remote Desktop has become one of the most popular tools for attackers to abuse. Make sure you secure it by doing the following:

  • Restrict access behind firewalls and require an RDP Gateway or VPN instead of exposing port 3389 directly
  • Use strong passwords and two-factor authentication
  • Limit which users can log in using Remote Desktop
  • Implement an account lockout policy to help thwart brute force attacks
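The four controls above translate into a short hardening script on a Windows member server. The script below is an added example for this post, not Barkly's or Microsoft's own tooling; it scopes the inbound RDP firewall rules to a management subnet, turns on Network Level Authentication, restricts the Remote Desktop Users group to a dedicated admin group, and sets a local lockout policy. The subnet, the group name, and the password and lockout values are placeholders you should adjust; two-factor authentication is enforced at the RDP Gateway or VPN (for example via NPS/RADIUS) rather than by RDP itself, so it is not scripted here.

```powershell
# Added example: apply the RDP controls listed above on a Windows member server.
# Assumes PowerShell 5.1 or later, run as Administrator. On a domain, password and
# lockout policy for domain accounts comes from Group Policy; 'net accounts' here
# only governs local accounts on this host.

$MgmtSubnet = '10.20.0.0/24'       # assumption: where RDP Gateway / VPN clients land
$RdpAdmins  = 'CORP\RDP-Admins'    # assumption: the only group allowed to use RDP

# 1) Restrict access: scope the built-in inbound Remote Desktop rules to the
#    management subnet so port 3389 is unreachable from arbitrary addresses.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $MgmtSubnet -Enabled True

#    Require Network Level Authentication so a client must authenticate before
#    a session (and its logon screen) is created at all.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name 'UserAuthentication' -Value 1 -Type DWord

# 2) Strong passwords: raise the minimum length for local accounts.
#    (Complexity requirements are set through Local Security Policy / GPO.)
net accounts /minpwlen:14 | Out-Null

# 3) Limit who can log in over RDP: empty the Remote Desktop Users group and
#    add only the dedicated admin group.
Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
    ForEach-Object { Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member $_.Name }
Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $RdpAdmins

# 4) Account lockout: five bad guesses lock the account for 30 minutes, which
#    turns a masscan-then-brute-force run into a slow and noisy one.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null

# Verify what was applied.
net accounts
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
Get-LocalGroupMember -Group 'Remote Desktop Users'
```

Run it once on a test server first: scoping the firewall rule to the wrong subnet locks you out of your own remote session, and emptying Remote Desktop Users removes any service accounts that were quietly relying on it.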

2) Augment or replace your AV with smarter endpoint protection


Today's advanced attacks bypass antivirus and whitelisting solutions by leveraging new malware samples alongside legitimate system admin tools. To stop these attacks, endpoint security solutions need the ability to see and block malicious activity.

Barkly has the deepest visibility of any endpoint agent, monitoring processes across user space, the OS, and the CPU. See it in action vs. SamSam below.

We'll be following future SamSam campaigns closely, and will share details here on the blog. Subscribe to get updates delivered straight to your inbox.

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical perspective.

