The group behind the disruptive SamSam ransomware has attacked 67 different organizations in 2018, nearly a quarter of which were health care organizations, new research shows.
SamSam, which is deployed in a more targeted way than other ransomware, hobbled Atlanta’s municipal agencies in March, and it was reportedly the malware that struck medical-testing giant LabCorp in July.
On Tuesday, cybersecurity company Symantec released data showing that of the 67 organizations targeted by the SamSam group in the last 10 months, more than 80 percent are based in the United States.
“SamSam continues to pose a grave threat to organizations in the U.S.,” a Symantec blog post states. “The group is skilled and resourceful, capable of using tactics and tools more commonly seen in espionage attacks.”
It is unclear why the group has its sights on the health care sector, Symantec said. “The attackers may believe that health care organizations are easier to infect. Or they may believe that these organizations are more likely to pay the ransom.”
In January, after SamSam hit an Indiana hospital computer network, hospital officials paid hackers roughly $50,000 to unlock the data.
Allan Liska, senior security architect at cyberthreat intelligence company Recorded Future, has told CyberScoop that the health care sector has gotten better at defending against less discriminate forms of ransomware but is struggling to cope with SamSam’s targeted operations.
The group does its homework before going after an entire organization’s computer network.
SamSam’s “modus operandi is to gain access to an organization’s network, spend time performing reconnaissance by mapping out the network, before encrypting as many computers as possible and presenting the organization with a single ransom demand,” the Symantec blog states.
Security experts advise organizations to back up their data to defend against ransomware attacks. According to the new research, the SamSam group is bringing its own backups to network showdowns.
In one February attack that Symantec studied, the hackers loaded two versions of SamSam, likely in case one iteration was detected by security protections. Two days passed between the first evidence of an intrusion and the encryption of hundreds of the organization’s computers.