SamSam, the ransomware that had a significant impact on the city of Atlanta earlier in the year, has continued its campaign of attacks against entire organizations, striking 67 targets in 2018, most of them in the US. Cleaning up after a SamSam attack can be expensive: the clean-up costs for the Atlanta attack alone are expected to run over $10 million.
According to anti-virus vendor Symantec, SamSam is targeting healthcare organizations in particular (24% of victim organizations are in that sector). SamSam differs from most ransomware in that the attackers first gain a foothold in an organization and perform extensive reconnaissance across the target network before launching the attack, which typically encrypts data on as many systems as possible at once.
The group then demands a substantial ransom to decrypt all of the organization's computers; such demands can run to tens of thousands of dollars.
Even if you pay the ransom, there’s a 20% chance the hackers won’t restore your encrypted data.
Experts note that while most ransomware families are spread indiscriminately, usually via spam emails or exploit kits, SamSam is used in a targeted fashion. The group's method of operation is to gain access to an organization's network, spend time performing reconnaissance on that network, and then encrypt as many computers as possible before presenting the organization with a single ransom demand.
Unlike many ransomware infections, the results of a SamSam intrusion may not be apparent immediately. In one attack in February 2018, two days passed between the first evidence of intrusion and the eventual encryption of hundreds of computers in the targeted organization. That dwell time is the window in which defenders can still catch the intrusion before any data is encrypted.
The group behind SamSam is skilled and resourceful, using tactics and tools more commonly seen in espionage attacks. It has also been linked to the attack on the Colorado Department of Transportation, which resulted in clean-up costs of $1.5 million.
To defend your organization against SamSam and similar malware, you need an accurate inventory of what assets you have, where they are located and what is installed on them; you cannot protect systems you do not know about.
Backing up important data is the cornerstone of defense against ransomware. However, there have been cases of ransomware encrypting backups that were reachable from the compromised network, so backups must be kept offline or otherwise isolated from the systems they protect, and they are not a replacement for a robust security strategy. Multi-layer malware detection, hardened perimeter defenses and network traffic analysis are also key, so that your IT team can spot unusual activity on the network, such as the reconnaissance phase that precedes a SamSam encryption run, before the damage is done.
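The reconnaissance phase described above, in which one compromised host probes many internal systems before the encryption run, is the kind of "unusual activity" network traffic analysis can surface. The following is an added example (not code from the article, Symantec, or the SamSam operators) of a simple fan-out detector: it reads flow records in an assumed `timestamp src dst dport` text form, counts how many distinct internal hosts each source contacts on lateral-movement ports within a sliding window, and alerts when that count exceeds a threshold. The sample flow lines, the `10.0.0.0/8` internal range, the port list, the 10-minute window and the threshold of 8 are all assumptions chosen for illustration.

```python
"""Fan-out detector for internal reconnaissance (added example, not the
article's or Symantec's code).  Flow records are assumed to be plain text
lines of the form 'timestamp src dst dport'; the sample below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for this example: internal range, services typically used for
# lateral movement, the detection window and the alert threshold.
INTERNAL_PREFIXES = ("10.",)           # treat 10/8 as the internal network
RECON_PORTS = {135, 139, 445, 3389}    # RPC, NetBIOS, SMB, RDP
WINDOW = timedelta(minutes=10)
THRESHOLD = 8                          # distinct internal targets per source per window

# Constructed sample: ordinary traffic from 10.0.1.20, a slow and legitimate
# admin session from 10.0.1.30, and a sweep of twelve hosts on SMB from
# 10.0.1.15 inside one minute.
SAMPLE_FLOWS = """\
2018-02-01T09:00:00 10.0.1.20 10.0.1.1 53
2018-02-01T09:00:02 10.0.1.20 93.184.216.34 443
2018-02-01T09:00:10 10.0.1.20 10.0.2.5 445
2018-02-01T09:01:00 10.0.1.15 10.0.2.1 445
2018-02-01T09:01:04 10.0.1.15 10.0.2.2 445
2018-02-01T09:01:08 10.0.1.15 10.0.2.3 445
2018-02-01T09:01:12 10.0.1.15 10.0.2.4 445
2018-02-01T09:01:16 10.0.1.15 10.0.2.5 445
2018-02-01T09:01:20 10.0.1.15 10.0.2.6 445
2018-02-01T09:01:24 10.0.1.15 10.0.2.7 445
2018-02-01T09:01:28 10.0.1.15 10.0.2.8 445
2018-02-01T09:01:32 10.0.1.15 10.0.2.9 445
2018-02-01T09:01:36 10.0.1.15 10.0.2.10 445
2018-02-01T09:01:40 10.0.1.15 10.0.2.11 445
2018-02-01T09:01:44 10.0.1.15 10.0.2.12 445
2018-02-01T09:30:00 10.0.1.30 10.0.2.40 3389
2018-02-01T10:15:00 10.0.1.30 10.0.2.41 3389
2018-02-01T11:20:00 10.0.1.30 10.0.2.42 3389
"""


def parse_flows(text):
    """Parse 'timestamp src dst dport' lines into sorted (ts, src, dst, port) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    flows.sort()
    return flows


def detect_fanout(flows, window=WINDOW, threshold=THRESHOLD):
    """Return {src: peak distinct internal targets} for every source whose
    peak count of distinct internal hosts on RECON_PORTS, inside any sliding
    window of length `window`, reaches `threshold`."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dst.startswith(INTERNAL_PREFIXES) and dport in RECON_PORTS:
            per_src[src].append((ts, dst))

    alerts = {}
    for src, events in per_src.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, count in detect_fanout(parse_flows(SAMPLE_FLOWS)).items():
        print(f"ALERT: {src} contacted {count} internal hosts on lateral-movement ports within {WINDOW}")
```

On the constructed sample only `10.0.1.15` is reported, with a peak of 12 distinct targets; the admin host touching three servers over two hours never exceeds one per window and stays silent. In practice the threshold and window should be tuned against a baseline of the network's own traffic, and known scanners (vulnerability management, monitoring) whitelisted, or the detector will page on every patch cycle.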
Victims also need to be aware that paying the ransom does not always work: attackers may never send a decryption key, may have implemented decryption poorly so that files are damaged, or may even issue a larger ransom demand after receiving the initial payment.