DHS & FBI Alert Public Of SamSam Attacks In U.S.
By: Jim Stickley and Tina Davis
January 25, 2019
Earlier this month, US-CERT (Computer Emergency Readiness Team) posted an Alert on its website from the DHS (Department of Homeland Security), in conjunction with the FBI, about the notorious and thriving SamSam ransomware group. SamSam and the hackers behind it have carried out devastating ransomware attacks, particularly against educational institutions and hospitals in the US and other countries. The ransom is demanded in bitcoin so the attackers can remain anonymous, and payment is required before the locked, encrypted, and unusable computer systems can be restored. Once the ransom is paid, a key is promised to decrypt the data and restore the systems.
Researchers discovered that although SamSam targets a range of industries, healthcare organizations in the US are currently the most common target. Symantec found that of 67 SamSam attacks this past year, 56 were in the US, and of those targeted, 24% were in healthcare. It is widely believed that ransomware targets healthcare specifically because access to patient information is often needed on a second-by-second basis. Holding that data for ransom literally puts lives at risk, so ransom demands are more likely to be paid. Still other attacks have taken down city services as well as police and other law enforcement agencies. According to a report by Sophos, the SamSam hacking group nets around $300,000 in ransom payments per month. The FBI, however, advises against paying ransoms, believing that payment only encourages the attacks to continue. The decision whether to pay may depend on an organization's commitment to cybersecurity and on how frequently it backs up its data. Those backups should be tested regularly to ensure they work properly when needed.
There are currently no signs of SamSam slowing down even though two of its alleged members were indicted this year for creating and disseminating the ransomware. The US-CERT Alert from the DHS and FBI recommends many ways to minimize vulnerability to these attacks. Below are just a few suggestions.
- Never reply to email requests for financial or personal information. Instead, contact the person or the organization at the legitimate phone number or website. Do not use contact information provided in the email, and do not click on any attachments or hyperlinks in the email.
- Do not open suspicious email file attachments, even if they come from known senders. If an unexpected attachment is received, contact the sender to verify.
- Do not provide passwords, PINs, or other access codes in response to emails or unsolicited popup windows. Only enter such information into the legitimate website or application.
- Regularly apply system and software updates.
- Enable strong passwords and account lockout policies, and when possible, use two-factor authentication.
And of course, always make sure backups are completed regularly, stored separately from the network, and verified to be working in case they are needed quickly.