The Cost of SamSam Ransomware Attacks: $17 Million for the City of Atlanta

The SamSam ransomware attack on the City of Atlanta was initially expected to cost around $6 million to resolve: Substantially more than the $51,000 ransom demand that was issued. However, city officials now believe the final cost could be around $11 million higher, according to a “confidential and privileged” document obtained by The Atlanta Journal-Constitution.

The attack has prompted a complete overhaul of the city’s software and systems, including system upgrades, new software, and the purchasing of new security services, computers, tablets, laptops, and mobile phones.

The Colorado Department of Transportation was also attacked with SamSam ransomware this year and was issued with a similar ransom demand. As with the City of Atlanta, the ransom was not paid. In its case, the cleanup is expected to cost around $2 million.

When faced with extensive disruption and a massive clean up bill it is no surprise that many victims choose to pay the ransom. Now new figures have been released that confirm just how many victims have paid to recover their files and regain control of their computer systems.

223 SamSam Ransoms Paid: Almost $6 Million Generated

A recent analysis of the cryptocurrency wallets used by the threat actor behind the SamSam ransomware has shown there have been 223 ransom payments made by victims in the two and a half years since the release of the first SamSam ransomware variant. The payments almost total $6 million, more that six times the amount previously thought to have been earned by the threat actor behind the attacks.

The figures come from Sophos, which has recently teamed up with a leading cryptocurrency tracking firm, to investigate the attacks.

It was initially thought that the attacks were primarily being conducted on healthcare organizations, educational institutions, and government agencies, although the recent analysis has shown the private sector has attracted the majority of attacks. Healthcare organizations are obliged to report the attacks under HIPAA Rules, which is why it seemed like they were extensively targeted.

26% of all attacks have been on healthcare firms. The majority of attacks have been on private companies and have not been reported. Many attacked firms have chosen to quietly pay the ransom demand.

No Sign of SamSam Ransomware Attacks Slowing Down

Several cybersecurity firms have reported a slowdown in ransomware attacks as threat actors switch to spreading cryptocurrency mining malware due to the higher potential for profits. However, there has not been any slowdown in SamSam ransomware attacks.

On average, one SamSam ransomware attack is conducted a day and the attacks have a high success rate. With ransom demands of around $50,000 issued for each infection, and an average of $187,500 earned each month, it is unlikely that the attacks will stop any time soon.

SamSam ransomware infections do not occur via spam or phishing emails, instead companies are attacked through the exploitation of vulnerabilities and recently through brute force attacks on remote desktop protocol connections.

Access is gained to the network and the attacker manually moves laterally using standard administration tools rather than NSA exploits. The malicious payload is deployed on as many computers and servers as possible before the encryption routine is started. The attacks tend to take place at night when there is less chance of them being detected and blocked.

This quiet, stealthy method of attack ensures a high rate of success compared to the noisy spam-delivered campaigns. Sophos believes the attacks are the work of a single individual.

How to Block SamSam Ransomware Attacks

Vulnerability scans and penetration testing can help to identify vulnerabilities before they are exploited and prompt patching is essential. Multi-factor authentication should be implemented, intrusion detection systems deployed and correctly configured, access logs should be routinely checked, admin privileges should be limited, and regular backups should be made with at least one copy stored off-site and offline.

Access to RDP needs to be restricted and remote connections should ideally only be made through VPNs, which also need to be kept up to date. If RDP is not required it should be disabled.

If RDP is enabled, rate limiting should be used to lock out users after a set number of failed attempts to block brute force attempts to gain access. Naturally practicing good password hygiene is also important, default passwords should be changed, strong passwords or passphrases used, and passwords should be changed at regular intervals.

It is also wise to change RDP connections from the standard TCP/3389 port and it is similarly advisable not to have RDP connections public-facing to the internet.

Sophos notes that the nature of SamSam ransomware attacks mean that simply backing up files is not enough to ensure a quick recovery. SamSam ransomware not only encrypts files, but also application configuration files. Even if files are restored it is likely that applications will fail to work.

The only way of ensuring a full recovery apart from paying the ransom is to rebuild affected machines. It is therefore important that companies have a plan for such an eventuality if they are to avoid having to pay the ransom.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.