Sam Sam Ransomware

SamSam: Targeted Ransomware Attacks Continue

The group behind the SamSam ransomware (Ransom.SamSam) has continued to mount attacks against entire organizations during 2018, with fresh attacks seen against 67 different targets, mostly located in the U.S.

The SamSam group specializes in ransomware attacks. It breaks into networks and encrypts multiple computers within an organization before issuing a high-value ransom demand. The group is suspected to have orchestrated the March attack on Atlanta, where many municipal computers were encrypted. The clean-up costs for that attack are expected to run to over $10 million.

The group was also linked to the attack on the Colorado Department of Transportation, which resulted in clean-up costs of $1.5 million.

Concentrated attention on the U.S.

Symantec has found evidence that 67 organizations were attacked in 2018. SamSam attacked organizations across many sectors. Healthcare was the most targeted sector, accounting for 24% of all attacks in 2018.

It is not clear why healthcare was chosen as a target. Attackers may think that healthcare organizations are easier targets to infect. They may also believe these organizations are more likely to pay the ransom.

The group also targeted several U.S. local government agencies. At least one of these organizations is involved in election administration. With the midterm elections in the U.S. taking place on November 6th, the main focus is naturally on cyber information operations and threats to voting data integrity. Ransomware campaigns like SamSam can also be disruptive for government agencies and their operations.

SamSam targets are overwhelmingly located in the United States: 56 of the 67 organizations targeted in 2018 were located in the U.S.

Targeted ransomware

SamSam is targeted, unlike most ransomware families that are distributed randomly via exploit kits or spam emails. SamSam’s method of operation is to gain access and map out an organization’s network before encrypting all computers. Finally, the group presents a ransom demand to the organization.

There have been instances where the attackers offered to decrypt all computers in exchange for a set ransom, or to decrypt individual machines at a lower price. In some cases, ransom demands to decrypt all computers within an organization can reach into the thousands. These attacks, if successful, can cause serious disruption to victim organizations and result in the loss of business-critical information.

How SamSam compromises organizations

SamSam’s attackers go to great lengths to infect as many computers in an organization as possible. An attack can be carried out using multiple software tools and it may take several days.

To carry out its attacks, the SamSam group makes extensive use of “living off the land” tactics: the use of operating system features or legitimate network administration tools to compromise victims’ networks.

Espionage groups often use these tactics to keep a low profile on their target’s network. They hope to conceal their activities by making them appear legitimate.

In one instance, for example, more than 48 hours passed between the first evidence of intrusion and the encryption of hundreds of computers within the target organization.

The first indication of an intrusion came when the attackers installed several hacking tools on a computer at the target organization. Ten minutes later, they began to run scripts to scan and identify other computers in the network. The attackers used PsInfo, a Microsoft Sysinternals program that allows users to collect information about computers in the network. This could have allowed them to identify the software that was installed on these computers. PsInfo could have been used to identify files with business-critical information that could be encrypted for ransom. The attackers also used the freely available hacking tool Mimikatz (Hacktool.Mimikatz) against selected computers to steal passwords.

The attackers returned to the computer two days after the initial activity and loaded the SamSam ransomware shortly after 5 a.m. Two different versions of SamSam were loaded, most likely so that there was an alternative if one version was detected.

SamSam began attacking computers across the company's network an hour later. This operation was executed using PsExec, another Microsoft Sysinternals tool, which is used to execute processes on other systems. Five hours later, just under 250 computers had been encrypted.
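An added example (not from the original article or from Symantec): detection logic for the sequence described above, PsInfo reconnaissance followed by PsExec reaching many hosts from one source within a short window. The events, host names, one-hour window and threshold of three targets are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed process-creation events: (time, host, image, command line).
# All host names, times and command lines are invented for illustration.
EVENTS = [
    ("2018-10-01 14:10:00", "WS-014", r"C:\Tools\PsInfo.exe", r"psinfo \\FS-01 -s"),
    ("2018-10-02 09:30:00", "ADM-02", r"C:\Tools\PsExec.exe", r"psexec \\PRN-01 ipconfig"),
    ("2018-10-03 06:10:00", "WS-014", r"C:\Tools\PsExec.exe", r"psexec \\FS-01 -d job.exe"),
    ("2018-10-03 06:12:00", "WS-014", r"C:\Tools\PsExec.exe", r"psexec \\FS-02 -d job.exe"),
    ("2018-10-03 06:15:00", "WS-014", r"C:\Tools\PsExec.exe", r"psexec \\DB-01 -d job.exe"),
    ("2018-10-03 09:00:00", "HELP-07", "PsExec.exe", r"psexec \\WS-101 hostname"),
    ("2018-10-03 11:00:00", "HELP-07", "PsExec.exe", r"psexec \\WS-102 hostname"),
    ("2018-10-03 13:00:00", "HELP-07", "PsExec.exe", r"psexec \\WS-103 hostname"),
]

# Remote target as written on the command line: \\HOSTNAME
TARGET_RE = re.compile(r"\\\\([\w.-]+)")

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def detect_fanout(events, window=timedelta(hours=1), threshold=3):
    """Alert on hosts whose PsExec runs reach >= threshold distinct remote
    targets inside `window`; record whether PsInfo ran there earlier."""
    recon_seen = set()             # hosts that have run PsInfo so far
    recent = defaultdict(deque)    # host -> (time, target) pairs inside the window
    alerts = {}
    for ts, host, image, cmd in sorted(events, key=lambda e: parse(e[0])):
        when = parse(ts)
        tool = image.lower().rsplit("\\", 1)[-1]   # file name without its path
        match = TARGET_RE.search(cmd)
        if tool == "psinfo.exe":
            recon_seen.add(host)
        elif tool == "psexec.exe" and match:
            q = recent[host]
            q.append((when, match.group(1).upper()))
            while when - q[0][0] > window:         # drop runs older than the window
                q.popleft()
            targets = sorted({t for _, t in q})
            if len(targets) >= threshold and host not in alerts:
                alerts[host] = {"time": when, "targets": targets,
                                "prior_recon": host in recon_seen}
    return alerts

if __name__ == "__main__":
    for host, alert in detect_fanout(EVENTS).items():
        print(host, alert)
```

Matching on the image file name is an assumption that the tools were not renamed; in production telemetry, a field such as Sysmon's OriginalFileName is a sturdier key.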

Persisting and powerful threat

SamSam remains a serious threat to U.S. organizations. The group is skilled and resourceful and can use tactics and tools that are more common in espionage attacks.

A successful SamSam attack will severely disrupt any affected organization. If there are no backups, or if the backups are also encrypted by SamSam, valuable data may be lost forever. Even if an organization has backups, it will take time to restore affected computers and clean up the network. This can cause reputational damage.


To protect customers from SamSam attacks, the following protections have been put in place:

Symantec’s Targeted Attack Analytics (TAA) can also identify and flag “living off the land” activity related to targeted attacks like SamSam. Learn more about TAA in our white paper, Targeted Attack Analytics – Using Cloud-based Artificial Intelligence for Enterprise-Focused Advanced Threat Protection.

Best practices

Backing up sensitive data is one of the most important pillars in fighting ransomware infections. However, cases of ransomware encrypting backups have been reported, so backups should not replace a solid security strategy.

Paying the ransom does not always work for victims. An attacker may not send a decryption key, may damage files during decryption, and could also make a bigger ransom demand after the initial payment.