SamSam is the persistent gift you never really wanted.

Source: Symantec

The details: According to research from Symantec, the SamSam ransomware group is the malignant gift that keeps on giving.

Ransomware, such as SamSam and WannaCry, achieved global notoriety with a wave of attacks in 2016 and 2017. The attacks have continued well into 2018, hitting the city of Atlanta in March and the Colorado Department of Transportation in April of this year. The attack in Colorado was estimated to cost $1.5 million to clean up.

In 2018, Symantec has “found evidence of attacks against 67 different organizations.” The most targeted sector has been healthcare, with 24% of total attacks this year. Fifty-six of the attacks were located in the U.S., though SamSam has been seen in Portugal, France, Australia, Ireland and Israel.

SamSam operates by infecting as many computers in a target organization as possible and then encrypting devices, files and backups until the target pays to have them unlocked.

Why it matters: SamSam attackers know what they are doing. This is not some fly-by-night operation of opportunity. SamSam and other ransomware attacks expose basic failings in security, allowing SamSam's operators to “live off the land” before striking to maximize their impact.

Unfortunately, there is often no quick fix to defend against ransomware. These attacks take advantage of fundamental security problems and poor disaster recovery programs that take time to fix. While improved endpoint security defenses and other protections can help, they are band-aids to larger problems and do not address the root issue.

The hacker’s perspective:

Randori director of offensive security Evan “Syn” Anderson says,

“The SamSam group’s modus operandi is to gain access to an organization’s network, spend time performing reconnaissance by mapping out the network, before encrypting as many computers as possible.

For example, in one attack that took place in February 2018, more than 48 hours passed between the first evidence of intrusion and the eventual encryption of hundreds of computers in the targeted organization.

This points to the fact that organizations need to detect and mitigate compromises in a timely manner; one of the key requirements for doing so is skilled defenders who have experience defending against recon-type activity happening inside their organization.

Now, stop me if you have heard this one, experience is the best defense.”