
Colorado DOT Suffers SamSam Ransomware Attack, Shuts Down 2K Computers

Colorado Department of Transportation (CDOT) employee computers were temporarily shut down after a SamSam ransomware attack.

SamSam hackers hijacked CDOT computer files and demanded payment in bitcoin for their safe return Wednesday, according to The Denver Post. CDOT deactivated more than 2,000 employee computers following the cyberattack, and security officials launched an investigation into the incident.

CDOT employee computers running Windows and equipped with McAfee security software were impacted by the ransomware attack, the Denver Post reported. Meanwhile, CDOT employees remained offline Thursday, CDOT spokesperson Amy Ford said.

The Colorado Governor's Office of Information Technology (OIT) is investigating the cyberattack, the Denver Post indicated. It also has reached out to the FBI for assistance and has no plans to pay the ransom, OIT spokesperson Brandi Simmons stated.

What Is SamSam?

With SamSam, cybercriminals typically identify potential victims by scanning the internet for computers with exposed Windows Remote Desktop Protocol (RDP) connections, according to endpoint security solutions provider Barkly. SamSam attackers often gain access to those RDP servers via weak or stolen credentials.
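The exposure-plus-weak-credentials pattern described above leaves a recognizable trail in Windows Security logs: a burst of failed logons (event 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source, sometimes followed by a successful logon (event 4624) from the same source. The following is an added example, not code from the article or from Barkly, that runs a simple sliding-window check over such events. The event dictionaries, field names, IP addresses, account names and thresholds are all constructed for illustration; in practice the events would come from a SIEM or from the exported Security log.

```python
"""Flag RDP credential-guessing bursts, and a success that follows one, in
pre-parsed Windows Security events (added example; field names and sample
data are assumptions, not taken from the article)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security event IDs: 4625 = failed logon, 4624 = successful logon.
# Logon type 10 = RemoteInteractive, the type recorded for RDP sessions.
FAILED_LOGON, SUCCESS_LOGON = 4625, 4624
RDP_LOGON_TYPE = 10


def ev(clock, event_id, logon_type, user, src_ip, day="2018-02-21"):
    """Build one constructed event record (hypothetical field layout)."""
    return {"time": f"{day}T{clock}", "event_id": event_id,
            "logon_type": logon_type, "user": user, "src_ip": src_ip}


# Constructed sample log: one external source sprays several accounts and
# then logs in as the account it guessed; two other sources look benign.
SAMPLE_EVENTS = [
    ev("03:00:01", 4625, 10, "admin", "203.0.113.7"),
    ev("03:00:44", 4625, 10, "administrator", "203.0.113.7"),
    ev("03:01:30", 4625, 10, "backup", "203.0.113.7"),
    ev("03:02:15", 4625, 10, "cdot-svc", "203.0.113.7"),
    ev("03:03:02", 4625, 10, "jsmith", "203.0.113.7"),
    ev("03:03:50", 4625, 10, "admin", "203.0.113.7"),
    ev("03:05:30", 4624, 10, "jsmith", "203.0.113.7"),      # success after burst
    ev("08:15:00", 4625, 10, "aford", "198.51.100.22"),     # one typo, then ok
    ev("08:15:20", 4624, 10, "aford", "198.51.100.22"),
    ev("09:00:00", 4625, 10, "root", "192.0.2.9"),          # slow, below threshold
    ev("10:10:00", 4625, 10, "root", "192.0.2.9"),
    ev("11:20:00", 4625, 10, "root", "192.0.2.9"),
    ev("11:25:00", 4625, 2, "jsmith", "127.0.0.1"),         # console logon, not RDP
]


def parse_time(stamp):
    return datetime.fromisoformat(stamp)


def detect_rdp_bruteforce(events, window_minutes=10, max_failures=5):
    """Return {src_ip: alert} for every source whose RDP logon failures
    reach max_failures inside any window_minutes-long window.  The alert
    records how many failures the source produced, which accounts it tried,
    and the first account it successfully logged in as after the burst."""
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for e in events:
        if e["logon_type"] == RDP_LOGON_TYPE:
            by_src[e["src_ip"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: parse_time(e["time"]))
        failures = [e for e in evs if e["event_id"] == FAILED_LOGON]

        # Sliding window over the sorted failure timestamps.
        burst = False
        start = 0
        for end in range(len(failures)):
            while (parse_time(failures[end]["time"])
                   - parse_time(failures[start]["time"])) > window:
                start += 1
            if end - start + 1 >= max_failures:
                burst = True
                break
        if not burst:
            continue

        last_failure = parse_time(failures[-1]["time"])
        successes = [e for e in evs if e["event_id"] == SUCCESS_LOGON
                     and parse_time(e["time"]) >= last_failure]
        alerts[src] = {
            "failures": len(failures),
            "accounts": sorted({e["user"] for e in failures}),
            "success_user": successes[0]["user"] if successes else None,
        }
    return alerts


if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{src}: {info['failures']} RDP failures against "
              f"{', '.join(info['accounts'])}; "
              f"success as {info['success_user'] or 'none'}")
```

On the constructed sample only 203.0.113.7 is reported: the internal user who mistyped once and the slow, spread-out attempts from 192.0.2.9 stay below the threshold, and the console failure is ignored because it is not an RDP logon type. A success recorded after a burst is the case worth paging on, since it is the point at which guessed credentials turn into an interactive session.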

To date, cybercriminals have used SamSam ransomware cyberattacks to collect at least $325,000 in ransom, Barkly indicated. SamSam also has been linked to a series of high-profile malware infections.

In addition to the CDOT SamSam cyberattack, Indiana-based health system Hancock Health last month paid SamSam hackers a bitcoin ransom of about $55,000 to unlock its network, Healthcare Informatics reported. To launch this attack, SamSam hackers compromised a third-party vendor's administrative account for the hospital's remote-access portal.

The SamSam infection targeted over 1,400 Hancock Health files and changed the name of each to "I'm sorry," Healthcare IT News stated. Hancock Health officials were given seven days to pay the ransom, and the hackers released the compromised files after they received payment.

Tips to Stop SamSam Cyberattacks

Securing RDP is paramount to stop SamSam ransomware cyberattacks, according to Barkly. Some of the best ways for MSSPs to help organizations prevent RDP infections include:

  • Encourage end users to set up strong passwords. Passwords that include a combination of letters, numbers and special characters are ideal.
  • Keep software up to date. Run the latest version of RDP; automatic updates can be set up to ensure RDP is updated regularly.
  • Leverage Network Level Authentication. Configure RDP servers to require Network Level Authentication (NLA), so a client must authenticate before a remote session is established.

Providing endpoint protection services can also help MSSPs safeguard organizations against SamSam and other cyber threats. With these services, MSSPs can defend an organization's endpoints and stop cyberattacks before they penetrate an organization's networks and systems.

Dan Kobialka

Dan Kobialka is senior contributing editor, MSSP Alert and ChannelE2E. He covers IT security, IT service provider business strategies and partner programs. Dan holds a M.A. in Print and Multimedia Journalism from Emerson College and a B.A. in English from Bridgewater State University. In his free time, Dan enjoys jogging, traveling, playing sports, touring breweries and watching football.