The cyber kidnappers behind SamSam ransomware attacks in Atlanta and Colorado earlier this year have hit nearly 70 organizations in the last 10 months, by security provider Symantec’s count.
Of the 67 organizations exploited during 2018, 56 were located in the U.S., the cybersecurity provider said in a blog post. The remainder occurred in Australia, France, Israel and Portugal.
There’s no telling how much the attacks have cost the victims to recover or the gross amount some may have paid to retrieve their data. And, it’s not clear how many organizations have elected to engage or bargain with the cyber extortionists. Some of what’s known is that clean up costs for the attacks on the city of Atlanta last March have run to $17 million, while hits on the Colorado transportation department have amounted to about $1.5 million.
Vertical Market Target: Healthcare Ransomware Attacks
With most of the attacks taking place in the U.S., healthcare outfits and local governments have emerged as particular favorites of the hackers, Symantec wrote. About 24 percent of the cyber crooks’ attacks have been aimed at healthcare facilities in 2018, although why the group has picked on that segment to that degree is unknown. Perhaps the hackers believe that healthcare organizations are more likely to meet their ransom demands, Symantec said.
One of the extortionists’ government targets reportedly is involved in the elections process. “With the midterm elections in the U.S. taking place on November 6, the focus is naturally on cyber information operations and threats to voting data integrity,” Symantec wrote. “However, ransomware campaigns such as SamSam can also be significantly disruptive to government organizations and their operations.”
A favorite tactic of the SamSam group is to conduct a reconnaissance mission after they’ve gained access to an organization’s network and sometime later -- it may be hours or days -- encrypt as many systems as possible ahead of making a ransom demand. Symantec pointed to one attack in particular last February in which the attackers waited two days once inside the victim’s network before encrypting of hundreds of computers.
“By making their activity appear like legitimate processes, they hope to hide in plain sight,” the security provider said.
While backing up data is still the best way to protect users from ransomware infections, backups have been encrypted. And, paying the ransom isn’t a guarantee the crook will return hijacked data. “Attackers may not send a decryption key, could poorly implement the decryption process and damage files, and may deliver a larger ransom demand after receiving the initial payment,” Symantec wrote.