kaptn - Fotolia

SamSam ransomware campaigns continue to target U.S. in 2018

News roundup: SamSam ransomware targeted 67 organizations in 2018, according to research. Plus, Equifax is sending its breach victims to Experian for credit monitoring, and more.

SamSam ransomware has remained active, targeting 67 different organizations in 2018 alone.

According to research from Symantec Corp., the group behind the SamSam ransomware, Ransom.SamSam, has continued its nefarious activities, primarily in the United States. The threat group targets a variety of sectors, but the highest concentration was in healthcare, with 24% of the attacks.

"Why healthcare was a particular focus remains unknown. The attackers may believe that healthcare organizations are easier to infect," wrote Symantec's Security Response Attack Investigation Team in a blog post. "Or they may believe that these organizations are more likely to pay the ransom."

Symantec also said that the group targeted local government organizations in the U.S., at least one of which administers elections.

"With the midterm elections in the U.S. taking place on November 6, the focus is naturally on cyber information operations and threats to voting data integrity," Symantec's team wrote. "However, ransomware campaigns such as SamSam can also be significantly disruptive to government organizations and their operations."

The security company also found that 56 out of 67 of the 2018 SamSam ransomware targets were located in the U.S. The rest were in Portugal, France, Australia, Ireland and Israel.

SamSam ransomware attacks are highly targeted. The threat actor group behind the ransomware hacks into victim systems directly using living off the land techniques. That is, it uses legitimate system administrator and penetration testing tools to infiltrate the network without detection, and does so in real time.

"The SamSam group's modus operandi is to gain access to an organization's network, spend time performing reconnaissance by mapping out the network, before encrypting as many computers as possible and presenting the organization with a single ransom demand," Symantec's researchers wrote.

In July 2018, Sophos researchers reported that the SamSam ransomware campaign -- which has been active since 2016 -- had earned nearly $6 million in ransom money, which was paid in bitcoin. The Sophos researchers found that about one in every four targets pays the ransom.

SamSam ransomware is known to have been used in an attack on the Colorado Department of Transportation earlier this year, costing the department $1.5 million, and is also suspected to be behind the attack on the city of Atlanta in March 2018, which shut down several of the city's departments.

"SamSam continues to pose a grave threat to organizations in the U.S.," Symantec said. "The group is skilled and resourceful, capable of using tactics and tools more commonly seen in espionage attacks."

In other news

  • Last year, after its massive data breach, Equifax offered free credit monitoring services to all affected customers for a year. According to a report from cybersecurity journalist Brian Krebs, Equifax plans to extend that offer through its competitor, Experian. To make this happen, Equifax will share customer data with its competing credit bureau, including the name, address, birthdate, Social Security number, phone number and email address for anyone who signed up for the original free credit monitoring service through TrustedID. Equifax said Experian will only use that information to confirm the identity of all TrustedID customers whether or not they opt out of the offering from Experian. The Equifax data breach of 2017 exposed the personal information of over 145 million consumers. Experian itself is not unmarred, having suffered its own data breach in 2013.
  • Cybersecurity company Carbon Black released a report that found millions of U.S. voter records up for sale on the dark web. The Carbon Black researchers found the voter databases of 20 different states up for sale on the dark web, and noted that several of the states are swing states. The information for sale includes voter IDs, full names, current and previous addresses, genders, phone numbers and citizenship statuses. With this information, potential malicious purchasers of the information could create targeted campaign advertisements and potentially influence how individuals vote. According to the report, the seller has a total of 81,534,624 voter records. The largest caches of records are from New York with 15 million voter records for sale, and from Florida with 12.5 million records for sale.
  • Google added new security features for user accounts this week. The new security feature is part of the user login process since most users still have not enabled two-factor authentication. When a username and password are entered on the sign-in page, Google will run a risk assessment to see if there's anything suspicious about the login attempt. If the risk assessment doesn't find anything amiss, the login will be successful. Part of the fine print is that the risk assessment uses JavaScript, so in order to log in to a Google page the user must have JavaScript enabled in their browser. Google said in a blog post that only about 0.1% of its users have JavaScript disabled anyway, but there have been security issues with JavaScript for years.

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
Cloud Computing