On March 22, 2018, computer outages began to spread throughout critical systems operated by the city of Atlanta. The city’s information security team responded swiftly to the incident, which had the tell-tale signs of a ransomware attack. The municipality not only locked employees out of their systems but also took the precaution of shutting down many city services.
Atlanta was the highest-profile victim of SamSam, a ransomware operation that has infected scores of organizations. Since SamSam’s arrival on the scene, it is believed to have infected more than 200 other businesses and groups, including hospitals, local governments, and healthcare firms. Last fall, Symantec estimated that the SamSam hacking group had launched attacks not just in the U.S. but also in France, Portugal, Ireland, Israel and Australia. It has also proven lucrative for the perpetrators – by one estimate netting some $7 million in revenue for the cyber criminals over the last three years.
But if we examine SamSam from a larger perspective, we can view it more generally as another demonstration of the increasing propensity of cyber criminals to shift tactics in order to find vulnerabilities. In many cases, organizations were targeted after the attackers scanned networks for unguarded points of entry. The operators would then reconnoiter a victim’s infrastructure before broadly infecting its systems. Like many other operations, these ransomware attacks use built-in system tools to carry out the initial reconnaissance, which helps the attackers avoid triggering defenses that are focused on detecting malware.