Ransomware Campaign Impacts Hospitals, a Municipality, and an ICS Company

The NJCCIC is aware of a ransomware campaign that has already impacted two hospitals, one municipality, and an ICS company within the US. According to multiple open-source reports, the perpetrator(s) behind this campaign are targeting victims with a new version of MSIL/Samas.A/Samsam ransomware (hereafter referred to as SamSam). This version appends the extension .weapologize to the names of encrypted files and drops a ransom note named 0000-SORRY-FOR-FILES.html on infected systems. When SamSam first emerged, its operators gained access by targeting vulnerable servers running outdated versions of JBoss with JexBoss, an open-source JBoss testing/exploitation tool. However, one Bleeping Computer article suggests that the perpetrator(s) behind this campaign may now be deploying SamSam on systems compromised via Remote Desktop Protocol (RDP). The same article reports that the online ransomware identification service ID Ransomware has received at least 17 submissions of SamSam-related files so far in January 2018, suggesting this campaign is currently and actively targeting victims.
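As an added example (not part of the NJCCIC advisory or of the Bleeping Computer reporting it cites), the following Python script hunts a file tree for the two file-system indicators named above: the .weapologize extension on encrypted files and the 0000-SORRY-FOR-FILES.html ransom note. It runs against a constructed sample directory so it can be tried offline; the directory layout and file contents are made up for the demonstration. It also records the earliest modification time among encrypted files, which gives a rough lower bound on when encryption began on that share.

```python
"""Hunt a file tree for SamSam (.weapologize variant) file-system indicators.

Added example, not code from the NJCCIC advisory. The only facts taken from
the advisory are the two indicator names below; the sample directory built by
build_sample_tree() is constructed for the demonstration.
"""
import os
import shutil
import tempfile
from collections import Counter

# Indicators named in the advisory.
ENCRYPTED_SUFFIX = ".weapologize"
RANSOM_NOTE = "0000-SORRY-FOR-FILES.html"


def classify(filename):
    """Classify one file name as 'note', 'encrypted', or None.

    The comparison is case-insensitive because Windows file systems are, so a
    note or extension written in a different case must still match.
    """
    lowered = filename.lower()
    if lowered == RANSOM_NOTE.lower():
        return "note"
    if lowered.endswith(ENCRYPTED_SUFFIX):
        return "encrypted"
    return None


def scan_tree(root):
    """Walk root and collect SamSam indicators.

    Returns the encrypted file paths, the ransom note paths, a per-directory
    count of encrypted files, and the earliest modification time seen among
    encrypted files (None if nothing matched).
    """
    encrypted, notes, by_dir = [], [], Counter()
    earliest = None
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            kind = classify(name)
            if kind is None:
                continue
            path = os.path.join(dirpath, name)
            if kind == "note":
                notes.append(path)
                continue
            encrypted.append(path)
            by_dir[os.path.relpath(dirpath, root)] += 1
            mtime = os.path.getmtime(path)
            if earliest is None or mtime < earliest:
                earliest = mtime
    return {
        "encrypted": encrypted,
        "notes": notes,
        "by_dir": dict(by_dir),
        "earliest_mtime": earliest,
    }


def build_sample_tree():
    """Create a constructed directory layout (not real victim data) that
    mimics a partially encrypted file share, and return its root path."""
    root = tempfile.mkdtemp(prefix="samsam_demo_")
    layout = {
        "finance/q4_report.xlsx.weapologize": b"\x00" * 32,
        "finance/budget.docx.WEAPOLOGIZE": b"\x00" * 32,  # different case
        "finance/0000-SORRY-FOR-FILES.html": b"<html>constructed note</html>",
        "hr/policies.pdf.weapologize": b"\x00" * 32,
        "hr/0000-SORRY-FOR-FILES.html": b"<html>constructed note</html>",
        "it/readme.txt": b"untouched file",
        "it/weapologize.txt": b"contains the string but is not an indicator",
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


def demo():
    """Build the sample tree, scan it, remove it, and return the findings."""
    root = build_sample_tree()
    try:
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    result = demo()
    print(f"encrypted files: {len(result['encrypted'])}")
    print(f"ransom notes:    {len(result['notes'])}")
    for directory, count in sorted(result["by_dir"].items()):
        print(f"  {directory}: {count} encrypted")
```

To use this on a real system, point scan_tree() at a mapped share or a mounted disk image and run it with an account that can read every directory. Matching on file names alone is a triage signal, not proof of absence: a later variant that changes the extension or the note name will not be caught, and a single hit still needs confirmation from the host itself.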

Known victims of this campaign include Hancock Health Hospital in Greenfield, Indiana, Adams Memorial Hospital in Decatur, Indiana, and the city of Farmington in New Mexico.

[Figure: Example of SamSam ransom note. Image source: Bleeping Computer]

Threat

Ransomware is a type of malicious software (malware) that attempts to extort money from victims by restricting access to a computer system or files. The most prevalent form of this profit-motivated malware is crypto-ransomware, which encrypts the victim's files so that they can only be recovered with a decryption key held by the malicious actor. Common ransomware distribution methods include malware-laden attachments or malicious URLs delivered via phishing campaigns, malicious advertising (malvertising) campaigns, and Remote Desktop Protocol (RDP) compromise.

To learn more about this threat, please visit the NJCCIC Ransomware Threat Profile. To help protect your data, systems, and network from ransomware, please download our PDF titled Ransomware: Risk Mitigation Strategies. The NJCCIC would like to remind members that the best way to ensure the integrity and availability of data before, during, and after a ransomware attack is by implementing a comprehensive data backup and recovery plan that includes regularly testing backups, storing them off the network, and keeping them in a secure location. Additionally, keep all systems and software updated to the latest vendor-supported patch levels to reduce the risk of exploitation of known vulnerabilities.

We also recommend members review the NJCCIC Threat Analysis titled Remote Access: Open Ports Create Targets of Opportunity, Undue Risk and take proactive steps to reduce their exposure to network compromise as a result of insecure remote access configurations.

Reporting

The NJCCIC is not currently aware of any organization within the State of New Jersey that has been impacted by this version of SamSam ransomware. However, we recommend all members maintain and spread awareness of this threat as this campaign could quickly expand to targets in other states and other ransomware campaigns are likely to emerge. If you are targeted by this or another ransomware campaign, please report the incident to your local police department and the FBI, either directly to their local field office or through their website at www.ic3.gov. You may also report it to the NJCCIC via the Cyber Incident Report form on our website.