SAMSAM Ransomware Hits Colorado’s Department of Transportation

On the morning of February 21, the Colorado Department of Transportation (CDOT) was hit by a variant of the SAMSAM ransomware that encrypted files, locked 2,000 of the agency’s computers, and demanded a ransom to be paid in bitcoin. Fortunately, the ransomware only affected employee machines (which were taken offline); its critical services, which includes cameras, message boards, and CoTrip traffic alert and travel information notification systems, continued to operate as they were on separate systems.

Brandi Simmons, spokeswoman for CDOT’s Office of Information Technology, said that they already called in the Federal Bureau of Investigation for assistance and immediately launched a probe into the cyberattack. “No payments have been made or will be made. We are still investigating to see whether or not files were damaged or recovered,” Simmons told The Denver Post.

[From TrendLabs Security Intelligence Blog: The Rise of SAMSAM Ransomware]

David McCurdy, chief technology officer of Colorado’s Governor’s Office of Information Technology, said in a statement, “This ransomware virus was a variant and the state worked with its antivirus software provider to implement a fix today. The state has robust backup and security tools and has no intention of paying ransomware. Teams will continue to monitor the situation closely and will be working into the night.”

SAMSAM previously made headlines this January when it struck Indiana-based Hancock Health, forcing its management to pay four bitcoins (worth US$55,000 at the time) to decrypt and unlock the affected computers, and maintain operations.

[READ: Best Practices Against Ransomware]

SAMSAM or SAMAS (detected by Trend Micro as RANSOM_SAMAS) earned notoriety back in April 2016 when it struck healthcare and education sectors in the U.S.  In May 2017, SAMSAM took the computers of New York’s Erie County Medical Center hostage and demanded a $44,000 ransom that the hospital refused to pay. In late August last year, SAMSAM resurfaced with a feature that allowed its operators to check the scope of infection. The ransom can range from 1.7 bitcoins for a single infected machine to 12 bitcoins if more systems are infected.

These SAMSAM variants used an open-source penetration testing tool that exploits vulnerabilities in WildFly (formerly JBoss) application servers to sneak in to the network. The ransomware would then laterally move and propagate into systems connected to it. SAMSAM propagation isn’t unique: Other families such as Petya, Crysis, HDDCryptor, and Erebus Linux ransomware are also known to target servers.

[READ: 2017’s most notable ransomware families]

As demonstrated by WannaCry and Petya, ransomware can reel a business’ bottom line, operations, and reputation. The San Francisco Municipal Transportation Agency, for instance, whose systems were scrambled by HDDCryptor, had to open the train turnstiles and offer passengers free rides to avoid disruption. In 2016, ransomware cost victims $1 billion in losses.

And while ransomware may already be plateauing in the threat landscape, it’s still expected to stay. Here are some best practices for defending against server-side ransomware like SAMSAM:

  • Regularly back up files and ensure their integrity and availability.
  • Keep the operating system, servers, networks, and endpoints patched to deter attacks that exploit security gaps; consider virtual patching for end-of-life/legacy systems.
  • Disable or restrict and secure the use of system administration tools that may be abused.
  • Set up security mechanisms at all levels of the organization’s online infrastructure: data categorization, network segmentation, application control/whitelisting, and behavior monitoring help mitigate further exposure and thwart suspicious files and anomalous activities within the system from being carried out.
  • Enable the firewall, sandbox, as well as intrusion detection and prevention systems.
  • Develop stronger detection and incident response strategies that will proactively protect the organization’s infrastructure from threats that constantly evolve, like SAMSAM.

Trend Micro Solutions

Enterprises can benefit from a multilayered approach to best mitigate the risks brought by ransomware such as SAMSAM. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities like high-fidelity machine learning, behavior monitoring and application control, and vulnerability shielding that minimize the impact of this threat. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro™ Deep Security™ stops ransomware from reaching enterprise servers — whether physical, virtual or in the cloud. 

Trend Micro™ Deep Security™, Vulnerability Protection, and TippingPoint provide virtual patching that protects endpoints from threats that exploit unpatched vulnerabilities to deliver ransomware.

Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevent ransomware from ever reaching end users. Trend Micro’s Cloud App Security (CAS) can help enhance the security of Office 365 apps and other cloud services by using cutting-edge sandbox malware analysis for ransomware and other advanced threats.

These solutions are powered by Trend Micro XGen™ security, which provides a cross-generational blend of threat defense techniques against a full range of threats for data centerscloud environmentsnetworks, and endpoints. Smart, optimized, and connected, XGen™ powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.