SamSam Ransomware Infection And Decryption Services

April 11, 2018

SamSam ransomware (also known as Samas, SamSamCrypt, and MSIL) is a quickly evolving type of malware that targets hospitals, municipalities, and other large organizations. After installing malicious software through compromised servers, the hackers encrypt network files, making them unusable, and demand a ransom.

If SamSam has infected your computer or network, turn off computer(s), disconnect all media, and call at 1-800-237-4200. Our ransomware experts will assess your situation and offer a plan to restore your files and remove SamSam.

What is SamSam Ransomware (And How Does It Work)?

SamSam is a type of crypto-ransomware, which means the malware encrypts files in such a way that only the attacker can decrypt them. If a victim doesn’t pay the ransom or have current backups, recovery from SamSam is extremely difficult. Hospitals and city governments have found that a SamSam attack cripples the organization’s ability to function normally, leading some to pay the ransom.

Notable Targets of SamSam Ransomware Include:

In addition to these high-profile targets, there have been other unspecified victims. A 2016 FBI alert referred to multiple “attacks on healthcare facilities” without mentioning specific names. More recently, an unnamed Industrial Control Systems (ICS) company was hit by the ransomware.

How Does SamSam Ransomware Infect My System?

Unlike the majority of ransomware, SamSam does not spread through spam emails or malicious links. Instead, the distributors target vulnerable servers using brute-forced credentials or by exploiting outdated software. After gaining access, the hackers harvest other credentials and use Remote Desktop Protocol to manually spread SamSam through a network.

The attackers wait a number of days before executing the ransomware payload, making it harder for organizations to discover the initial breach. This dwell time can also allow the hackers to reinfect a system if the organization attempts to recover without paying the ransom, as happened with the Colorado Department of Transportation. After sufficient time has passed, the hackers run batch scripts that launch the ransomware. Once SamSam has encrypted files, it drops a ransom note with the payment demand, which varies by incident.

Can I Disable or Remove SamSam Ransomware Encryption?

Removing SamSam and decrypting affected files is difficult. As such, it is critical to prevent the ransomware from infecting systems with the following best practices:

  • Update all software promptly (businesses should use a centralized patch management system to detect vulnerabilities).
  • Limit the number of failed login attempts allowed before an account is locked out, so credentials cannot be brute-forced.
  • Regularly back up data while maintaining redundant copies — SamSam can spread to network-based backups before it begins encrypting files, which makes recovery from an attack more difficult when only one backup exists.
  • Use the principle of least privilege to mitigate damage done by ransomware.
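The brute-forced RDP credentials described above leave a recognizable trail in Windows Security logs, and the login-attempt limit in the list is the control that cuts it short. The following is an added example, not code from the original article or any vendor product: it scans simplified logon records for a source that racks up failures (Event ID 4625) and then succeeds (4624) over RDP (logon type 10), and reports which accounts a lockout threshold would have stopped. The records, the JSON field names and the threshold of 5 are constructed assumptions.

```python
"""Flag the RDP credential brute-force pattern described above.

Added example (not from the article or any vendor): flags a source that
piles up failed logons (Event ID 4625) and then succeeds (4624), both with
logon type 10 (RemoteInteractive, i.e. RDP). Records are constructed.
"""
import json
from collections import defaultdict

SAMPLE_LOG = """\
{"ts": 100, "id": 4625, "src": "203.0.113.7", "user": "administrator", "ltype": 10}
{"ts": 101, "id": 4625, "src": "203.0.113.7", "user": "administrator", "ltype": 10}
{"ts": 102, "id": 4625, "src": "203.0.113.7", "user": "administrator", "ltype": 10}
{"ts": 103, "id": 4625, "src": "203.0.113.7", "user": "backup", "ltype": 10}
{"ts": 104, "id": 4625, "src": "203.0.113.7", "user": "svc_sql", "ltype": 10}
{"ts": 105, "id": 4624, "src": "203.0.113.7", "user": "svc_sql", "ltype": 10}
{"ts": 106, "id": 4625, "src": "198.51.100.9", "user": "jdoe", "ltype": 10}
{"ts": 107, "id": 4624, "src": "198.51.100.9", "user": "jdoe", "ltype": 10}
{"ts": 108, "id": 4624, "src": "192.0.2.5", "user": "jdoe", "ltype": 3}
"""

FAILURE_THRESHOLD = 5  # assumption: tune to your environment's lockout policy

def parse_log(text):
    """One JSON record per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def brute_force_then_success(events, threshold=FAILURE_THRESHOLD):
    """Return (src, failures, user) for each source that reaches `threshold`
    failed RDP logons and afterwards logs on successfully over RDP."""
    failures = defaultdict(int)
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["ltype"] != 10:  # only RemoteInteractive (RDP) logons
            continue
        if ev["id"] == 4625:
            failures[ev["src"]] += 1
        elif ev["id"] == 4624 and failures[ev["src"]] >= threshold:
            hits.append((ev["src"], failures[ev["src"]], ev["user"]))
            failures[ev["src"]] = 0  # reset so each burst alerts once
    return hits

def accounts_lockout_would_stop(events, max_failures):
    """Accounts whose RDP failure count reaches max_failures, i.e. the ones
    an account-lockout threshold of that size would have locked."""
    counts = defaultdict(int)
    for ev in events:
        if ev["id"] == 4625 and ev["ltype"] == 10:
            counts[ev["user"]] += 1
    return sorted(u for u, n in counts.items() if n >= max_failures)
```

Note that the sample attacker spreads failures across several accounts, so a per-account lockout of 3 only catches `administrator`; the per-source detection still fires on the full burst.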

If your systems have been infected by SamSam, can help. We’ll assess your situation and start you down the road to recovery as soon as you call or start a case with us.

As with all data recovery situations, time is an important factor. If ransomware has infected your computer or network, call 1-800-237-4200 to speak to a malware expert. We’ll go over your options and help determine the best way to recover from a SamSam attack.