
SamSam Ransomware Infects CDOT

March 19, 2018


SamSam ransomware has infected thousands of computers at the Colorado Department of Transportation. Over 2,000 employee computers were shut down to stop the spread of the malware after it was discovered on Feb. 21, and systems are still not back online.

Office of Information Technology chief technology officer David McCurdy released a statement shortly after the attack that said, “This ransomware virus was a variant and the state worked with its antivirus software provider to implement a fix today. The state has robust backup and security tools and has no intention of paying ransomware. Teams will continue to monitor the situation closely and will be working into the night.”

SamSam is a strain of ransomware that targeted hospitals and others throughout January.


An Indiana hospital, Hancock Health, paid a $55,000 ransom to restore files and functionality after SamSam infected its servers. Even though the hospital claimed to have complete backups of encrypted files, administrators chose to pay the ransom to avoid costly delays in restoring their systems.

Security researchers say that the group behind SamSam uses a brute-force attack on Remote Desktop Protocol (RDP) connections to gain access to internal networks. Then, hackers manually install the ransomware, which begins encrypting files. To protect against SamSam, researchers warn that any computers open to remote RDP connections should have strong and unique passwords.
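The detection side of the RDP guidance above, as an added example that is not part of the article or of any vendor tooling: a small Python rule that scans Windows Security logon events for the pattern the researchers describe, a burst of failed RDP logons from one source, and escalates if a successful RDP logon from that same source follows. It assumes the events have already been exported as dictionaries with the fields `time`, `event_id` (4625 failed logon, 4624 successful logon), `logon_type` (10 = RemoteInteractive, i.e. RDP), `user` and `src_ip`; those field names and the sample records below are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (field subset of Windows Security events).
# event_id 4625 = failed logon, 4624 = successful logon; logon_type 10 = RDP.
SAMPLE_EVENTS = [
    # Burst of failures across several account names from one address,
    # followed by a success: the pattern worth paging someone for.
    {"time": "2018-02-20T01:00:00", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "198.51.100.7"},
    {"time": "2018-02-20T01:00:05", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "198.51.100.7"},
    {"time": "2018-02-20T01:00:09", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "198.51.100.7"},
    {"time": "2018-02-20T01:00:14", "event_id": 4625, "logon_type": 10, "user": "backup", "src_ip": "198.51.100.7"},
    {"time": "2018-02-20T01:00:20", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "198.51.100.7"},
    {"time": "2018-02-20T01:00:31", "event_id": 4624, "logon_type": 10, "user": "admin", "src_ip": "198.51.100.7"},
    # A user who mistyped a password once and then logged in: no alert.
    {"time": "2018-02-20T08:15:00", "event_id": 4625, "logon_type": 10, "user": "jdoe", "src_ip": "10.0.0.25"},
    {"time": "2018-02-20T08:15:12", "event_id": 4624, "logon_type": 10, "user": "jdoe", "src_ip": "10.0.0.25"},
    # Five failures spread over hours: below the rate threshold, no alert.
    {"time": "2018-02-20T09:00:00", "event_id": 4625, "logon_type": 10, "user": "svc", "src_ip": "10.0.0.40"},
    {"time": "2018-02-20T10:00:00", "event_id": 4625, "logon_type": 10, "user": "svc", "src_ip": "10.0.0.40"},
    {"time": "2018-02-20T11:00:00", "event_id": 4625, "logon_type": 10, "user": "svc", "src_ip": "10.0.0.40"},
    {"time": "2018-02-20T12:00:00", "event_id": 4625, "logon_type": 10, "user": "svc", "src_ip": "10.0.0.40"},
    {"time": "2018-02-20T13:00:00", "event_id": 4625, "logon_type": 10, "user": "svc", "src_ip": "10.0.0.40"},
    # Network logon failure (logon_type 3): not RDP, ignored by this rule.
    {"time": "2018-02-20T01:00:00", "event_id": 4625, "logon_type": 3, "user": "admin", "src_ip": "203.0.113.9"},
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Flag source IPs that produce at least `threshold` failed RDP logons
    inside a sliding time `window`.

    Returns {src_ip: {"failures": int, "users": set, "success_after": bool}}.
    `users` shows whether one account was hammered or many were sprayed;
    `success_after` is set when a successful RDP logon from a flagged
    source follows the burst, the point at which manual follow-on activity
    such as the ransomware install described above would begin.
    """
    # Keep only RDP (RemoteInteractive) logons, oldest first.
    rdp = sorted((e for e in events if e.get("logon_type") == 10),
                 key=lambda e: e["time"])
    recent = defaultdict(deque)  # src_ip -> deque of (time, user) failures in window
    alerts = {}
    for e in rdp:
        ip, t = e["src_ip"], datetime.fromisoformat(e["time"])
        if e["event_id"] == 4625:
            q = recent[ip]
            q.append((t, e["user"]))
            # Drop failures that have aged out of the window.
            while t - q[0][0] > window:
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(
                    ip, {"failures": 0, "users": set(), "success_after": False})
                a["failures"] = max(a["failures"], len(q))
                a["users"].update(u for _, u in q)
        elif e["event_id"] == 4624 and ip in alerts:
            alerts[ip]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for ip, a in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        severity = "CRITICAL" if a["success_after"] else "WARNING"
        print(f"{severity}: {ip} had {a['failures']} failed RDP logons "
              f"against {sorted(a['users'])}; success afterwards: {a['success_after']}")
```

The threshold and window are deliberately conservative defaults; a host that is reachable from the Internet on RDP will see far noisier scanning than this, and the more useful signal in that setting is the `success_after` escalation, or, better, not exposing RDP to untrusted networks at all so that the rule only fires on internal sources.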

SamSam was also the culprit behind attacks on Allscripts, Adams Memorial Hospital, Erie County Medical Center, and the city of Farmington, New Mexico. Security experts believe that these attacks were carried out by a single group of hackers.

CDOT continues with daily work the old-fashioned way.

“Our critical systems, our road operations, traffic operation systems are still online. We still have people on the road plowing and doing construction,” CDOT spokesperson Amy Ford told the Denver Post. “The things we have changed a little bit is we’ve had some business bids in the process of being done and we’ve extended times and dates. And we’re working with our contractors.”

The incident demonstrates how hard recovering from a ransomware attack can be. Even though CDOT had backups of its data, it is beginning its second week offline. Mecklenburg County, North Carolina, faced a similar slog after ransomware called LockCrypt infected county government servers; officials spent well over a month scrambling to restore services after that incident.

Ford summarized the frustrating but manageable limbo that CDOT is currently in.

“No one is back online. What we’re doing is working offline. All our critical services are still online — cameras, variable message boards, CoTrip, alerts on traffic. They are running on separate systems,” Ford said. “The message I’m sharing is CDOT operated for a long time without computers, so we’ll use pen and paper.”