The SamSam ransomware group seems to have gotten to a "great" start in 2018, hitting several high-profile targets such as hospitals, a city council, and an ICS firm.

Reported attacks include the ones against Hancock Health Hospital in Greenfield, Indiana; Adams Memorial Hospital in Decatur, Indiana; the municipality of Farmington, New Mexico; cloud-based EHR (electronic health records) provider Allscripts; and an unnamed ICS (Industrial Control Systems) company in the US, based on intel Bleeping Computer has received.

Hancock Health officials have admitted to paying the ransom, despite having backups, while the others have not commented on how they remediated the incidents.

Evidence points to active SamSam ransomware campaign

In the three public incidents, victims said the ransomware locked files and displayed a message with the word "sorry." The Farmington municipality has released a screenshot of this ransom note.

Bleeping Computer has tracked down this ransom note to recent SamSam infections. According to data provided by the ID-Ransomware service, there have been 17 submissions of SamSam-related files to the service in January alone.

The SamSam ransomware, also known as Samas, is not your stock ransomware that looks the same with every infection. SamSam is a custom strain that crooks use in targeted attacks.

The SamSam crew usually scans the Internet for computers with open RDP connections, breaks into networks by brute-forcing these RDP endpoints, and then spreads to more computers.

Ransom notes and extensions usually vary from victim to victim. Despite this, based on the screenshot shared by the Farmington city council, we can say that this particular SamSam version that uses the "0000-SORRY-FOR-FILES.html" ransom note has infected at least eight entities since December 26. Most of the victims are from the US, but a few are from Canada and India. Some victims reported files encrypted with the .weapologize extension.

SamSam ransomware ransom note
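For responders who want to check file shares for the two indicators named above (the "0000-SORRY-FOR-FILES.html" ransom note and the .weapologize extension), the following is an added example, not code from Bleeping Computer or ID-Ransomware. The function names and the output layout are assumptions made for illustration; only the two indicator strings come from the article.

```python
import os
import sys
from collections import defaultdict

# Indicators as reported in the article for this SamSam version.
RANSOM_NOTE = "0000-sorry-for-files.html"   # compared case-insensitively
ENCRYPTED_EXT = ".weapologize"


def sweep(root):
    """Walk root; return {directory: {"notes": int, "encrypted": [names], "error": str or None}}."""
    hits = defaultdict(lambda: {"notes": 0, "encrypted": [], "error": None})

    def on_error(err):
        # Record unreadable directories so gaps in coverage stay visible.
        hits[err.filename]["error"] = err.strerror

    # os.walk does not follow symlinks by default, which avoids loops on shares.
    for dirpath, _dirs, files in os.walk(root, onerror=on_error):
        for name in files:
            lowered = name.lower()
            if lowered == RANSOM_NOTE:
                hits[dirpath]["notes"] += 1
            elif lowered.endswith(ENCRYPTED_EXT):
                hits[dirpath]["encrypted"].append(name)
    return dict(hits)


def summarize(hits):
    """Totals for triage: affected directories, encrypted files, unreadable directories."""
    return {
        "affected_dirs": sum(1 for h in hits.values() if h["notes"] or h["encrypted"]),
        "encrypted_files": sum(len(h["encrypted"]) for h in hits.values()),
        "unreadable_dirs": sum(1 for h in hits.values() if h["error"]),
    }


if __name__ == "__main__":
    # Usage (hypothetical path): python sweep.py /mnt/fileshare
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    found = sweep(root)
    for directory, hit in sorted(found.items()):
        print(directory, hit)
    print(summarize(found))
```

Because ransom notes and extensions vary from victim to victim, an empty result only rules out this particular version.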

Attackers made nearly $300,000

The Bitcoin wallet address used in this ransom note received its first transaction on December 25, and in the meantime, has received more money in what appear to be subsequent ransom payments.

The account currently holds 26 Bitcoin, valued at nearly $300,000. Most likely, the gang has claimed more victims and made more money.

The current story should stand as a warning for companies running computers open to remote RDP connections. These computers should be secured with a strong and unique password in order to avoid crooks like the SamSam crew breaking into their systems.

Article updated to add Allscripts to the list of recent SamSam targets.