Ransomware "SamSam" attacking hospitals and industrial control systems

As reported by Bleeping Computer, a hospital in Indiana paid a $55,000 (4 BTC) ransom to decrypt its files after a SamSam ransomware attack. The infection took place on January 11. Beyond the financial loss, the attack hit patients directly: scheduled operations had to be postponed.

Steve Long, the hospital's CEO, said that the ransomware encrypted more than 1,400 files and that restoring the data could take from a few days up to a week. He added that the hospital did have backups, but that restoring from them was less viable from a business point of view. For this reason the hospital decided to pay the ransom.

The hospital's operations were crippled for several days.

The hospital's management published a detailed statement about the incident, and notices for patients and visitors were hung on every door and at every computer workstation.

SamSam spread through a poorly secured RDP port: the criminals obtained login credentials with an automated brute-force attack and, once logged on, encrypted files with the following extensions:

.3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .7z, .ab4, .accdb, .accde, .accdr, .accdt, .ach, .acr, .act, .adb, .ads, .agdl, .ai, .ait, .al, .apj, .arw, .asf, .asm, .asmx, .asp, .aspx, .asx, .avi, .awg, .back, .backup, .backupdb, .bak, .bank, .bay, .bdb, .bgt, .bik, .bkf, .bkp, .blend, .bpw, .c, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfp, .cgm, .cib, .cmt, .cpi, .cpp, .cr2, .craw, .crt, .crw, .cs, .csh, .csl, .csv, .dac, .db-journal, .db3, .dbf, .dbx, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .der, .des, .design, .dgc, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .eml, .eps, .erbsql, .erf, .exf, .fdb, .ffd, .fff, .fh, .fhd, .fla, .flac, .flv, .fmb, .fpx, .fxg, .gray, .grey, .gry, .h, .hbk, .hpp, .htm, .html, .ibank, .ibd, .ibz, .idx, .iif, .iiq, .incpas, .indd, .jar, .java, .jpe, .jpeg, .jpg, .jsp, .kbx, .kc2, .kdbx, .kdc, .key, .kpdx, .lua, .m, .m4v, .mdb, .mdc, .mdf, .mef, .mfw, .mmw, .moneywell, .mos, .mov, .mp3, .mp4, .mpg, .mrw, .msg, .myd, .nd, .ndd, .nef, .nk2, .nop, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nwb, .nx2, .nxl, .nyf, .oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .oil, .orf, .ost, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pab, .pages, .pbl, .pcd, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .php, .php5, .phtml, .pl, .plc, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prf, .ps, .psafe3, .psd, .pspimage, .pst, .ptx, .py, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .r3d, .raf, .rar, .rat, .raw, .rdb, .rm, .rtf, .rw2, .rwl, .rwz, .s3db, .sas7bdat, .say, .sd0, .sda, .sdf, .sldm, .sldx, .sql, .sqlite, .sqlite3, .sqlitedb, .sr2, .srf, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .std, .sti, .stw, .stx, .svg, .swf, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .tex, .tga, .thm, .tib, .tif, .tlg, .txt, .vob, .wallet, .war, .wav, .wb2, .wmv, .wpd, .wps, .x11, .x3f, .xis, .xla, .xlam, .xlk, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .ycbcra, .yuv, .zip

The attackers know exactly what they are doing, which is why the ransom note opens with a pre-written apology, "Sorry for files".

A similar attack with the same malware took place in April 2017, when the victim was a hospital in New York. There the criminals demanded $44,000. The hospital refused to pay the ransom, and rebuilding its systems took a month.

In 2018 the victims of what were probably the same criminals included several hospitals in the U.S. and, as reported by an anonymous informant, an unnamed company from the ICS (Industrial Control Systems) sector.

How does the infection happen?

In a variety of ways. It usually starts with infected attachments in spam campaigns or with exploit kits that abuse installed browser extensions and unpatched software. Among the attack vectors seen in 2018 is an incorrectly secured RDP connection: after logging on to one computer, the malware infects that system and spreads to the others. Depending on the number of infected machines, the attackers demand from 0.7 BTC to dozens of BTC for decrypting the files on all of them.
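The RDP vector is the one to watch for on the defender's side: a burst of failed RDP logons from one address followed by a successful one from the same address is exactly the footprint of the brute-force entry described for the Indiana incident and listed above among the 2018 vectors. The detector below is an added example, not code from AVLab or from the incidents in the article. It assumes events exported from the Windows Security log with the fields TimeCreated, EventID, LogonType, TargetUserName and IpAddress (Event ID 4625 is a failed logon, 4624 a successful one, LogonType 10 is a logon over RDP); the event records inside the block are constructed sample data.

```python
"""Flag RDP brute-force logon bursts and a subsequent successful RDP logon
from the same source address.

Added illustration for the article; not code from AVLab or from the
incidents it describes. The log below is constructed sample data shaped
like Windows Security events 4625 (failed logon) and 4624 (successful
logon); LogonType 10 means RemoteInteractive, i.e. a logon over RDP.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
RDP_LOGON_TYPE = "10"  # RemoteInteractive: a logon made over RDP

# Constructed sample events. Fields: TimeCreated, EventID, LogonType,
# TargetUserName, IpAddress. 203.0.113.45 guesses six accounts in ten
# seconds and then gets in; 198.51.100.7 is a user mistyping a password
# twice; 198.51.100.8 fails five times but half an hour apart; 192.0.2.9
# is a network (type 3) logon, not RDP, and is ignored.
SAMPLE_LOG = """\
2018-01-11T02:14:01,4625,10,administrator,203.0.113.45
2018-01-11T02:14:03,4625,10,admin,203.0.113.45
2018-01-11T02:14:05,4625,10,Administrator,203.0.113.45
2018-01-11T02:14:07,4625,10,backup,203.0.113.45
2018-01-11T02:14:09,4625,10,scanner,203.0.113.45
2018-01-11T02:14:11,4625,10,backup_svc,203.0.113.45
2018-01-11T02:15:00,4624,10,backup_svc,203.0.113.45
2018-01-11T08:00:00,4625,10,jdoe,198.51.100.7
2018-01-11T08:00:10,4625,10,jdoe,198.51.100.7
2018-01-11T08:00:20,4624,10,jdoe,198.51.100.7
2018-01-11T09:00:00,4625,10,rsmith,198.51.100.8
2018-01-11T09:30:00,4625,10,rsmith,198.51.100.8
2018-01-11T10:00:00,4625,10,rsmith,198.51.100.8
2018-01-11T10:30:00,4625,10,rsmith,198.51.100.8
2018-01-11T11:00:00,4625,10,rsmith,198.51.100.8
2018-01-11T02:14:02,4625,3,svc_sql,192.0.2.9
2018-01-11T02:14:03,4625,3,svc_sql,192.0.2.9
2018-01-11T02:14:04,4625,3,svc_sql,192.0.2.9
2018-01-11T02:14:05,4625,3,svc_sql,192.0.2.9
2018-01-11T02:14:06,4625,3,svc_sql,192.0.2.9
2018-01-11T02:14:07,4625,3,svc_sql,192.0.2.9
"""


def parse_events(text):
    """Parse the CSV-like records into dicts, sorted oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event_id, logon_type, user, ip = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": event_id,
            "logon_type": logon_type,
            "user": user,
            "ip": ip,
        })
    events.sort(key=lambda e: e["time"])
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return alerts in chronological order.

    kind "bruteforce": `threshold` failed RDP logons from one source IP
        inside `window` (raised once per IP, when the threshold is hit).
    kind "compromise": a successful RDP logon from an IP already flagged,
        i.e. the password guessing most likely worked.
    """
    recent = defaultdict(deque)  # ip -> (time, user) of failures in window
    flagged = set()
    alerts = []
    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue  # network/service logons are out of scope here
        ip = e["ip"]
        if e["event_id"] == FAILED_LOGON:
            q = recent[ip]
            q.append((e["time"], e["user"]))
            while q and e["time"] - q[0][0] > window:
                q.popleft()  # drop failures that fell out of the window
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({
                    "kind": "bruteforce",
                    "ip": ip,
                    "time": e["time"],
                    "attempts": len(q),
                    "users": sorted({u for _, u in q}),
                })
        elif e["event_id"] == SUCCESS_LOGON and ip in flagged:
            alerts.append({
                "kind": "compromise",
                "ip": ip,
                "time": e["time"],
                "user": e["user"],
            })
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(a["time"].isoformat(), a["kind"], a["ip"], a.get("user") or a["users"])
```

On a real host the same five columns can be produced from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625}`; the threshold and window are assumptions to tune per environment. A "compromise" alert is the moment to isolate the host, because from that point on the attacker, not the malware alone, is moving to the other machines.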

Protection against the SamSam ransomware boils down to ...

... the same measures as against every other type of malware, namely:

  • regular backups of critical data, with copies kept in a safe place that is separate from the rest of the network;
  • application whitelisting, so that everything outside the list of allowed applications is treated as untrusted;
  • network segmentation, permissions, security zones, and user identification;
  • training users about cyber threats and social engineering;
  • timely deployment of software and operating-system updates.


We use the Google Cloud Translation and Gengo APIs to translate articles, with the exception of our comparative tests.