SamSam Ransomware Hits Colorado DOT – Shuts Down 2,000 Computers
The Colorado Department of Transportation (DOT) has shut down over 2,000 computers after systems got infected with the SamSam ransomware on Wednesday, February 21.
The agency’s IT staff is working with its antivirus provider McAfee to remediate affected workstations and safeguard other endpoints before before reintroducing PCs into its network.
DOT officials said that crucial systems were not affected, such as systems managing road surveillance cameras, traffic alerts, message boards, and others.
Colorado DOT will not pay the ransom
SamSam is the same ransomware strain that infected hospitals, city councils, and ICS firms in January. The hackers made over $300,000 from those attacks. One of the victims, an Indiana hospital agreed to pay a $55,000 ransom demand despite having backups. Hospital officials said it was easier and faster to pay the ransom than restore all its computers’ data from backups.
Colorado DOT officials said they don’t intend to follow suit by paying the ransom demand and they will restore from backups.
What is the SamSam ransomware?
The SamSam ransomware is a ransomware strain that’s been deployed by a single group. Infection occurs after attackers gain access to a company’s internal networks by brute-forcing RDP connections.
Attackers then try to gain access to as many computers on the same network as possible, on which they manually run the SamSam ransomware to encrypt files.
In the recent campaigns, SamSam operators usually asked for a 1 Bitcoin ransom and left a message of “I’m sorry” on victims’ computers.
What can you do?
- Best practice to protect a network from a brute force RDP attack is to apply strong RDP security settings, including limiting or disabling access to shared folders and clipboards from remote locations.
- An RDP brute force approach opens the attacker’s information to the targeted network, so you should parse the Windows Event Viewer and find the compromised user account and the IP address of the attacker and block that.
- If you do not have internal IT, be sure you have a strong IT provider that understands how to protect your network. Accent Consulting is currently offering a FREE network audit for a limited time. Contact us by March 15, 2018 for details.
(Only Businesses located within a 50 mile radius of Lafayette and Fort Wayne, IN with 10 or more computers are eligible for this offer.)