SamSam ransomware made the headlines again: this time it infected over 2,000 computers at the Colorado Department of Transportation (DOT). The DOT has shut down the infected workstations and is working with the security firm McAfee to restore normal operations. Officials confirmed the ransomware demanded a Bitcoin payment.
“The Colorado Department of Transportation has ordered an estimated 2,000 employees to shut down their computers following a ransomware attack Wednesday morning,” CBS Denver wrote.
CDOT spokesperson Amy Ford said employees were instructed to turn off their computers at the start of business on Wednesday, after the ransomware infiltrated the CDOT network. “We’re working on it right now,” Ford added.
The good news is that crucial Colorado DOT systems, such as surveillance cameras and traffic alerts, were not affected by the ransomware. David McCurdy, OIT’s Chief Technology Officer, issued the following statement:
“Early this morning state security tools detected that a ransomware virus had infected systems at the Colorado Department of Transportation. The state moved quickly to quarantine the systems to prevent further spread of the virus. OIT, FBI and other security agencies are working together to determine a root cause analysis. This ransomware virus was a variant and the state worked with its antivirus software provider to implement a fix today. The state has robust backup and security tools and has no intention of paying ransomware. Teams will continue to monitor the situation closely and will be working into the night.”
Colorado DOT officials confirmed that the agency will not pay the ransom and will instead restore its data from backups.
SamSam is not a new threat: attacks were observed as early as 2015, and the list of victims is long, with many of them in the healthcare industry. The attackers gain access to a company’s internal network by brute-forcing RDP connections and then spread the malware from there.
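The RDP brute-forcing described above leaves a recognisable trace in Windows Security logs: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive) from a single source, often cycling through several usernames, sometimes followed by a successful logon (Event ID 4624) from the same source. The script below is an added example, not code from the article or from any organisation it mentions. It parses a constructed, simplified log export (the line format, IP addresses and usernames are all invented for the illustration) and flags sources that exceed a failure threshold inside a sliding time window, marking the case a responder most wants to see first: a burst of failures followed by a successful RDP logon.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log export (not from the article). One event per line:
#   <ISO timestamp> <EventID> <LogonType> <SourceIP> <TargetUser>
# EventID 4625 = failed logon, 4624 = successful logon.
# LogonType 10 = RemoteInteractive, i.e. an RDP session; type 3 = network (SMB etc.).
SAMPLE_LOG = """\
2018-02-21T07:58:01 4625 10 203.0.113.45 administrator
2018-02-21T07:58:02 4625 10 203.0.113.45 administrator
2018-02-21T07:58:02 4625 10 203.0.113.45 admin
2018-02-21T07:58:03 4625 10 203.0.113.45 backup
2018-02-21T07:58:04 4625 10 203.0.113.45 scanner
2018-02-21T07:58:05 4625 10 203.0.113.45 administrator
2018-02-21T07:58:30 4624 10 203.0.113.45 administrator
2018-02-21T08:05:10 4625 10 198.51.100.7 jdoe
2018-02-21T08:15:12 4624 10 198.51.100.7 jdoe
2018-02-21T08:20:00 4625 3 192.0.2.9 svc_share
2018-02-21T08:20:01 4625 3 192.0.2.9 svc_share
2018-02-21T08:20:02 4625 3 192.0.2.9 svc_share
2018-02-21T08:20:03 4625 3 192.0.2.9 svc_share
2018-02-21T08:20:04 4625 3 192.0.2.9 svc_share
"""

# Matches the hypothetical five-field line format above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\d{4}) (?P<ltype>\d+) (?P<src>\S+) (?P<user>\S+)$"
)


def parse(log_text):
    """Turn the export into a list of event dicts, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "event": int(m["event"]),
            "ltype": int(m["ltype"]),
            "src": m["src"],
            "user": m["user"],
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: alert} for sources with >= threshold failed RDP
    logons inside a sliding window. Each alert records the peak failure
    count in any window, the distinct usernames tried, and whether a
    successful RDP logon followed a burst (the "success after burst" case)."""
    recent = defaultdict(deque)   # src -> timestamps of RDP failures in window
    tried = defaultdict(set)      # src -> usernames seen in failed attempts
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["ltype"] != 10:
            continue              # only RDP logons; other logon types are ignored here
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()           # drop failures that fell out of the window
        if ev["event"] == 4625:
            q.append(ev["ts"])
            tried[ev["src"]].add(ev["user"])
            if len(q) >= threshold:
                alert = alerts.setdefault(ev["src"], {
                    "failures": 0, "users": set(), "success_after_burst": False})
                alert["failures"] = max(alert["failures"], len(q))
                alert["users"] = set(tried[ev["src"]])
        elif ev["event"] == 4624:
            if len(q) >= threshold:
                alert = alerts.setdefault(ev["src"], {
                    "failures": len(q), "users": set(tried[ev["src"]]),
                    "success_after_burst": False})
                alert["success_after_burst"] = True
            q.clear()             # a success ends the current failure burst
    return alerts


if __name__ == "__main__":
    for src, alert in detect_rdp_bruteforce(parse(SAMPLE_LOG)).items():
        print(src, alert)
```

On the constructed data only 203.0.113.45 is flagged: six RDP failures across four usernames in a few seconds, then a successful logon. The single failure from 198.51.100.7 and the SMB (type 3) failures from 192.0.2.9 stay below the threshold or outside the RDP filter. In a real deployment the same logic would run over the 4625/4624 events collected by a SIEM, and the threshold and window would be tuned against the environment's normal failure rate.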
Among the victims of SamSam is the MedStar non-profit group, which manages 10 hospitals in the Baltimore and Washington area. The crooks behind the attack on MedStar demanded 45 Bitcoins (about US$18,500) to restore the encrypted files, but the organization refused to pay the ransom because it had a backup of the encrypted data.
In April 2016, the FBI issued a confidential urgent “Flash” alert to businesses and organizations about the SamSam ransomware.
Back to the present: SamSam made the headlines in the first days of 2018, when the malicious code infected the systems of several high-profile targets, including hospitals, an ICS firm, and a city council.