After failing to score $18k by shutting down hospitals and endangering lives, the makers of the Samsam ransomware have decided brute force is best.
Going back to basics, they have begun scanning for open ports on internet-facing servers and brute-forcing the passwords behind them. Once they are in, they drop their infamous Samsam ransomware on the system, encrypt what they find, and wait for payment.
And when they hit the Bingham County government servers in Idaho with their brute force attack, it may as well have been “Bingo” County.
Keeping in line with their “threatening lives” policy, the makers of Samsam struck the county’s 911 emergency systems, shutting down the infrastructure needed to send ambulances, police and firefighters to people literally in mortal peril.
How The Bingham Server Crack Went Down
On February 15, 2017, employees of Bingham County, Idaho, started work… only to find they were locked out of some systems. Specifically, the servers handling emergency 911 calls, the county dispatch center, and the county website.
They called their own IT emergency responders at 4am. It did not take long to work out that ransomware had encrypted the systems, locking everyone out. The ransom note was a dead giveaway.
Every folder contained a link that led to the note. Its contents were an announcement: all files had been encrypted with RSA-2048. (That is the note's wording. Ransomware of this kind typically encrypts file contents with a fast symmetric cipher and uses the RSA-2048 key only to wrap the per-file keys, which is why the private key is the only way back in.)
The only way to recover the files was with that private decryption key, and the key was not cheap: 28 Bitcoins, or roughly $28,000 at the time.
At first, staff had to use their cellphones and paper maps to direct officers to emergencies. 911 calls still came through, but the dispatch computers were not logging them.
The situation then worsened when at least one backup server was found to be infected with the ransomware as well, and the whole county was forced to go offline.
“Every department in the county is affected in some way,” the Bingham County Commissioner Whitney Manwaring said at the time of the incident. “Phone systems, computer systems, everything. Some departments are handwriting documents.”
“We had all kinds of firewalls in place to prevent these kinds of things from happening.”
The hackers originally got into a single computer by cracking its password, according to one of the county's IT contractors, Adam Michaelson.
“They were scanning a range of IP addresses, poking at each one looking for an open port,” Mr Michaelson said. “Once they found an open port, they used a program to brute force login passwords.”
Once in, the hackers penetrated an individual server dedicated to the county assessor, clerk and treasurer offices, and went to work deploying the ransomware.
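Detection logic for the pattern Mr Michaelson describes, as an added example that is not part of the original article or the county's tooling: it reads authentication log lines, keeps a sliding window of failed logins per source address, raises an alert when a source crosses a threshold, and raises a second, louder one when that same source then logs in successfully. The log format, field names, thresholds and sample lines are constructed for the example; adapt the regex to your own auth logs (Windows Security events 4625/4624, sshd, an RDP gateway).

```python
"""Spot a password brute-force attempt in authentication logs.

Added example for the attack described above; not code from the article or
from Bingham County. The log format below is constructed for the example:
one line per login attempt, 'FAILED' or 'SUCCESS', a username and a source
address. Field names and thresholds are this example's assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) auth: "
    r"(?P<result>FAILED|SUCCESS) login user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample (not real data): one source sprays common admin names
# and then gets in; a second source is an ordinary user who mistyped once.
SAMPLE_LOG = """\
2017-02-15 03:41:02 auth: FAILED login user=administrator src=198.51.100.23
2017-02-15 03:41:03 auth: FAILED login user=administrator src=198.51.100.23
2017-02-15 03:41:03 auth: FAILED login user=admin src=198.51.100.23
2017-02-15 03:41:04 auth: FAILED login user=admin src=198.51.100.23
2017-02-15 03:41:05 auth: FAILED login user=backup src=198.51.100.23
2017-02-15 03:41:06 auth: FAILED login user=administrator src=203.0.113.7
2017-02-15 03:41:07 auth: FAILED login user=backup src=198.51.100.23
2017-02-15 03:41:20 auth: SUCCESS login user=jsmith src=203.0.113.7
2017-02-15 03:42:11 auth: SUCCESS login user=administrator src=198.51.100.23
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_brute_force(lines, threshold=5, window_seconds=60):
    """Return a list of (kind, src, timestamp, detail) alerts.

    kind is 'bruteforce' when a source reaches `threshold` failed logins
    inside a sliding window, and 'compromise' when a source that was
    already flagged later logs in successfully. The second one is the call
    to wake people up: the attacker is now inside.
    """
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    users_tried = defaultdict(set)  # src -> usernames attempted
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        if ev["result"] == "FAILED":
            recent = failures[src]
            recent.append(ts)
            users_tried[src].add(ev["user"])
            # Drop failures that fell out of the window.
            while recent and ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("bruteforce", src, ts,
                               f"{len(recent)} failures within {window_seconds}s, "
                               f"users tried: {sorted(users_tried[src])}"))
        elif src in flagged:
            alerts.append(("compromise", src, ts,
                           f"successful login as {ev['user']} after brute force"))
    return alerts


if __name__ == "__main__":
    for kind, src, ts, detail in detect_brute_force(SAMPLE_LOG.splitlines()):
        print(f"{ts} {kind.upper():10} {src}  {detail}")
```

Tune the threshold and window to your environment. On an internet-facing RDP or SSH port, a single source with more than a handful of failures per minute is rarely legitimate, and the "compromise" alert is the one that should page someone, because from that point the attacker is working from inside the server, exactly as happened here.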
Who Are The Attackers?
The perpetrators have been identified as the makers of Samsam, a ransomware that was used to attack hospitals through unpatched JBoss servers. We reported on their attacks in June 2016, when they held 10 U.S. hospitals to ransom.
Fortunately, quick thinking by the hospitals' IT staff let them detect the intrusion and shut down most of their network operations, and because they had uncompromised backups on hand, they were able to restore the three main clinical systems and protect the lives of their admitted patients.
So, Did The County Pay?
Yes and no. As you would expect, county officials tried to avoid paying, and they had reason to be confident: they had multiple backup systems in place. That mostly worked. They recovered almost all of their data from backups. Almost.
Three servers could not be recovered from backup, and at least one backup server had itself been infected with the ransomware. With no other options, the county paid $3,500 of the $28,000 demand to get the decryption keys for those servers.
But the damage had already been done. The cost of the cleanup came to almost $100k, even though the ransom itself was only a small fraction of that, and the IT team estimated that services might not fully return to normal until 2018.
One of the Bingham County IT contractors said they “basically had to completely rebuild” their servers.
“The removing of the encryption will take days to complete due to the massive amount of information affected,” they said.
Government organizations are increasingly becoming targets of ransomware attacks. Approximately 10 per cent of all ransomware attacks are aimed at public sector organizations, according to a study cited by Govtech.com.
In the end, the county's cyber insurance, carried through Idaho Counties Risk Management, reportedly covered most of the cost of the ransom, subject to a $1,000 deductible.
Thousands of radio transmissions, and hundreds of calls and police reports, had to be logged back into the system by hand once it was up again.
Why Didn’t Their Backups Work?
It’s true that backups are the first and most effective defense against ransomware. However, there are a number of reasons a restore from backup can fail.
Unmonitored and failed backups: The value of running a test restore of your backup cannot be overstated. In cases like this, skipping it can be a $100,000 mistake. As soon as you take a backup, restore some data from it as a test. Remember the rule of Schrödinger’s Backup: “The condition of any backup is unknown until a restore is attempted.”
The local, accessible drive was encrypted: This is why we suggest air-gapping at least one of your backups (read our Airgap Guide here). If a backup can be reached over the network from a compromised machine with that machine's credentials, ransomware running there can reach it too.
The backups were too far apart: If you don’t run regular backups, you lose all the data between your last backup and the disaster. To mitigate this risk, work out your Recovery Point Objective (RPO): the minutes or hours of data you can afford to lose before it hurts the business. Make sure your backup schedule achieves your RPO, so you never stand to lose more than that.
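The three failure modes above, turned into a check you can run, as an added example that is not the county's tooling or any product's code: it backs up a constructed directory to a tar.gz with a SHA-256 manifest, performs a test restore into a scratch directory and compares every file (Schrödinger's Backup), compares the backup's age with an RPO, then overwrites the archive the way ransomware on a reachable backup share would and shows the same check failing. The function names, manifest format and sample files are this example's assumptions.

```python
"""Test-restore a backup, check it against an RPO, and see it fail when encrypted.

Added example for the backup section of the article; not Bingham County's
tooling or any product's code. It builds a small constructed source tree,
backs it up to a tar.gz plus a SHA-256 manifest, restores into a scratch
directory and compares every file (Schrodinger's Backup), then simulates the
archive being overwritten by ransomware. Function names and the manifest
layout are this example's own assumptions.
"""
import hashlib
import json
import os
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, archive_path):
    """Archive src_dir into archive_path (tar.gz); return {relpath: sha256}.

    The manifest is also written next to the archive. Keep a copy somewhere
    the backup host cannot write to: if archive and manifest sit on the same
    share that gets encrypted, the manifest cannot vouch for anything.
    """
    src_dir = Path(src_dir)
    manifest = {}
    with tarfile.open(str(archive_path), "w:gz") as tar:
        for p in sorted(src_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src_dir).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    Path(f"{archive_path}.manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_restore(archive_path, manifest):
    """Restore into a scratch directory and compare with the manifest.

    Returns a list of problems; an empty list means the restore is good.
    Any failure to read the archive counts as a failed restore.
    """
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(str(archive_path), "r:gz") as tar:
                for m in tar.getmembers():
                    # A backup must never be allowed to write outside scratch.
                    if os.path.isabs(m.name) or ".." in Path(m.name).parts:
                        problems.append(f"unsafe member name: {m.name}")
                if problems:
                    return problems
                try:
                    tar.extractall(scratch, filter="data")
                except TypeError:  # Python without the 'filter' argument
                    tar.extractall(scratch)
        except Exception as exc:  # corrupt, truncated or encrypted archive
            return [f"archive unreadable: {type(exc).__name__}: {exc}"]
        for rel, digest in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(restored) != digest:
                problems.append(f"checksum mismatch: {rel}")
    return problems


def check_rpo(archive_path, rpo_seconds, now=None):
    """Compare the newest backup's age with the Recovery Point Objective.

    Returns (ok, age_seconds). 'now' can be overridden to make this testable.
    """
    now = time.time() if now is None else now
    age = now - os.path.getmtime(archive_path)
    return age <= rpo_seconds, age


def run_demo():
    """Constructed scenario: back up, verify, age-check, then 'encrypt' and re-verify."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "assessor_data"
        (src / "parcels").mkdir(parents=True)
        (src / "parcels" / "2017.csv").write_text("parcel,owner,value\n1001,Doe,125000\n")
        (src / "notes.txt").write_text("constructed sample data\n")

        archive = Path(work) / "assessor.tar.gz"
        manifest = make_backup(src, archive)
        clean = verify_restore(archive, manifest)

        # Pretend the newest backup is 2 h old against a 1 h RPO.
        rpo_ok, age = check_rpo(archive, rpo_seconds=3600,
                                now=os.path.getmtime(archive) + 7200)

        # Simulate the backup share being hit: overwrite the archive in place.
        archive.write_bytes(bytes(b ^ 0x5A for b in archive.read_bytes()))
        after = verify_restore(archive, manifest)

        return {"clean_problems": clean, "rpo_ok": rpo_ok, "age_seconds": age,
                "problems_after_encryption": after}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run the restore check from a host that only ever reads the backup location, never from the server being backed up; the point of the exercise is that the machine the attacker owns cannot alter both the archive and the evidence that it is good.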
The Lessons To Be Learned
There are quite a few, and all of them will help keep your own servers safe.
1. Find the open ports and exposed services on your network, and close or firewall the ones you don’t need. Anything that must stay reachable needs strong, unique passwords and account lockout; this attack was one guessed password away.
2. Don’t give users admin accounts.
3. Employ runtime malware defense to slow attacks as they happen.
4. Make sure at least one of your backup copies is air-gapped.
5. Perform test restores. Remember Schrödinger’s backup!
6. Make sure your IT staff and users are properly trained to deal with ransomware events and phishing.
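A way to act on lesson 1, as an added example that is not the county's or any vendor's tool: a plain TCP connect scan of the kind the attackers ran, pointed at your own hosts, with the result compared against an allowlist of services you intend to expose. The port table, the allowlist and the loopback listener in run_demo are this example's assumptions; only scan addresses you are authorised to test.

```python
"""Inventory listening TCP services and flag any not on an allowlist.

Added example for lesson 1 above; not code from the article or from
Bingham County. A TCP connect scan is exactly what the attackers' scanner
did; running it yourself, from outside, tells you what they will find.
The port table and allowlist are this example's assumptions.
"""
import socket
from concurrent.futures import ThreadPoolExecutor

# Services that get brute-forced constantly once exposed to the internet.
REMOTE_ACCESS_PORTS = {
    21: "ftp", 22: "ssh", 23: "telnet", 445: "smb", 1433: "mssql",
    3306: "mysql", 3389: "rdp", 5900: "vnc", 5985: "winrm",
}


def scan_ports(host, ports, timeout=0.5, workers=32):
    """Return the sorted list of ports on host that accept a TCP connection."""
    def probe(port):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            return port if s.connect_ex((host, port)) == 0 else None
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return sorted(p for p in pool.map(probe, ports) if p is not None)


def unexpected_exposure(open_ports, allowlist):
    """Open ports not on the allowlist, tagged with the service name if known."""
    return {p: REMOTE_ACCESS_PORTS.get(p, "unknown")
            for p in open_ports if p not in allowlist}


def run_demo():
    """Constructed setup: open one loopback listener, then scan for it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    # Bind and immediately release a second port so it is almost surely closed.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    try:
        found = scan_ports("127.0.0.1", [open_port, closed_port])
        return {
            "open": found,
            "listener_port": open_port,
            "closed_port": closed_port,
            # Nothing is allowlisted, so the listener must show up as unexpected.
            "unexpected": unexpected_exposure(found, allowlist=set()),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    print(run_demo())
    # Real use: scan your own public range, e.g.
    # scan_ports("203.0.113.10", range(1, 1025)) and compare with your allowlist.
```

Run it against the addresses your ISP hands you, not your internal ones, and do it on a schedule; a port that was closed last quarter can be opened by a well-meaning contractor the week after. Anything on REMOTE_ACCESS_PORTS that is not on your allowlist should either go behind a VPN or be closed.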
Looking for Backup and Disaster Recovery Software?
If you’re running something other than Windows, read our guide on the best backup and recovery software for your OS.