When news broke on March 22 that the City of Atlanta was grappling with a ransomware infection, it understandably made national headlines. Here was a major U.S. city being extorted by cybercriminals, its IT infrastructure devastated. Operations in five of the city's 13 departments were seriously disrupted, which triggered far-reaching, public-facing consequences. Residents couldn't pay water bills. Courts were unable to validate warrants. The police department and other city employees had to revert to filing paperwork by hand. Public Wi-Fi at the nation's busiest airport was down for two weeks. Years' worth of files and correspondence were reportedly lost.
But also lost in the midst of the fallout-focused coverage was the fact that this wasn’t a typical ransomware infection. The variant used (SamSam) and the criminal group behind it (“Gold Lowell”) stand apart in significant ways, from how targets are selected to how SamSam is delivered and deployed.
As a result, many of the usual, generic tips for safeguarding against garden-variety ransomware (e.g. train users not to open suspicious email attachments) don't apply to SamSam. And basic advice on how to mitigate active infections tends to underplay it in dangerous ways, too.
The goal of this post is to shed additional light on SamSam so that organizations can gain a more accurate understanding of what they’re actually up against and prepare themselves accordingly. To start, we first need to dismiss one of the biggest misconceptions when it comes to SamSam.