The Colorado Department of Transportation (DOT) has shut down over 2,000 computers after some systems were infected with the SamSam ransomware on Wednesday, February 21. The agency’s IT staff is working with its antivirus provider, McAfee, to remediate affected workstations and safeguard other endpoints before reintroducing PCs into its network. In a rare sign of transparency, officials revealed the name of the ransomware: SamSam. This is the same ransomware strain that infected hospitals, city councils, and ICS firms in January. The hackers made over $300,000 from those attacks. One of the victims, an Indiana hospital, agreed to pay a $55,000 ransom demand despite having backups. Hospital officials said it was easier and faster to pay the ransom than to restore all of its computers’ data from backups. DOT officials said they don’t intend to follow suit by paying the ransom demand and will instead restore from backups. Andy Norton, Director of Threat Intelligence at Lastline, commented below.
Andy Norton, Director of Threat Intelligence at Lastline:
“Government bodies will have some level of requirement to publicly disclose situations affecting the provision of public services. CDOT’s decision not to pay the ransom is not directly related to the public notification. What is interesting is the targeting in use by the SamSam authors, who must be one of the most successful ransom gangs out there, with 30+ bitcoins to their name. Choosing government critical services and attempting to propagate across many systems, whilst offering a single key to decrypt all infected machines at 3 bitcoins, is clearly a sweet spot and evidently often the easier option for infected organisations. If the infection had impacted critical services of CDOT, we may have seen a different response from them.”