What Healthcare Organizations Need To Know About Samsam Attacks

November 7, 2019
Steve Fox

Ransomware is a serious threat, with SamSam attacks arguably being one of the most dangerous to healthcare organizations (HCOs) in particular. However, many professionals outside of the cybersecurity arena have never even heard the term. Read on to learn more about what HCOs and their vendors should understand about the risk associated with SamSam attacks.


In late 2015, a group of cyber attackers released the first version of their ransomware variant, SamSam (also known as SamsamCrypt and Samas), which was named after the mysterious group. In 2018, the group’s ransomware was documented as targeting 67 different global targets, with 54 of them in the United States. What originally and continues to set this ransomware apart is the clear and focused targeting.

SamSam customizes the ransom demands based on the level of effort required to attack as well as the budget of the victim. This approach strays from the randomized ransomware that cybercriminals spread via mass malware infections, simply hoping someone will pay. Instead, and with much success, SamSam determines the cost of recovery, and sets ransom commensurately, encouraging victims to pay.

Another aspect unique to SamSam is the group’s focus on HCOs, with almost a quarter of their victims in the healthcare field. They have attacked city governments; construction, insurance, and manufacturing firms; utilities; banking and finance companies; and even education and professional services organizations. But they have had great success targeting HCOs.


Although SamSam is unique, security experts agree that it is possible to protect your organization with a strong in-place incident detection and response plan. This includes:

  • Back-ups, back-ups, and more back-ups. The absolute best defense against any ransomware attack, is to proactively render it ineffective. If your organization maintains secure, timely backups of its critical data, encrypting and denying access to production systems is a useless endeavor for an attacker to undertake.
  • Work toward as quick of a detection as possible—the quicker you detect an incident, the faster and better you are able to respond.
  • Pay attention to patches. Many of SamSam’s attacks have been via patchable software vulnerabilities.
  • Watch permissions—give users only the access hey need to do their jobs; doing so prevents an attacker from gaining additional access once they’ve compromised a lower-level user account.
  • Implement multi-factor authentication to make it that much more difficult to get past your security measures.

A SamSam attack is serious with widespread impacts that affect the targeted organization as well as secondary victims, including HCOs that partner with the targeted organization. A strong security posture and clear incident detection and response plan can be your best defense in containing and recovering from this type of devastating incident.

join our email list