Multiple Dutch companies infected with SamSam ransomware: report

A few dozen Dutch companies have been infected with ransomware SamSam, according to security company Fox-IT. A precise number can not be given because it is unknown how many companies paid the ransom or managed to get rid of the malware themselves, NOS reports.

SamSam uses a configuration error in a company's IT to gain access to its server. If the server is directly connected to the internet and has a weak password, that is relatively easy, according to Fox-IT. The hackers then dive deeper into the systems looking for more administration rights. Ransomware blocks access to an affected computer until the owner pays a ransom. 

"They get to know the company in that way. Look at the name and google it", Frank Groenewegen of Fox-IT said to NOS. "They know what kind of people work there and determine on the basis of all that knowledge how much ransom they can demand. What is feasible." According to ANP, ransoms vary from a few thousand euros to tens of thousands of euros, and must be paid in bitcoin.

SamSam has been active world wide for around 18 months and seems to target schools, hospitals and universities. Known cases from the past include a hospital in Los Angeles and the municipality of Atlanta. But according to Groenewegen, the ransomware isn't specifically targeting public facilities. "In the Netherlands it is the other way around: most government organizations don't link the servers directly to the internet. The SamSam makers are looking for companies that are not in order."

The American authorities believe that Iran is behind this ransomware. An American prosecutor indicted two Iranians last week, according to the broadcaster. 

Tags: