SamSam: $6 million Ransomware

Uploaded on 2018-08-28 in TECHNOLOGY--Hackers, NEWS-News Analysis, GOVERNMENT-Law Enforcement, FREE TO VIEW

Extensive research by Sophos has uncovered a trove of new information on the notorious SamSam ransomware, revealing that it has affected far more victims than previously thought, and raised vastly more in ransom demands, almost $6 million.

Through original analysis, interviews and research, and by collaborating closely with industry partners and a specialist crypto-currency monitoring organisation, Sophos has uncovered new details about how the secretive and sophisticated SamSam ransomware is used, who’s been targeted, how it works and how it’s evolving.

A Different Breed of Malware

What sets SamSam apart from most other ransomware, and why detailed research about it is so important, is the way it’s used in stealthy, targeted attacks.

Most ransomware is spread in large, noisy and untargeted spam campaigns sent to thousands, or even hundreds of thousands, of people. They use simple techniques to infect victims and aim to raise money through large numbers of relatively small ransoms of perhaps a few hundred dollars each.

SamSam is very different, it’s used in targeted attacks by a skilled team or individual who breaks into a victim’s network, surveils it and then runs the malware manually. The attacks are tailored to cause maximum damage and ransom demands are measured in the tens of thousands of dollars.

Because the malware has been used so sparingly compared to other types of ransomware, details about how it works and how the attacks play out have been elusive since its first appearance in December 2015.

Although you are unlikely to be the target of a SamSam ransomware attack, attacks occur at a rate of about one per day, those who are can find the effects devastating.

New Insights

The research paper reveals a host of fresh technical insights including new details about how SamSam scans victims’ networks and builds up the list of machines it’s going to encrypt.

Perhaps most eye-catching though is new information about how it spreads: Unlike WannaCry, which exploited a software vulnerability to copy itself to new machines, SamSam is actually deployed to computers on the victim’s network in the same way, and with the same tools, as legitimate software applications.

Sophos’s investigation also sheds new light on the number of attacks, how often they occur and who has been targeted.

Based on the known victims, it’s been widely speculated until now that SamSam attacks are directed specifically at the healthcare, government and education sectors. Sophos can reveal that this is not the case.

Working with cryptocurrency monitoring organisation Neutrino, Sophos followed the money and identified many ransom payments and victims that were previously unknown.

Based on the much larger number of victims now known it seems that far from being unaffected, the private sector has actually borne the brunt of SamSam. Victims in that sector have simply been far more reluctant to come forward.

The money trail also revealed that SamSam has netted nearly $6 million in ransom payments, about six times more than the most recent best estimate.

From its new research, Sophos is also able to offer better protection and disaster recovery advice too. Thanks to an improved understanding of the way that SamSam targets files in the victim’s operating system, Sophos now recommends that backing up your business data is not enough.

To recover swiftly from a SamSam attack, organisations need more than a plan for restoring data, they need a comprehensive plan for rebuilding machines.

How Attacks Unfold

The SamSam attacker gains access to victims’ networks via RDP (Remote Desktop Protocol) by using software like nlbrute to successfully guess weak passwords.

Sophos has identified that the timing of attacks changes to reflect the victim’s time-zone. Whether the victim is on the west coast of the USA or in the UK, attacks happen at night time while the victims are asleep.

Unlike other well-known ransomware such as WannaCry or NotPetya, SamSam doesn’t have any worm-like or virus capabilities, so it can’t spread by itself. Instead, it relies on the human attacker to spread it, an attacker who can adapt their tactics according to the environment and defences they discover as they surveil the target.

By working in this way, the attacker can try over and over again to work around defences and gain the access they want. If the SamSam attacker is on your network they will likely stay on it until they succeed, unless they’re kicked off.

Having gained access to a network, the SamSam operator uses a variety of tools to escalate their privileges to the level of Domain Admin. Then they scan the network for valuable targets and deploy and execute the malware as any self-respecting sysadmin might, using utilities such as PsExec or PaExec.

Once it has been spread far and wide, the many copies of the ransomware are triggered centrally, starting within seconds of each other. On each infected machine, files are encrypted in a way that’s designed to cause the most damage in the shortest time.

Once the attack has been launched, the attacker waits to see if the victim makes contact via a Dark Web payment site referenced in the ransom note.

Ransom demands have increased over time to about $50,000, vastly more than the three figure sums typical of untargeted ransomware attacks.

What to Do?

To avoid becoming a victim, the best defence against SamSam or any other form of malware is to adopt a layered, defence in depth approach to security.

SamSam targets appear to be chosen on the basis of their vulnerability. Earlier attacks established a foothold on victims’ networks by exploiting known software vulnerabilities. More recently the attacks have begun with the brute forcing of RDP credentials.

Staying on top of your patching and maintaining good password discipline will therefore provide a formidable barrier to SamSam attacks.
That barrier can then be strengthened significantly with these simple steps:

  1. Restrict RDP access to staff connecting over a VPN.
  2. Use multi-factor authentication for VPN access and sensitive internal systems.
  3. Complete regular vulnerability scans and penetration tests.
  4. Keep backups offline and offsite.

Of course SamSam is just one of millions of cyber-threats and this detailed examination of SamSam is just part of the constant, ongoing malware research undertaken by Sophos to improve and adapt its ability to protect against all forms of malware.

Naked Security:

You Might Also Read: 

13 Ways Cyber Criminals Spread Malware:

Malware – The Hateful Eight:

 

 

« Digital Resilience Is A Step Up From Cybersecurity
Facebook Fakers Get Better At Covering Tracks »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Montash

Montash

Montash is an award winning, global technology recruitment business, specialising in the acquisitions of high-performing talent across a number of core disciplines including Information Security.

Onapsis

Onapsis

Onapsis is a pioneer in cybersecurity and compliance solutions for cloud and on-premise ERP and business-critical applications.

MKD-CIRT

MKD-CIRT

MKD-CIRT is the national Computer Incident Response Team for Macedonia.

Conscia

Conscia

Conscia provides IT infrastructure solutions and 24/7 services in network, data center, security and mobility.

Sensible Vision

Sensible Vision

SensibleVision helps organizations transparently protect data and prevent costly security breaches by constantly verifying the identities of people who use computers or mobile devices.

QA

QA

QA is a leading IT training provider in the UK with over 1,500 courses covering all areas of IT including Cyber Security.

Naval Dome

Naval Dome

Naval Dome provides the first maritime multilayer cyber defense solution for mission critical onboard systems.

Lirex

Lirex

Lirex offer consulting and outsourcing services, complete design, construction and maintenance of ICT solutions and systems including cybersecurity.

Matrix42

Matrix42

Matrix42 software for digital workspace experience manages devices, applications, processes and services simple, secure and compliant.

Knowledge Transfer Network (KTN)

Knowledge Transfer Network (KTN)

KTN links new ideas and opportunities with expertise, markets and finance through our network of businesses, universities, funders and investors.

Liquid Intelligent Technologies

Liquid Intelligent Technologies

Liquid Intelligent Technologies is a leading communications solutions provider across Africa, providing reliable connectivity, hosting, co-location, and digital services including cyber security.

NAK Consulting Services

NAK Consulting Services

NAK is helping organisations to create Secure, Agile IT Environments. Our goal is to be the trusted advisor and managed service partner for our clients.

Detego Global

Detego Global

Detego Global are the creators of the Detego® Unified Digital Forensics Platform, a suite of modular tools used globally by military, law enforcement and intelligence agencies, and enterprises.

McAfee

McAfee

McAfee is a worldwide leader in online protection. We’re focused on protecting people, not devices. Our solutions adapt to our customers’ needs and empower them to confidently experience life online.

Ostrich Cyber-Risk

Ostrich Cyber-Risk

Ostrich Cyber-Risk is a risk management company that helps organizations reduce the complexity of identifying financial and operational risks related to your cybersecurity posture.

Avrem Technologies

Avrem Technologies

Avrem Technologies is a business IT and cybersecurity consulting firm. We design, implement, manage and monitor the networks, servers, computers and software that our clients rely on each day.