The ongoing SamSam ransomware campaign responsible for recently infecting the city of Atlanta, the Colorado Department of Transportation and an array of health care organizations represents an emerging operational model for malicious cryptors, according to researchers at Sophos.
“Instead of blasting one copy of the malware out to thousands of potential victims over a day or two, the crooks blast thousands of copies of the malware onto computers inside a single organization, pretty much all at once,” the IT security company explains in an Apr. 27 blog post authored by senior technologist Paul Ducklin. “And then, almost casually, they offer a ‘volume discount’ to fix the entire company in one fell swoop.”
Forgoing the conventional “spray and pray” approach associated with spam campaigns, this model lets the adversaries launch pervasive, highly debilitating attacks against specific organizations that are exposed through unpatched vulnerabilities or weak credentials, and then charge those organizations prohibitive sums.
In lieu of spam, the SamSam attackers exploit software vulnerabilities and brute-force Remote Desktop Protocol (RDP) logins in order to gain unauthorized network access and infect victims, Sophos explains in a new technical report by threat researcher Dorka Palotay and global malware escalations manager Peter Mackenzie. Once inside, they spread SamSam to additional connected systems by means of network mapping and credential theft, deploying the ransomware by hand with tools such as PsExec and batch (BAT) scripts.
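The two behaviours described above, RDP password guessing followed by PsExec-driven deployment, both leave footprints in ordinary Windows event logs. The following is an added example, not code from the Sophos report or from the article: it runs three detection heuristics over constructed log records. The field names mirror Windows events (ID 4625 for a failed logon and 4624 for a successful one, with LogonType 10 meaning RemoteInteractive, i.e. RDP; ID 7045 for a new service installation, PSEXESVC being the service PsExec installs by default), but the sample events, the account and host names, and the thresholds are assumptions that you would tune to your own environment.

```python
"""Detection heuristics for RDP brute forcing and PsExec deployment.

Added example; the records below are constructed, not real SamSam telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def ev(ts, event_id, host, **fields):
    """Build one constructed log record; `ts` is an ISO-8601 timestamp."""
    rec = {"time": datetime.fromisoformat(ts), "event_id": event_id, "host": host}
    rec.update(fields)
    return rec


# Constructed sample telemetry: six failed RDP logons in three minutes from
# 203.0.113.7, then a success from the same address, then PsExec's default
# service appearing on a file server. Hostnames and accounts are made up.
SAMPLE_EVENTS = [
    ev("2018-04-20T02:00:10", 4625, "RDP-GW01", ip="203.0.113.7", logon_type=10, account="administrator"),
    ev("2018-04-20T02:00:41", 4625, "RDP-GW01", ip="203.0.113.7", logon_type=10, account="admin"),
    ev("2018-04-20T02:01:12", 4625, "RDP-GW01", ip="203.0.113.7", logon_type=10, account="backup"),
    ev("2018-04-20T02:01:50", 4625, "RDP-GW01", ip="203.0.113.7", logon_type=10, account="svc_backup"),
    ev("2018-04-20T02:02:20", 4625, "RDP-GW01", ip="203.0.113.7", logon_type=10, account="svc_backup"),
    ev("2018-04-20T02:02:55", 4625, "RDP-GW01", ip="203.0.113.7", logon_type=10, account="svc_backup"),
    ev("2018-04-20T02:03:30", 4624, "RDP-GW01", ip="203.0.113.7", logon_type=10, account="svc_backup"),
    ev("2018-04-20T02:05:00", 4625, "RDP-GW01", ip="198.51.100.4", logon_type=10, account="jsmith"),
    ev("2018-04-20T02:06:00", 4625, "RDP-GW01", ip="198.51.100.4", logon_type=10, account="jsmith"),
    ev("2018-04-20T02:40:00", 7045, "FS01", service_name="PSEXESVC",
       image_path="%SystemRoot%\\PSEXESVC.exe", account="CORP\\svc_backup"),
    ev("2018-04-20T03:00:00", 7045, "WS22", service_name="TestSvc",
       image_path="C:\\Tools\\svc.exe", account="CORP\\itadmin"),
]


def rdp_bruteforce_sources(events, threshold=5, window=timedelta(minutes=10)):
    """Map source IP -> peak count of failed RDP logons (4625, LogonType 10)
    inside any sliding `window`, for sources that reach `threshold`."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e.get("logon_type") == 10:
            failures[e["ip"]].append(e["time"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def bruteforce_then_success(events, flagged_ips, window=timedelta(minutes=30)):
    """Return (ip, account, time) for successful RDP logons (4624, LogonType 10)
    from a flagged source within `window` after one of its failures: the
    signature of a guessed password rather than a blocked attack."""
    fails = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e.get("logon_type") == 10 and e["ip"] in flagged_ips:
            fails[e["ip"]].append(e["time"])
    hits = []
    for e in events:
        if e["event_id"] == 4624 and e.get("logon_type") == 10 and e.get("ip") in fails:
            if any(timedelta(0) <= e["time"] - f <= window for f in fails[e["ip"]]):
                hits.append((e["ip"], e["account"], e["time"]))
    return hits


def psexec_service_installs(events, service_name="PSEXESVC"):
    """Return (host, account, image_path) for 7045 events that install PsExec's
    default service. Caveat: PsExec's -r switch renames the service, so this
    catches default usage only; pair it with image-path or hash checks."""
    return [(e["host"], e.get("account"), e.get("image_path"))
            for e in events
            if e["event_id"] == 7045
            and e.get("service_name", "").upper() == service_name.upper()]


if __name__ == "__main__":
    sources = rdp_bruteforce_sources(SAMPLE_EVENTS)
    print("RDP brute-force sources:", sources)
    print("Likely compromised logons:", bruteforce_then_success(SAMPLE_EVENTS, sources))
    print("PsExec service installs:", psexec_service_installs(SAMPLE_EVENTS))
```

The point of the second check is operational: a burst of 4625s alone is background noise on any Internet-facing RDP host, but a 4624 from the same source minutes later is the moment an account has fallen, and a 7045 for PSEXESVC under that same account on an internal server is the deployment stage the report describes.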
For instance, the technical report references one SamSam sample whose accompanying BAT file lets the cybercriminals set the ransom price in Bitcoin for each individual attack. That sample gives victims the option of paying roughly $7,200 per infected PC to decrypt machines on an “a la carte” basis, or about $45,000 to “buy in bulk” and decrypt the entire organization at once.
The Bitcoin amounts are continually adjusted to the current exchange rate so that the ransom holds steady at these dollar values, Sophos states. Since switching Bitcoin wallet addresses in mid-January, this SamSam variant has received 23 payments, earning a total income of 68.1 BTC, or close to $628,000 as of Apr. 30. “Most of the victims have decided to pay the full price,” the report states.
In January 2018, Cisco Systems’ Talos research division reported on a relatively new SamSam technique in which a loader component called “runner” decrypts and executes an encrypted version of the ransomware payload. Since then, Sophos has observed an evolution of that component: “The interesting change in the runner component is that the decryption function, used to decrypt the payload, is no longer located inside the executable but rather in a separate DLL file,” the report states.