SamSam creators to date have raked in $6 million and the ransomware continues to be a thorn in the sides of organizations in both the public and private sectors.
Peter MacKenzie, global malware escalations manager working in Sophos Technical Support, told SC Media during the Black Hat 2018 show in Las Vegas that 74 percent of known victims are located in the U.S., with the largest random payout topping $64,000.
While many of the high-profile attacks have been aimed at medium-to-large public sector organisations in health care, education, and government, those still make up only about half of the attacks. The rest, MacKenzie said, have targeted private-sector organizations.
However, members of that latter group has been curiously silent about their travails. Sophos research found that 100 percent of government organizations “went public” about attacks, while in health care the report rate was 70-plus percent and in education over 80 percent, said MacKenzie. “But in the private sector, zero percent reported,” which is not prudent, particularly “considering GDPR.”
SamSam has proven to be a thorny challenge for security teams. It is atypical of ransomware attacks in that its entire attack process is manual, MacKenzie said.
And while the grammatical errors are a clue that the attackers may not speak English as a first language, the attacks don't rely on the typical badly worded spam email with an attachment.
Instead the attacks are old school, using “tools that attempt as many logins as quickly as the Remote Desktop Protocol will permit,” Sophos said in a report
Once in, attackers spread the “payload laterally across the network; a sleeper cell that lays in wait for instructions to begin encrypting,” Sophos said.
Because SamSam encrypts document files, images, and other personal or work data, as well as “configuration and data files required to run applications (e.g., Microsoft Office),” Sophos said that “victims whose backup strategy only protects the user's documents and files won't be able to recover a machine without reimaging it first.”
Attribution, as with many threats, is difficult. MacKenzie said research indicates that SamSam is likely the work of a small group.
Attacks tend to occur after normal business hours when admin staffs are smaller and abnormal behavior can fly under the radar.
“Ever a predator, the attacker waits until late at night, when the target organization is least well equipped to deal with it, before the final blow is struck,” said Sophos. “A sneak attack while the target literally sleeps, SamSam encrypts a prioritized list of files and directories first, and then everything else.”
Whether or not this means that SamSam attackers are based somewhere on Eastern Europe or Asia is unclear.
What is certain, however is that SamSam attackers are becoming progressively savvier, showing “an increasing awareness... of operational security.” And they have bumped up ransoms dramatically. “The tempo of attacks shows no sign of slowdown,” Sophos said.