SamSam ransomware, known for its recent takedown of several high-profile targets, is a well-coded piece of malware that is backed by a group that does not mind spending time to properly set up its victims to ensure a maximum payout from each attack, resulting in about $6 million being paid so far, according to a study by SophosLabs.
SamSam has been around since 2015, but until a recent series of attacks it has not stood out among its competitors. However, all that changed after being tagged as the malware behind the well-publicized attack on the Atlanta city government, the Colorado Department of Transportation and several healthcare institutions, said Sophos Principal Threat Researcher Chet Wisniewski, who told SC Media that SamSam now should be considered a top 10 ransomware, one that is adding at least one new victim per day to its ledger.
The reason behind SamSam's success is detailed in a new report by Sophos' Naked Security.
“SamSam is quite different from regular ransomware which use a spray and pray method to find victims. Here they are looking for a vulnerability to gain entry and then spend about a day inside the victim's system setting things up,” he said.
Wisniewski described the behind-the-scenes work being done by the threat actors as more manual-labor intensive than what is usual for a ransomware gang -- particularly in how they take their time to defang a network's defenses and ensure victims cannot use its backups to help with recovery.
“It's time intensive,” Wisniewski said, but successful.
SophosLabs was able to identify about 240 SamSam victims by tracking Bitcoin addresses supplied on ransom notes and sample files and by working with the firm Neutrino. This methodology revealed the malware has generated about $5.9 million so far, although this figure could be much higher as most SamSam attacks go unreported,” he said.
SophosLabs believes 74 percent of the victims are in the United States, with other attacks hitting Canada, the UK and the Middle East. While the majority of the known victims have been government agencies or in education and healthcare, only 37 percent of the companies hit have publicly disclosed an attack. The other victims were discovered by matching bitcoin wallet transactions.
The basic attack methodology sees the SamSam attacker scanning the internet for a system with specific vulnerabilities or by using the Remote Desktop Protocol and utilizing software like NLBrute to break weak passwords (as opposed to, say, a phishing campaign).
To give the culprits time to gain access without being spotted, the attacks are timed to take place during off hours when the victims are not at their computers.
Once a target is located and the attackers are in the system, the operators turn their attention to prepping the victim for full exploitation.
The attackers use a set of tools to gain admin privileges and then scan the network for valuable targets, deploying and executing the malware as any self-respecting system admin might, using utilities such as PsExec or PaExec, the report stated. This differs from ransomware like WannaCry, which uses a worm-like function to spread itself inside a system. Because the gang running the operation only picks a few targets, it is are able to spend a great deal of time to work around any defenses that are in place. And since so much time and effort is invested in each attack, the offenders are unlikely to give up unless detected and kicked out, Sophos said.
“Once it has been spread far and wide, the many copies of the ransomware are triggered centrally, starting within seconds of each other. On each infected machine, files are encrypted in a way that's been calculated to cause the most damage in the shortest time,” the report stated.
At this point, the attackers wait to be contacted by the victim via email. Wisniewski said initial ransom payments of $20,000 had been requested, but lately, the threat actors have upped the amount to $50,000 or $60,000. So far the attackers have been honest and do release the encrypted data back to the rightful owners once payment has been received.
Even though SamSam requires a hands-on operator to be effective, Wisniewski does not believe those behind the ransomware are particularly sophisticated. He described the skill level required as the same as that of a moderately talented pen tester, and likely not the work of a nation-state actor.
“What they are doing is exactly what a good pen tester would do,” he said, adding if these people used their skills for honest work they would probably make a good living.