Malware, Ransomware

True crime: SamSam ransomware I am

It was one for the books – a mysterious cyberattack laying waste to systems in the city of Atlanta before moving on to a wide swath of targets, including health care companies, the Port of San Diego, the Colorado Department of Transportation.

March 22, 2018 - Workers arriving in various departments in the city of Atlanta detect “outages on various internal and customer facing applications, including some applications that customers use to pay bills or access court-related information,” according to city officials.

Hours, maybe minutes, into the Atlanta fiasco, it was clear the attack was the work of an old foe, SamSam ransomware, which had wreaked havoc on city networks from Georgia to Indiana to Colorado, as well as hospitals and other public- and private-sector enterprises, as a California port was about to find out.

September 27, 2018 - Halfway across the country the Port of San Diego suffered a cyberattack similar to the one that crippled systems and services in Atlanta. “The Port of San Diego has experienced a serious cybersecurity incident that has disrupted the agency’s information technology systems,” according to a statement at the time from the port’s CEO, Randa Coniglio. “The Port has mobilized a team of industry experts and local, regional, state and federal partners to minimize impacts and restore system functionality, with priority placed on public safety-related systems.”

What unfolded last year was a hardboiled tale of confounding cybercrime, ransom and damages paid, an international manhunt by gumshoes in the security industry and law enforcement around the world, resulting in indictments in December.

SamSam may not be the longest-surviving or most pernicious malware, but its impact on enterprise security became difficult to ignore in 2018.

A customized infection used in targeted attacks, SamSam has been used in targeted attacks going back to late 2015. While many early attacks were executed on vulnerable JBoss host servers, more recent ones focused on vulnerabilities in the Remote Desktop Protocol (RDP), Java-based web servers and file transfer protocol (FTP) servers. One of the few unifying aspects of SamSam is the use of the word “sorry” in ransom notes, URLs and infected files. But despite the online apologies, SamSam attackers have been effective and unyielding.

Between 2016 and 2018, SamSam ransomware targeted the health care and financial industries, state agencies, city governments, ICS and academia, says Danny Pickens, director of threat research for Fidelis Cybersecurity. Most targets were in the U.S., but the ransomware also hit sites in Canada, India, Portugal, France, Australia, Ireland and Israel. As of November 2018, the FBI estimated that the SamSam group had received $6 million in ransom payments to date and caused over $30 million in losses to victims.

“Since the SamSam group began their efforts in 2015, the effects of the ransomware have only escalated since and have not been shut down,” says George Wrenn, CEO and founder of CyberSaint Security. “The issue with ransomware like this is that for some organizations, the cost of the ransom is in fact less than the cost of what it would take to fix the problem.” It is advised not to give in, Wrenn says, as it gives cybercriminals more reason to continue their exploits; however, every situation is unique and the impacts of an attack are different for each organization.

Sam Curry, chief security officer for Cybereason, says that SamSam victims typically have been selectively targeted and singled out.

For instance, Atlanta was “dealt a severe blow last year and paid a ransom to hackers and then millions more to recover from the shutdown. Residents were unable to pay city bills, the judicial system was disrupted and many departments that people rely on were shut down and taken offline by this crippling attack,” Curry says.

“What is most interesting about SamSam is that hackers tend to use the ransomware strain to target specific municipalities, hospital networks and college and university networks. In a dark mirror of corporate pricing behaviors, the SamSam hackers have seemingly perfected the pay model as they are setting ransoms at amounts that many organizations decide to pay and are getting results.”

Perhaps Atlanta was the most notable SamSam attack, “but that was due to the city’s inability to detect, respond and recover,” says Adam Nichols, principal at GRIMM. “Any organization which is able to handle this type of an attack is unlikely to ever disclose they were a victim. There’s no telling what the authors learn from their failures; however, there is certainly an opportunity since this is not a completely automated attack.”

Raj Samani, chief scientist and fellow at McAfee, says the “biggest bang created by SamSam was attacking the health care sector, which had never been targeted in such a way before.” In fact, Samani maintains that certain cybercriminals have “ethics” and have condemned the authors and bad actors behind SamSam for targeting major U.S. hospitals. In the U.S. alone, in the first quarter of 2018, around eight healthcare organizations were targeted with this ransomware.

The payout

The SamSam attack on Atlanta reportedly cost the city more $7 million, according to Pravin Kothari, CEO of CipherCloud. “But, to add insult to injury, consider that the original ransom request was about $50,000,” Kothari says.

“This attack crippled many city operations, affecting not only the 8,000 city employees, but the public at large who could no longer pay their water bills or traffic fines or use the public WiFi at the airport,” says Laura Lee, executive vice president for rapid prototyping for Circadence. “It was also the attack that the victims famously didn’t pay the $55,000 in Bitcoin but instead struggled with [an] almost $17 million cost for investigation and clean up.”

Lee points out that a similar attack occurred in Colorado on the Department of Transportation, which also didn’t pay but was able to restore service quickly from backups.

Earl Carter, security
 research engineer at Cisco Talos.

The motive behind SamSam was similar to many other attacks from the past. Creatures of habit and eager to pluck the low-hanging fruit, when attackers find an attack vector like ransomware that enables them to easily make a profit, they repeatedly use that vector to maximize their profit, points out Earl Carter, security research engineer at Cisco Talos.

“With SamSam, the attackers used unpatched vulnerabilities to gain access and then ransomware to monetize that access,” Carter continues. “The attackers are constantly looking for new and more effective ways to generate revenue from their attacks, but when they find a vector that works they tend to keep using it until it is no longer effective.”

Unlike such previous malware like the Morris worm, or more recently WannaCry and NotPetya, SamSam “does not spread autonomously,” says Nichols.

“It is selectively deployed by operators, possibly the authors themselves,” Nichols adds. “This allows [the infection] to make more educated decisions based on the victim’s environment and infect many machines before taking overt actions such as encrypting files.”

Hence, for organizations whose detection capability consists of seeing the ransomware message on the screen, “there’s no way to quarantine it to a particular network segment, it’s already too late.”

The attacks sent cybersecurity sleuths on a convoluted journey, piecing together (sometimes cryptic) clues as to who the attackers might be.

While the grammatical errors were a clue that the attackers may not speak English as a first language, the attacks didn’t rely on the typical heavily badly worded spam email with an attachment, Peter MacKenzie, the global malware escalations manager working in Sophos Technical Support, told SC Media at Black Hat.

Instead, a Sophos said in a report pegged the attacks as old school, using “tools that attempt as many logins as quickly as the Remote Desktop Protocol will permit.”

Attribution, as with many threats, was difficult. MacKenzie says research indicated that SamSam was likely the work of a small group.

Attacks tended to occur after normal business hours when admin staffs are smaller and abnormal behavior can fly under the radar.

“Ever a predator, the attacker waits until late at night, when the target organization is least well equipped to deal with it, before the final blow is struck,” the Sophos report said. “A sneak attack while the target literally sleeps, SamSam encrypts a prioritized list of files and directories first, and then everything else.”

Whether or not that meant that SamSam attackers were based somewhere on Eastern Europe or Asia was unclear at the time.

What was certain, however, was that the attackers were becoming progressively savvier, showing “an increasing awareness… of operational security.” And they had bumped up ransoms dramatically. “The tempo of attacks shows no sign of slowdown,” the Sophos report said.

The actors behind SamSam thought through carefully who they would attack, as well as how, says Christiaan Beek, lead scientist and senior principal engineer at McAfee. “Where most ransomware goes for the mass attack ‘spray and pray-they-pay,’ the SamSam attacks are individual and targeted,” Beek points out. By looking for vulnerabilities or accessing victims using RDP, a remote access feature, they enter their victim’s network and spread their customized version of SamSam.

They gather credentials from the victim, use scripting and other trusted tools to spread their ransomware internally into the victim’s network, and try to stay below the radar as much as they can, according to Beek.

“The fact that the human actors behind SamSam sought out vulnerable organizations to attack resulted in a high rate of success, and their constant tweaking of their code kept it viable and effective,” says Stephen Cobb, senior security researcher at ESET. Through deliberate and on-going adjustments, aimed at exploiting the ever-changing range of vulnerabilities, SamSam attackers “had a fairly constant supply of potential victims to target,” Cobb adds.

To further complicate matters for enterprise victims, SamSam, like many malware tools, has evolved to become more successful in compromising backup data, Kothari adds.

“This raises the threat profile and makes it more likely for defenders to pay the ransom,” Kothari says. “As they add new capabilities such as artificial intelligence we expect to see a large series of successful attacks.”

Because there was hardly any direct evidence of who created SamSam, the operators seemed to have effectively covered their tracks, and the main motive for the attacks was apparently financial, pinning down the sources of this ransomware was difficult, Nichols points out. Given the effectiveness and secrecy with which the authors and attackers operated, many industry experts believed SamSam was the product of a nation-state.

And, indeed, in late 2018, the Justice Department indicted two Iranian men behind the SamSam ransomware attacks that infected the cities of Atlanta, San Diego and Newark, N.J., as well as two others who converted the ransom into Iranian riyals.

Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, “extorted victims by leaving a ransom note in the form of a file on each computer encrypted by SamSam Ransomware,” read the indictment, unsealed in late November in a U.S. District Court in New Jersey. “Each victim’s ransom note told the Victim that its files were encrypted, told the victim that it would have to pay Bitcoin to get the decryption keys.”

“The Iranian defendants allegedly used hacking and malware to cause more than $30 million in losses to more than 200 victims,” said Deputy Attorney General Rod Rosenstein said in a release.  “According to the indictment, the hackers infiltrated computer systems in 10 states and Canada and then demanded payment. The criminal activity harmed state agencies, city governments, hospitals and countless innocent victims.”

Based on the federal indictment, the SamSam ransomware was “written in Iran by Iranians, which strikes me as entirely plausible,” Cobb says. “It is also plausible that they had help, or tacit permission, from their government. Although I am not aware of any evidence to that effect, the reality is that ransomware like SamSam is an ideal tool for countries suffering from international sanctions: it generates income and causes pain to its victims, whether or not they pay.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.