
SamSam ransomware payments reach nearly $6 million

Source: TechTarget, 31/07/2018


New research reveals the SamSam ransomware campaign has generated almost
$6 million for the attacker and appears to be the work of a single hacker
who shows no sign of slowing down.
The long-running SamSam ransomware campaign, active since early 2016,
has apparently earned its perpetrators nearly $6 million in ill-gotten
gains -- and the pace of the campaign is picking up.
According to Sophos' new report, titled "SamSam: The (Almost) Six
Million Dollar Ransomware," the evidence shows the campaign is unlike
"traditional" ransomware campaigns, which spread through phishing or
other shotgun approaches that aim to maximize the number of
infections. Sophos researchers found that SamSam is run by an
extremely well-organized threat actor who carefully targets and hacks
into victim systems directly, using conventional system administration
and penetration testing tools to infect and evade detection -- in real
time.
"Unlike virtually every other ransomware attack, the entire attack
process is manual. No badly worded spam email with an attachment is
the culprit. The attacker breaks in the old fashioned way: using tools
that attempt as many logins as quickly as the Remote Desktop Protocol
will permit, and exploits operating system vulnerabilities, though not
as many as you'd think. SamSam usually succeeds when the victim
chooses a weak, easily guessed password," the researchers wrote in
their report.
Among the findings, the Sophos research team reported that while the
SamSam ransomware campaign may seem to target "medium to large public
sector organizations in healthcare, education, and government," they
found "these only make up for about 50% of the total number of
identified victims, with the rest comprising a private sector that has
remained uncharacteristically quiet about the attacks."
Sophos estimated the total ransom paid, in bitcoin, at over $5.9
million. The attacker appears to target a new victim every day, with
roughly one in four paying ransom.
Sophos was able to identify victims, many of whom had not publicly
reported being infected with the SamSam ransomware. Working with
Neutrino, a cryptocurrency tracking company based in Milan, Italy,
Sophos estimated that as many as 233 victims had paid at least some
ransom to the SamSam attacker. Based on this research, Sophos
determined that the SamSam ransomware mostly targets companies in the
United States (74%), followed by the U.K. (8%), Belgium (6%), Canada
(5%) and Australia (2%).
Unusual aspects of the SamSam ransomware campaign
Chester Wisniewski, principal research scientist at Sophos, explained
that SamSam is different from "traditional" ransomware in a number of
ways. First, the SamSam threat actor does the work of identifying,
breaching and infecting systems and networks entirely by hand.
"The forensics indicate it's not automated at all," Wisniewski said.
In addition, the attacks are gaining in sophistication over time,
starting with giving victims the option to ransom all systems that
were encrypted for a lower fee.
The SamSam attacker has also been observed taking steps to guarantee
payment from victims. Wisniewski said that the attacker is interfering
with backups, starting with targeting any online backups.
"They are also booby-trapping the backup mechanisms. They are saying,
'Oh, these backups are online; we'll just delete them,' so you can't
just go back to your backups easily. Now of course all of us would, in
a perfect world, we all know that you should never keep your backups
onli... Well, let's be honest about what happens in the real world,"
Wisniewski quipped.
The size of the ransom is also unusual. Wisniewski said that early
ransomware actors found the "sweet spot" for ransoms on individual
computers to be about $700. "Seven hundred dollars is worth your
family photos; a thousand is too much," he said.
The SamSam ransom is much higher, in part because the attackers target
entire networks rather than individual systems. The earliest victims
faced ransoms of around $20,000 in 2016, but the amount is progressing
steadily upward, with the highest payoff discovered so far by Sophos
just over $64,000, paid late last year.
Who is behind SamSam?
While the creator and perpetrator of the SamSam ransomware remains
unknown, the Sophos report suggests a single threat actor, rather than
a group of cybercriminals, is behind the campaign. "The consistency of
language across ransom notes, payment sites, and sample files,
combined with how their criminal knowledge appears to have developed
over time, suggests that the attacker is an individual working alone,"
the report states. "This belief is further supported by the attacker's
ability not to leak information and to remain anonymous, a task made
more difficult when multiple people are involved."
Wisniewski added the timing of SamSam activity indicates a single
threat actor is responsible for the ransomware campaign; according to
the report, 94% of the infections occurred during a specific 16-hour
period.
The SamSam attacker, according to Wisniewski, is likely highly
competent. Mapping out the approach to a typical victim, he said the
attacker likely enters a network through a well-known vulnerability
like the one reported in JBoss software in 2016, or through
internet-facing RDP servers that can be discovered through a service
like Shodan or Censys.
Once in the targeted network, Wisniewski said that the SamSam actor
likely works from a script that includes scanning the network with
Nmap, identifying admin accounts and analyzing the organization's
Active Directory.
"That's all manual stuff. They're doing exactly what any good pen
testing firm would do if they hired them," he said. "And sadly it
sounds like a lot of the victims either didn't hire them or ignored
their pen test report."
Defending against SamSam ransomware
While organizations should not let up on their efforts to fight
phishing, Wisniewski pointed out that any organization -- not just
those in healthcare, government or education -- is in the crosshairs,
so every organization should be wary.
"If you think your company can fall victim to this because your
externally facing systems are a little too open to the remote desktop
protocol or you're still waiting 90 days to apply your patches because
somehow you think that that's a good idea," Wisniewski said, "you'd
better be thinking twice about it because you could be the next victim
very easily even if you're not in healthcare or government because we
can see that the private sector companies -- and I can't blame them --
aren't telling anybody that they've been hit."
Mark Mager, senior malware researcher at Endgame Inc., a cybersecurity
company headquartered in Arlington, Va., said via email: "In order to
adequately defend against ransomware such as SamSam, organizations
should employ an effective endpoint protection platform across their
network, minimize the number of hosts exposed to the Internet, and
employ secure configurations with multifactor authentication and
strong passwords for any remote access services. Maintaining schedules
for regular software updates and offline critical data backups are
also best practices that should be followed."
Noting that the SamSam ransomware attacks "rely on a variety of
exploits and network service password brute-forcing techniques to gain
initial access to victim networks, and spread automatically from
there," Tod Beardsley, director of research at Rapid7, added that
since SamSam has not yet been observed to use unpatched
vulnerabilities to exploit networks, "the best defense against SamSam
is to keep up on patch and vulnerability management, especially for
internet-facing assets."
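As an added illustration of the defensive advice above (this is not code from the article, Sophos, or the quoted researchers): the report says SamSam gets in by trying RDP logins until a weak password works, so the most direct detection signal is a burst of failed RDP logons from one source followed by a success from that same source. Windows Security event IDs 4625/4624 and logon type 10 (RemoteInteractive, i.e. RDP) are real values; the record layout and the sample log entries are constructed for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = "10"             # Windows logon type 10 = RemoteInteractive (RDP)
FAILED, SUCCESS = "4625", "4624"  # Windows Security event IDs: failed / successful logon

# Constructed sample records: (timestamp, event_id, logon_type, source_ip, account).
# 203.0.113.7 guesses five accounts in seconds, then lands a valid password.
SAMPLE_EVENTS = [
    ("2018-07-30 02:00:01", "4625", "10", "203.0.113.7", "administrator"),
    ("2018-07-30 02:00:02", "4625", "10", "203.0.113.7", "admin"),
    ("2018-07-30 02:00:03", "4625", "10", "203.0.113.7", "backup"),
    ("2018-07-30 02:00:04", "4625", "10", "203.0.113.7", "itadmin"),
    ("2018-07-30 02:00:05", "4625", "10", "203.0.113.7", "svc_sql"),
    ("2018-07-30 02:00:09", "4624", "10", "203.0.113.7", "itadmin"),
    ("2018-07-30 09:15:00", "4625", "10", "198.51.100.4", "jsmith"),  # one typo, then OK
    ("2018-07-30 09:15:30", "4624", "10", "198.51.100.4", "jsmith"),
    ("2018-07-30 09:16:00", "4625", "2", "192.0.2.10", "local"),      # console logon, ignored
]


def detect_rdp_guessing(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed RDP logons inside a sliding window.

    Returns {source_ip: ("burst", None) | ("burst_then_success", account)}.
    A success from a source already in the burst state is the strongest
    signal: a guessed password that worked, which is the SamSam entry path.
    """
    recent = defaultdict(deque)  # source_ip -> timestamps of failures still inside the window
    verdicts = {}
    for ts, event_id, logon_type, src, account in sorted(events):
        if logon_type != RDP_LOGON_TYPE:
            continue  # console and network logons are out of scope for this check
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        failures = recent[src]
        while failures and when - failures[0] > window:
            failures.popleft()  # expire failures older than the window
        if event_id == FAILED:
            failures.append(when)
            if len(failures) >= threshold and src not in verdicts:
                verdicts[src] = ("burst", None)
        elif event_id == SUCCESS and verdicts.get(src, (None,))[0] == "burst":
            verdicts[src] = ("burst_then_success", account)
    return verdicts
```

A single failure followed by a success (the jsmith entries) is ordinary user behaviour and is not flagged, which keeps the rule quiet on a normal day while still catching the guessing pattern.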

