SamSam ransomware has apparently earned its perpetrators almost $6 million, and the campaign's pace is picking...
up. Sophos researchers believed that SamSam is the work of a single person using manual techniques. What are the advantages of using a manual attack process instead of phishing?
Operational security is hard, and enterprises are acutely aware of that. While attackers may not understand the importance of operational security until they are visited by law enforcement, one potential way for an attacker to improve operational security is to draw as little attention as possible to their activities to minimize the chances of being detected.
One way to do this is by not attacking indiscriminately and using a manual attack process as part of a targeted attack, including living off the land.
Two Iranians were indicted in November for SamSam attacks on over 200 victims, lending credence to the conjecture that a small group is behind the SamSam ransomware campaign.
The threat actors behind the SamSam ransomware seem to use publicly available data from Shodan or Censys to identify victims, and they appear to understand the advantages of using a manual attack process instead of phishing. The manual attack process enables threat actors to take additional steps to make their attacks successful.
A manual attack also enables the attacker to adapt to the security controls in an environment, so if brute-forcing a weak password doesn't work, an exploit for an unpatched vulnerability can be used to gain access. Once access is gained, attackers can take specific steps to make it more difficult to investigate the attack, such as removing the evidence of the intrusion by deleting logs. The attackers have even been reported to attempt to disrupt or delete backups in order to increase the likelihood of the victim paying the ransom.
Given the myriad ways that data can be backed up, it may be very difficult to automate that step effectively. Because a good backup is the most important step for recovery from ransomware, taking the extra step of disrupting backups could improve the effectiveness of an attack.
While all of these advantages don't necessarily mean that an attacker is unstoppable, it may make it difficult for an enterprise to stop a targeted attack.
Ask the expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
The hacking group Magecart was recently found to have run a card skimming campaign that put customer information at risk. Learn how this attack ... Continue Reading
A new version of GandCrab was discovered by researchers in July 2018 and involves the use of legacy systems. Learn how this version differs and who ... Continue Reading
The ad-blocking vendor AdGuard found browser extensions and apps from Big Star Labs collecting browser history data. Discover how this was ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.