The long-running SamSam ransomware campaign, active since early 2016, has apparently earned its perpetrators nearly...
$6 million in ill-gotten gains -- and the pace of the campaign is picking up.
According to Sophos' new report, titled "SamSam: The (Almost) Six Million Dollar Ransomware," the evidence shows the campaign is unlike "traditional" ransomware campaigns, which spread through phishing or other shotgun approaches that aim to maximize the number of infections. Sophos researchers found that SamSam is run by an extremely well-organized threat actor who carefully targets and hacks into victim systems directly, using conventional system administration and penetration testing tools to infect and evade detection -- in real time.
"Unlike virtually every other ransomware attack, the entire attack process is manual. No badly worded spam email with an attachment is the culprit. The attacker breaks in the old fashioned way: using tools that attempt as many logins as quickly as the Remote Desktop Protocol will permit, and exploits operating system vulnerabilities, though not as many as you'd think. SamSam usually succeeds when the victim chooses a weak, easily guessed password," the researchers wrote in their report.
Among the findings, the Sophos research team reported that while the SamSam ransomware campaign may seem to target "medium to large public sector organizations in healthcare, education, and government," they found "these only make up for about 50% of the total number of identified victims, with the rest comprising a private sector that has remained uncharacteristically quiet about the attacks."
Sophos estimated the total ransom paid, in bitcoin, at over $5.9 million. The attacker appears to target a new victim every day, with roughly one in four paying ransom.
Sophos was able to identify victims, many of whom had not publicly reported being infected with the SamSam ransomware. Working with Neutrino, a cryptocurrency tracking company based in Milan, Italy, Sophos estimated that as many as 233 victims had paid at least some ransom to the SamSam attacker. Based on this research, Sophos determined that the SamSam ransomware mostly targets companies in the United States (74%), followed by the U.K. (8%), Belgium (6%), Canada (5%) and Australia (2%).
Unusual aspects of the SamSam ransomware campaign
Chester Wisniewski, principal research scientist at Sophos, explained that SamSam is different from "traditional" ransomware in a number of ways. First, the SamSam threat actor does the work of identifying, breaching and infecting systems and networks entirely by hand.
Chester Wisniewskiprincipal research scientist, Sophos
"The forensics indicate it's not automated at all," Wisniewski said. In addition, the attacks are gaining in sophistication over time, starting with giving victims the option to ransom all systems that were encrypted for a lower fee.
The SamSam attacker has also been observed taking steps to guarantee payment from victims. Wisniewski said that the attacker is interfering with backups, starting with targeting any online backups.
"They are also booby-trapping the backup mechanisms. They are saying, 'Oh, these backups are online; we'll just delete them,' so you can't just go back to your backups easily. Now of course all of us would, in a perfect world, we all know that you should never keep your backups onli... Well, let's be honest about what happens in the real world," Wisniewski quipped.
The size of the ransom is also unusual. Wisniewski said that early ransomware actors found the "sweet spot" for ransoms on individual computers to be about $700. "Seven hundred dollars is worth your family photos; a thousand is too much," he said.
The SamSam ransom is much higher, in part because the attackers target entire networks rather than individual systems. The earliest victims faced ransoms of around $20,000 in 2016, but the amount is progressing steadily upward, with the highest payoff discovered so far by Sophos just over $64,000, paid late last year.
Who is behind SamSam?
While the creator and perpetrator of the SamSam ransomware remains unknown, the Sophos report suggests a single threat actor, rather than a group of cybercriminals, is behind the campaign. "The consistency of language across ransom notes, payment sites, and sample files, combined with how their criminal knowledge appears to have developed over time, suggests that the attacker is an individual working alone," the report states. "This belief is further supported by the attacker's ability not to leak information and to remain anonymous, a task made more difficult when multiple people are involved."
Wisniewski added the timing of SamSam activity indicates a single threat actor is responsible for the ransomware campaign; according to the report, 94% of the infections occurred during a specific 16-hour period.
The SamSam attacker, according to Wisniewski, is likely highly competent. Mapping out the approach to a typical victim, he said the attacker likely enters a network through a well-known vulnerability like the one reported in JBoss software in 2016, or through internet-facing RDP servers that can be discovered through a service like Shodan or Censys.
Once in the targeted network, Wisniewski said that the SamSam actor likely works from a script that includes scanning the network with Nmap, identifying admin accounts and analyzing the organization's Active Directory.
"That's all manual stuff. They're doing exactly what any good pen testing firm would do if they hired them," he said. "And sadly it sounds like a lot of the victims either didn't hire them or ignored their pen test report."
Defending against SamSam ransomware
While organizations should not let up on their efforts to fight phishing, Wisniewski pointed out that any organization -- not just those in healthcare, government or education -- are in the cross hairs, so every organization should be wary.
"If you think your company can fall victim to this because your externally facing systems are a little too open to the remote desktop protocol or you're still waiting 90 days to apply your patches because somehow you think that that's a good idea," Wisniewski said, "you'd better be thinking twice about it because you could be the next victim very easily even if you're not in healthcare or government because we can see that the private sector companies -- and I can't blame them -- aren't telling anybody that they've been hit."
Mark Mager, senior malware researcher at Endgame Inc., a cybersecurity company headquartered in Arlington, Va., said via email: "In order to adequately defend against ransomware such as SamSam, organizations should employ an effective endpoint protection platform across their network, minimize the number of hosts exposed to the Internet, and employ secure configurations with multifactor authentication and strong passwords for any remote access services. Maintaining schedules for regular software updates and offline critical data backups are also best practices that should be followed."
Noting that the SamSam ransomware attacks "rely on a variety of exploits and network service password brute-forcing techniques to gain initial access to victim networks, and spread automatically from there," Tod Beardsley, director of research at Rapid7, added that since SamSam has not yet been observed to use unpatched vulnerabilities to exploit networks, "the best defense against SamSam is to keep up on patch and vulnerability management, especially for internet-facing assets."