Security vendor Sophos has detected a very lucrative piece of ransomware it has named SamSam. It is a closely controlled attack that has earned $5.88 million. In fact, by the time you read this article, it will have exceeded $6 million.
The attacks have focused mainly on the US (74%) with the UK (8%) and Belgium (6%) the next biggest targets.
The ransomware has evolved over the last 30 months and become much harder to detect. This shows more than average sophistication on the part of the author(s). It does not spread through spam or phishing attacks. Instead, the attackers personally attack the target, looking for an insecure point of access. Once inside, they spread across the network.
A SamSam infection is highly effective. It targets Windows-based computers with .NET installed. It encrypts data files as well as those that are essential to the operating system. This requires a full restore of the system and the data. Recovering from an attack is extremely difficult.
Once a victim has paid up, SamSam deletes most of its files from the system, making it very hard for security companies to trace. The authors also promise that they won’t attack the same victim again.
Enterprise Times talked to Peter Mackenzie, Global Malware Escalations Manager, Sophos about the SamSam research.
Who is under attack?
According to Mackenzie: “The typical victim is a medium-to-large public-sector organisation. They are in healthcare, education and local government.” Mackenzie says we know this because of the public disclosures that have been made. This requirement to disclose could also explain why we are seeing more attacks in the US than elsewhere. Public disclosures cover only 37% of the known SamSam victims identified by Sophos.
All of this raises questions as to why victims are staying silent. The attackers have made it clear that they will not attack a victim a second time, and there is no evidence that they have broken this agreement. Victims could be worried about the publicity. Alternatively, it could be that, having paid a ransom, they don’t want to suggest to other hackers that they are an easy mark.
How does SamSam attack?
Put simply, through poor cyber hygiene. Mackenzie told us that: “The attackers look for publicly exposed Remote Desktop Protocol ports.” He also said: “It is likely they are using services such as Shodan and Censys.” Both of these search engines make it easy to find vulnerable machines that can then be targeted with an attack. Another possibility that Mackenzie suggested is that they are purchasing security credentials from the Dark Net.
Having identified potential targets, SamSam launches a brute force attack. As the number of failed password attempts rises, this should set off cyber security alarms. An alternative route is buying in RDP credentials from third parties.
Once the attacker has a bridgehead on a machine, the attack on the network begins. It uses both commercial and open source administration and password stealing tools. Mackenzie points out that: “the goal is to gain access to domain administrator accounts either directly or through privilege escalation.” These accounts allow the attacker to install SamSam and other ransomware installers. They also enable the attacker to disable local software security tools or, at the least, mark some locations as safe.
The attacker then enumerates the network, creating a list of all machines it can access. It looks for Windows servers in particular and attempts to take control of them. It then enumerates a wider set of targets inside the enterprise.
This attack is carried out by the SamSam author(s) only. It is not available as Ransomware-as-a-Service. SamSam deletes itself from the host once the attack is over. This approach means that it is hard for security vendors to obtain copies of the code.
One oddity is the time of day at which attacks are mounted. They appear to be timed to avoid peak working hours and instead hit at night.
Follow the money
The SamSam authors demand payment in Bitcoin. They include instructions on how to buy Bitcoin and the wallet into which payment has to be made. Mackenzie said that: “Sophos has identified over 246 Bitcoin addresses used by SamSam.” The attackers appear to create a new address for each victim.
Not all the Bitcoin addresses have been used. Mackenzie told us that “So far 156 have been used and 89 remain untouched.” This could be because victims refused to pay or because those addresses have yet to be used. The addresses all point to just three separate Bitcoin wallets. All the addresses and wallets appear to be unique to SamSam. This implies that the attackers have no interest in any other malware at all. “Since SamSam v3 appeared in October 2017,” Mackenzie said, “the attackers have used just 5 or 6 Bitcoin addresses.”
Tracking the money beyond the initial wallets is difficult. Many people don’t realise that all a Bitcoin wallet does is hide the identity of its owner. Every wallet is public, and the movement of Bitcoin in and out of wallets has allowed law enforcement to track users for some time.
In this case, Bitcoin is taken out of the wallet and tumbled. This technique launders Bitcoin through multiple mixers until the coins, now completely anonymous, are placed into a receiving wallet. So far, neither Neutrino nor Sophos has been able to trace the final wallet(s).
To date, the maximum amount of money from any single victim is $64,000. The most profitable month was December 2017 when SamSam made $505,000 from just 10 paying victims. The amount of money reflects the value of Bitcoin over time. In December 2016, 19 victims paid £365,000. Christmas is a good time for SamSam.
How can you protect yourself?
Sophos has provided an extensive list of ways that SamSam can be detected and stopped. These are generally common sense and should already be in place. However, as SamSam and other malware show, there is a significant security gap between what should be in place and what is in place.
If you study the methodology, there are several points at which basic security measures can stop the SamSam attacker:
- Restrict access to port 3389 (RDP) by only allowing staff who use a VPN to remotely access any systems. Use multi-factor authentication for VPN access
- Complete, regular vulnerability scans and penetration tests across the network; if you haven’t followed through on recent pen-testing reports, do it now
- Multi-factor authentication for sensitive internal systems, even for employees on the LAN or VPN
- Create back-ups that are offline and offsite and develop a disaster recovery plan that covers the restoration of data and whole systems
In addition to the Sophos recommendations, regular monitoring of security alerts should take place. This can be done through Security Information and Event Management (SIEM) solutions. Any unexpected increase in password failures should trigger an alert as it indicates a brute force attack.
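The brute-force stage described above, and the alerting this paragraph calls for, can be checked against exported Windows Security log data. The following is an added example written for this article, not code from Sophos or from the SamSam research: it assumes failed-logon events have been exported from the Security log as one JSON object per line with the field names shown in the constructed sample (they mirror those of Windows event 4625, where LogonType 10 is RemoteInteractive, i.e. RDP). It counts RDP logon failures per source address over a sliding ten-minute window and raises one alert per address the first time the threshold is crossed. The timestamps and addresses in the sample are constructed.

```python
"""Detect RDP brute-force activity in exported Windows Security events.

Added example, not part of the article or the Sophos research.
Assumes one JSON object per line with the fields shown in SAMPLE_EVENTS.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: six RDP failures from 203.0.113.10 against the same
# account within six minutes, one local (LogonType 2) failure, and a
# single RDP failure followed by a success (4624) from 198.51.100.7.
SAMPLE_EVENTS = """
{"TimeCreated": "2018-07-31T02:14:05", "EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "203.0.113.10"}
{"TimeCreated": "2018-07-31T02:14:09", "EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "203.0.113.10"}
{"TimeCreated": "2018-07-31T02:14:31", "EventID": 4625, "LogonType": 2, "TargetUserName": "jsmith", "IpAddress": "127.0.0.1"}
{"TimeCreated": "2018-07-31T02:15:12", "EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "203.0.113.10"}
{"TimeCreated": "2018-07-31T02:15:40", "EventID": 4625, "LogonType": 10, "TargetUserName": "jsmith", "IpAddress": "198.51.100.7"}
{"TimeCreated": "2018-07-31T02:16:02", "EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "203.0.113.10"}
{"TimeCreated": "2018-07-31T02:17:45", "EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "203.0.113.10"}
{"TimeCreated": "2018-07-31T02:18:03", "EventID": 4624, "LogonType": 10, "TargetUserName": "jsmith", "IpAddress": "198.51.100.7"}
{"TimeCreated": "2018-07-31T02:19:20", "EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "203.0.113.10"}
"""

FAILED_LOGON = 4625      # Windows Security event: an account failed to log on
RDP_LOGON_TYPE = 10      # RemoteInteractive (Terminal Services / RDP)
FAILURE_THRESHOLD = 5    # failures per source address within WINDOW (assumed tuning value)
WINDOW = timedelta(minutes=10)


def parse_events(text):
    """Parse newline-delimited JSON events and return them sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["TimeCreated"] = datetime.fromisoformat(rec["TimeCreated"])
        events.append(rec)
    events.sort(key=lambda r: r["TimeCreated"])
    return events


def detect_rdp_bruteforce(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return one alert per source IP the first time it reaches `threshold`
    RDP logon failures inside a sliding `window`."""
    recent = defaultdict(deque)   # source IP -> deque of (time, username)
    alerted = set()
    alerts = []
    for ev in events:
        if ev.get("EventID") != FAILED_LOGON or ev.get("LogonType") != RDP_LOGON_TYPE:
            continue              # ignore successes and non-RDP logon types
        ip, now = ev["IpAddress"], ev["TimeCreated"]
        q = recent[ip]
        q.append((now, ev["TargetUserName"]))
        while q and now - q[0][0] > window:
            q.popleft()           # drop failures older than the window
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            users = sorted({u for _, u in q})
            alerts.append({
                "source_ip": ip,
                "failures": len(q),
                "window_start": q[0][0].isoformat(),
                "window_end": now.isoformat(),
                "usernames": users,
                # many accounts with few tries each looks like spraying;
                # one account hammered repeatedly looks like a brute force
                "pattern": "password spraying" if len(users) > 1 else "single-account brute force",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert, indent=2))
```

In a SIEM the same logic is usually expressed as a correlation rule (count of event 4625 with LogonType 10 grouped by source address over a time window); the threshold and window here are placeholders to be tuned against the normal failure rate of the environment. Note that, as the article says, attackers who buy valid RDP credentials never trip this rule, which is why the VPN and multi-factor authentication recommendations above matter as much as the alerting.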
What does this mean?
Attackers are getting smarter. What is especially interesting here is that there is no evidence of the SamSam author(s) before this attack. In addition, the software is written in Microsoft .NET, not Java like the majority of malware. The suggestion from Mackenzie is that SamSam has been written by somebody new to hacking. Given the care taken and the sophistication of the code, it is not fair to call them an amateur. In fact, their approach is just as professional as, if not more so than, that of many experienced hackers.
The creator(s) of SamSam are not being greedy. Just over $2 million per year might seem a lot, but it is far from the levels that other malware generates. It is almost as if this is about maintaining a lifestyle while staying under the radar of the authorities.