
7/31/2018
09:35 AM
Scott Ferguson
News Analysis-Security Now

SamSam Ransomware Nears $6M Mark in Ill-Gotten Gains

For the past three years, the person or persons behind the SamSam ransomware have targeted hospitals and healthcare organizations, as well as the city of Atlanta, and have collected nearly $6 million in illicit funds, according to research from Sophos.

For the past three years, the group behind SamSam ransomware has aimed its attacks at hospitals and healthcare organizations, as well as public entities such as the city of Atlanta, and has collected nearly $6 million in illicit gains in doing so, according to new research from Sophos.

In the past seven months, the group behind SamSam has averaged about $300,000 per month in ransom, with the highest single payout topping $64,000.

These and other findings are part of a report Sophos released on Tuesday that details the methods behind this particular ransomware attack, and some of the motivations of the person or persons behind it.

Although SamSam has been associated with attacks on healthcare and hospitals, as well as public entities, Sophos researchers believe that other organizations have also been targeted, but have not been as public about the attacks. The report finds that about half of the victims have remained silent.

"From the victims we have identified 50% are in the private sector, with none of them going public. We do not believe this is specifically targeted against healthcare," Peter Mackenzie, the Global Malware Escalation Manager at Sophos, wrote in an email to Security Now.

What makes SamSam different from other types of well-known ransomware, such as WannaCry, is that it's carefully deployed at specific targets instead of being used in "drive-by attacks" meant to cause major disruptions. Also, the underlying software in SamSam is not based on EternalBlue exploits, but uses more conventional open source tools that have been manipulated in order to steal passwords or move the ransomware around the network. (See WannaCry: How the Notorious Worm Changed Ransomware.)

"This is not related to EternalBlue or any of the other vulnerabilities disclosed with it," Mackenzie wrote. "We believe that the majority of the malicious files were created by the attacker themselves, while also utilizing publicly available hacking tools such as Mimikatz. It is important to understand that SamSam does not spread like WannaCry (it is not a worm/virus) instead it is deployed like a legitimate application."

The July 31 Sophos report finds that a SamSam attack starts with a Remote Desktop compromise of a specific machine within the enterprise network. The attacker has also deployed exploits against vulnerable machines to perform remote code execution.

Here, Sophos finds that the group behind SamSam uses more purposeful and targeted methods to attack networks. The researchers found that attacks usually begin in the middle of the night when system admins and the security team are asleep or off-duty and not paying attention to the network.
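A defender can turn those two observations (Remote Desktop as the entry point, activity in the middle of the night) into a simple log check. The following is an added example, not code from the Sophos report or this article; the record layout, staffed hours, threshold and all sample events are assumptions constructed for illustration.

```python
from datetime import datetime

# Constructed sample records (not from the Sophos report). Windows Security
# log semantics: 4624 = logon success, 4625 = logon failure, LogonType 10 =
# RemoteInteractive (Remote Desktop). Failed RDP attempts are often logged as
# LogonType 3 when Network Level Authentication is on, so both are counted.
SAMPLE_EVENTS = [
    {"time": "2018-07-30T14:05:11", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src": "10.0.4.21"},
    {"time": "2018-07-31T02:11:40", "event_id": 4625, "logon_type": 3, "user": "administrator", "src": "203.0.113.50"},
    {"time": "2018-07-31T02:11:52", "event_id": 4625, "logon_type": 3, "user": "administrator", "src": "203.0.113.50"},
    {"time": "2018-07-31T02:12:03", "event_id": 4625, "logon_type": 3, "user": "administrator", "src": "203.0.113.50"},
    {"time": "2018-07-31T02:12:30", "event_id": 4624, "logon_type": 10, "user": "administrator", "src": "203.0.113.50"},
    {"time": "2018-07-31T23:40:00", "event_id": 4624, "logon_type": 10, "user": "backupsvc", "src": "10.0.4.30"},
]

STAFFED_HOURS = range(7, 20)   # assumption: 07:00-19:59 local, Mon-Fri
FAILURE_THRESHOLD = 3          # assumption: failures that suggest guessing
WINDOW_SECONDS = 30 * 60       # look-back window for prior failures


def is_off_hours(ts):
    """True on weekends or outside the staffed hours."""
    return ts.weekday() >= 5 or ts.hour not in STAFFED_HOURS


def find_suspicious_rdp_logons(events):
    """Return off-hours RDP logon successes with prior failures per source."""
    failures, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["event_id"] == 4625 and ev["logon_type"] in (3, 10):
            failures.setdefault(ev["src"], []).append(ts)
        elif ev["event_id"] == 4624 and ev["logon_type"] == 10 and is_off_hours(ts):
            recent = [f for f in failures.get(ev["src"], [])
                      if (ts - f).total_seconds() <= WINDOW_SECONDS]
            alerts.append({
                "time": ev["time"], "user": ev["user"], "src": ev["src"],
                "prior_failures": len(recent),
                "severity": "high" if len(recent) >= FAILURE_THRESHOLD else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_rdp_logons(SAMPLE_EVENTS):
        print(alert)
```

The daytime logon is ignored, the 02:12 logon that follows three failures from the same source is rated high, and the late-night service-account logon is rated medium for review.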

What also makes SamSam particularly difficult to stop is that once inside the network the malware encrypts not only document files, images and other data essential to running the business, but also the platforms that run the applications, such as Microsoft Office.

Additionally, SamSam contains a hardcoded list of file extensions that target specific files. The malware will then encrypt those files before any others, which shows the group targets specific victims. Over the years, those behind SamSam have also gotten better at avoiding endpoint security.

Once the ransomware starts and the files are encrypted, the victim is directed to a "payment site" on the Dark Web, where the person or persons behind the attack demand ransom in the form of Bitcoin. The cryptocurrency is later laundered to help the attackers hide their gains.

These methods have netted about $5.9 million in Bitcoin since SamSam was first spotted in the wild in 2015, according to Sophos's calculations and research.



In his email, Mackenzie noted that the group behind SamSam is either a single person or a very small group of attackers. It appears the group are English speakers based on ransom messages, and that about 74% of attacks have occurred in the US, although organizations in the UK, Canada and Middle East have also been targeted.

"We believe this to be one person or a small group. Due to the similarity in all the attacks, the language used on ransom notes, help files and communication with the victims. As well as the fact that they have managed to stay anonymous for 2 and a half years," Mackenzie wrote.

Reports about SamSam have surfaced on and off again for the last three years, although the ransomware was recently in the news with an attack against Atlanta, which has cost the city over $2 million so far.

The group behind SamSam might have also targeted Baltimore's 911 system earlier this year, but Sophos could not confirm that specific attack. (See Atlanta, Baltimore Ransomware Attacks Show Government Agencies' Vulnerabilities.)


— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.
