Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Ransomware

// // //
7/31/2018
09:35 AM
Scott Ferguson
Scott Ferguson
News Analysis-Security Now

SamSam Ransomware Nears $6M Mark in Ill-Gotten Gains

For the past three years, the person or persons behind the SamSam ransomware have targeted hospitals, healthcare organizations, as well as the city of Atlanta, and have collected nearly $6 million in illicit funds, according to research from Sophos.

For the past three years, the group behind SamSam ransomware has targeted their attacks at hospitals and healthcare organizations, as well as public entities such as the city of Atlanta, and has collected nearly $6 million in illicit gains in doing so, according to new research from Sophos.

In the past seven months, the group behind SamSam has averaged about $300,000 per month in ransom, with the highest single payout topping $64,000.

These and other findings are part of a report Sophos released on Tuesday that details the methods behind this particular ransomware attack, and some of the motivations of the person or persons behind it.

Although SamSam has been associated with attacks on healthcare and hospitals, as well as public entities, Sophos researchers believe that other organizations have also been targeted, but have not been as public about the attacks. The report finds that about half the number of victims have remained silent.

SamSam Timeline\r\n(Source: Sophos)\r\n
SamSam Timeline
\r\n(Source: Sophos)\r\n

"From the victims we have identified 50% are in the private sector, with none of them going public. We do not believe this is specifically targeted against healthcare," Peter Mackenzie, the Global Malware Escalation Manager at Sophos, wrote in an email to Security Now.

What makes SamSam different than other types of well-known ransomware, such as WannaCry, is that it's carefully deployed at specific targets instead of being used in "drive-by attacks" meant to cause major disruptions. Also, the underlying software in SamSam is not based on EternalBlue exploits, but uses more conventional open source tools that have been manipulated in order to steal passwords or move the ransomware around the network. (See WannaCry: How the Notorious Worm Changed Ransomware.)

"This is not related to EternalBlue or any of the other vulnerabilities disclosed with it," Mackenzie wrote. "We believe that the majority of the malicious files were created by the attacker themselves, while also utilizing publicly available hacking tools such as Mimikatz. It is important to understand that SamSam does not spread like WannaCry (it is not a worm/virus) instead it is deployed like a legitimate application."

The July 31 Sophos report finds that a SamSam attack starts with a Remote Desktop compromise of a specific machine within the enterprise network. The attacker has also deployed exploits at vulnerable machines to perform remote code execution.

Here, Sophos finds that the group behind SamSam uses more purposeful and targeted methods to attack networks. The researchers found that attacks usually begin in the middle of the night when system admins and the security team are asleep or off-duty and not paying attention to the network.

What also makes SamSam particularly difficult to stop is that once inside the network the malware not only encrypts document files, images and other data that is essential to the running of the business, but also the platforms that run the applications, such as Microsoft Office.

Additionally, SamSam contains a hardcoded list of file extensions that target specific files. The malware will then encrypt those files before any others, which shows the group targets specific victims. Over the years, those behind SamSam have also gotten better at avoiding endpoint security.

(Source: Sophos)\r\n
(Source: Sophos)\r\n

Once the ransomware starts and the files are encrypted, the victim is directed to a "payment site" on the Dark Web, where the person or persons behind the attack demand ransom in the form of Bitcoin. The cryptocurrency is later laundered to help the attackers hide their gains.

These methods have netted about $5.9 million in Bitcoin since SamSam was first spotted in the wild in 2015, according to Sophos's calculations and research.


Zero in on the most attractive 5G NR deployment strategies, and take a look ahead to later technology developments and service innovations. Join us for the Deployment Strategies for 5G NR breakfast workshop in LA at MWCA on September 12. Register now to learn from and network with industry experts – communications service providers get in free!

In his email, Mackenzie noted that the group behind SamSam is either a single person or a very small group of attackers. It appears the group are English speakers based on ransom messages, and that about 74% of attacks have occurred in the US, although organizations in the UK, Canada and Middle East have also been targeted.

"We believe this to be one person or a small group. Due to the similarity in all the attacks, the language used on ransom notes, help files and communication with the victims. As well as the fact that they have managed to stay anonymous for 2 and a half years," Mackenzie wrote.

Reports about SamSam have surfaced on and off again for the last three years, although the ransomware was recently in the news with an attack against Atlanta, which has cost the city over $2 million so far. (See Unknown Document 734998.)

The group behind SamSam might have also targeted Baltimore's 911 system earlier this year, but Sophos could not confirm that specific attack. (See Atlanta, Baltimore Ransomware Attacks Show Government Agencies' Vulnerabilities.)

Related posts:

— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Developing and Testing an Effective Breach Response Plan
Whether or not a data breach is a disaster for the organization depends on the security team's response and that is based on how the team developed a breach response plan beforehand and if it was thoroughly tested. Inside this report, experts share how to: -understand the technical environment, -determine what types of incidents would trigger the plan, -know which stakeholders need to be notified and how to do so, -develop steps to contain the breach, collect evidence, and initiate recovery.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-23485
PUBLISHED: 2022-12-10
Sentry is an error tracking and performance monitoring platform. In versions of the sentry python library prior to 22.11.0 an attacker with a known valid invite link could manipulate a cookie to allow the same invite link to be reused on multiple accounts when joining an organization. As a result an...
CVE-2022-23510
PUBLISHED: 2022-12-09
cube-js is a headless business intelligence platform. In version 0.31.23 all authenticated Cube clients could bypass SQL row-level security and run arbitrary SQL via the newly introduced /v1/sql-runner endpoint. This issue has been resolved in version 0.31.24. Users are advised to either upgrade to ...
CVE-2022-23497
PUBLISHED: 2022-12-09
FreshRSS is a free, self-hostable RSS aggregator. User configuration files can be accessed by a remote user. In addition to user preferences, such configurations contain hashed passwords (brypt with cost 9, salted) of FreshRSS Web interface. If the API is used, the configuration might contain a hash...
CVE-2022-34297
PUBLISHED: 2022-12-09
Yii Yii2 Gii through 2.2.4 allows stored XSS by injecting a payload into any field.
CVE-2022-45292
PUBLISHED: 2022-12-09
User invites for Funkwhale v1.2.8 do not permanently expire after being used for signup and can be used again after an account has been deleted.