Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Ransomware

7/31/2018
09:35 AM
Scott Ferguson
Scott Ferguson
News Analysis-Security Now
50%
50%

SamSam Ransomware Nears $6M Mark in Ill-Gotten Gains

For the past three years, the person or persons behind the SamSam ransomware have targeted hospitals, healthcare organizations, as well as the city of Atlanta, and have collected nearly $6 million in illicit funds, according to research from Sophos.

For the past three years, the group behind SamSam ransomware has targeted their attacks at hospitals and healthcare organizations, as well as public entities such as the city of Atlanta, and has collected nearly $6 million in illicit gains in doing so, according to new research from Sophos.

In the past seven months, the group behind SamSam has averaged about $300,000 per month in ransom, with the highest single payout topping $64,000.

These and other findings are part of a report Sophos released on Tuesday that details the methods behind this particular ransomware attack, and some of the motivations of the person or persons behind it.

Although SamSam has been associated with attacks on healthcare and hospitals, as well as public entities, Sophos researchers believe that other organizations have also been targeted, but have not been as public about the attacks. The report finds that about half the number of victims have remained silent.

SamSam Timeline\r\n(Source: Sophos)\r\n
SamSam Timeline
\r\n(Source: Sophos)\r\n

"From the victims we have identified 50% are in the private sector, with none of them going public. We do not believe this is specifically targeted against healthcare," Peter Mackenzie, the Global Malware Escalation Manager at Sophos, wrote in an email to Security Now.

What makes SamSam different than other types of well-known ransomware, such as WannaCry, is that it's carefully deployed at specific targets instead of being used in "drive-by attacks" meant to cause major disruptions. Also, the underlying software in SamSam is not based on EternalBlue exploits, but uses more conventional open source tools that have been manipulated in order to steal passwords or move the ransomware around the network. (See WannaCry: How the Notorious Worm Changed Ransomware.)

"This is not related to EternalBlue or any of the other vulnerabilities disclosed with it," Mackenzie wrote. "We believe that the majority of the malicious files were created by the attacker themselves, while also utilizing publicly available hacking tools such as Mimikatz. It is important to understand that SamSam does not spread like WannaCry (it is not a worm/virus) instead it is deployed like a legitimate application."

The July 31 Sophos report finds that a SamSam attack starts with a Remote Desktop compromise of a specific machine within the enterprise network. The attacker has also deployed exploits at vulnerable machines to perform remote code execution.

Here, Sophos finds that the group behind SamSam uses more purposeful and targeted methods to attack networks. The researchers found that attacks usually begin in the middle of the night when system admins and the security team are asleep or off-duty and not paying attention to the network.

What also makes SamSam particularly difficult to stop is that once inside the network the malware not only encrypts document files, images and other data that is essential to the running of the business, but also the platforms that run the applications, such as Microsoft Office.

Additionally, SamSam contains a hardcoded list of file extensions that target specific files. The malware will then encrypt those files before any others, which shows the group targets specific victims. Over the years, those behind SamSam have also gotten better at avoiding endpoint security.

(Source: Sophos)\r\n
(Source: Sophos)\r\n

Once the ransomware starts and the files are encrypted, the victim is directed to a "payment site" on the Dark Web, where the person or persons behind the attack demand ransom in the form of Bitcoin. The cryptocurrency is later laundered to help the attackers hide their gains.

These methods have netted about $5.9 million in Bitcoin since SamSam was first spotted in the wild in 2015, according to Sophos's calculations and research.


Zero in on the most attractive 5G NR deployment strategies, and take a look ahead to later technology developments and service innovations. Join us for the Deployment Strategies for 5G NR breakfast workshop in LA at MWCA on September 12. Register now to learn from and network with industry experts – communications service providers get in free!

In his email, Mackenzie noted that the group behind SamSam is either a single person or a very small group of attackers. It appears the group are English speakers based on ransom messages, and that about 74% of attacks have occurred in the US, although organizations in the UK, Canada and Middle East have also been targeted.

"We believe this to be one person or a small group. Due to the similarity in all the attacks, the language used on ransom notes, help files and communication with the victims. As well as the fact that they have managed to stay anonymous for 2 and a half years," Mackenzie wrote.

Reports about SamSam have surfaced on and off again for the last three years, although the ransomware was recently in the news with an attack against Atlanta, which has cost the city over $2 million so far. (See Unknown Document 734998.)

The group behind SamSam might have also targeted Baltimore's 911 system earlier this year, but Sophos could not confirm that specific attack. (See Atlanta, Baltimore Ransomware Attacks Show Government Agencies' Vulnerabilities.)

Related posts:

— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-32813
PUBLISHED: 2021-08-03
Traefik is an HTTP reverse proxy and load balancer. Prior to version 2.4.13, there exists a potential header vulnerability in Traefik's handling of the Connection header. Active exploitation of this issue is unlikely, as it requires that a removed header would lead to a privilege escalation, however...
CVE-2020-19303
PUBLISHED: 2021-08-03
An arbitrary file upload vulnerability in /fileupload.php of hdcms 5.7 allows attackers to execute arbitrary code via a crafted file.
CVE-2020-19304
PUBLISHED: 2021-08-03
An issue in /admin/index.php?n=system&c=filept&a=doGetFileList of Metinfo v7.0.0 allows attackers to perform a directory traversal and access sensitive information.
CVE-2020-19305
PUBLISHED: 2021-08-03
An issue in /app/system/column/admin/index.class.php of Metinfo v7.0.0 causes the indeximg parameter to be deleted when the column is deleted, allowing attackers to escalate privileges.
CVE-2021-33335
PUBLISHED: 2021-08-03
Privilege escalation vulnerability in Liferay Portal 7.0.3 through 7.3.4, and Liferay DXP 7.1 before fix pack 20, and 7.2 before fix pack 9 allows remote authenticated users with permission to update/edit users to take over a company administrator user account by editing the company administrator us...