Inside a SamSam Ransomware Attack

Here's how hackers use network tools and stolen identities to turn a device-level compromise into an enterprise-level takedown.

Ajit Sancheti, CEO and Co-Founder, Preempt

June 20, 2018

5 Min Read

Hospitals, municipal governments, and schools are bracing themselves, anxiously aware that they could be the next target of SamSam ransomware's ongoing campaign of destruction and extortion.

According to an updated warning issued by the US Department of Health and Human Services, a new variant of SamSam (also referred to as SamSa and Samas) has been deployed in more than eight unique cyberattacks in the United States so far in 2018. These include an industrial controls system (ICS), two hospitals, the City of Atlanta, and the Colorado Department of Transportation. Colorado DOT was attacked twice; it took six weeks, millions of dollars, and hundreds of cybersecurity specialists, including the FBI, to get the department (2,000 computers) back to 80% functionality. What would happen to organizations with fewer resources in the aftermath of a SamSam hit?

In the latest reported attack, an Indiana healthcare provider network discovered it had been compromised on May 17 and is now working with the FBI; it did not disclose whether it paid the ransom. Indeed, many public-sector victims decide it is better to concede to hacker demands immediately than to risk extended recovery time (not to mention complications). As dependency on real-time data and networked systems becomes the norm, recovery speed is critical. Ransomware exploits this vulnerability for straightforward financial gain.

SamSam and its variants, active since 2016, have evident commonalities; as more attacks are investigated, we have gained insight into their tactics. SamSam campaigns do not target the most lucrative enterprises. Instead, they extort organizations that have a near-zero tolerance for downtime: public-facing civil sector and healthcare organizations. The pressure is on when lives, physical health, critical infrastructure, and public safety are at risk. The longer it takes, the higher the stakes.

Assume Breach
While regular patching, security updates, and consistent monitoring can be effective defenses, let's assume the obvious: The perimeter will eventually be breached. SamSam attackers specialize in scanning for exploits and known vulnerabilities — public network protocols, in particular — when targeting a victim. An analysis of SamSam incidents suggests that the ransomware is "typically deployed after the threat actors have exploited known vulnerabilities on perimeter systems to gain access to a victim's network."

The hackers behind SamSam are sophisticated and appear to be learning more tricks as they go along. Their latest scheme is to spread thousands of copies of malware on a single network all at once and then demand "per computer" or "volume discount" ransom amounts to fix what they've broken.

Let's take a closer look at how ransomware attackers use network tools and stolen identities once they are inside the network to turn a device-level compromise into an enterprise-level takedown. According to the Verizon 2018 Data Breach Investigations Report, the use of stolen credentials is the No. 1 most common action attackers take during a successful breach. Privilege misuse is fourth on the list.

SamSam follows this playbook. It uses tools such as Mimikatz to steal valid user credentials and common IT management tools to move malware to new hosts. Attackers and their malware are increasingly reliant on Mimikatz and other common tools, such as PsExec — associated with everything from PoS malware to webshells — to spread through a network and do damage. Once hackers have compromised a set of privileged credentials, they use the stolen identity to access additional assets in the network. Next, attackers use legitimate administrator tools, such as PsExec or WMIexec, to remotely run code on additional machines.

Hacker Innovation
When it comes to stringing together vulnerabilities to avoid detection, prolong dwell time, and infect larger numbers of machines, hackers are innovative. For example, Remote Desktop Protocol (RDP), a standard Microsoft component, has been identified as a weak point that hackers seek because it provides an easy channel of attack. All they have to do is crack the password, and they are free to move laterally, execute malware, and encrypt data.

Likewise, hackers leverage vulnerabilities in Microsoft's credential protocol (CredSSP), along with RDP and distributed computing environment/remote procedure call (DCE/RPC) application services, in much the same way. RDP is so handy that hackers have created databases containing the location and attributes of systems running RDP and sell the records to other bad actors.

These tools are hard to blacklist, let alone control. For example, Mimikatz relies on Windows NT LAN Manager (NTLM) for techniques such as pass-the-hash. The challenge for IT teams is that, by design, virtually any Windows protocol can be downgraded to NTLM. Tools like PsExec use a remote procedure call (RPC), which is also historically difficult to control inside most enterprises.

The good news is that innovations now make it possible for organizations to directly analyze these protocols, see abnormalities, and challenge them in real time. For example, suspicious internal traffic could trigger a multifactor authentication challenge the user has to pass before access is granted. By controlling these protocols, admins can disable the skeleton key tools that attackers use to steal identity and spread to new machines. It may not be possible to prevent every infection, but it's always better to catch them early and box them in. There's no reason to make it easy for the bad guys to take down the entire organization.

SamSam relies on known vulnerabilities. To defend your organization, don't forget security basics. Make sure patching and configuration are up to date. Keep passwords strong and change them often. Limit privileged accounts and use vulnerable protocols only when necessary. Segment networks to contain damage and ease recovery.

Most importantly, focus on what's happening inside your network in real time. Monitor and control access to legitimate credentials and network tools by detecting anomalous patterns and challenging abnormal use. That will make SamSam and its variants ineffective or, at a minimum, keep them from spreading like slime mold through your network.
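As an added example (not code from the article or from Preempt), the following Python sketch shows the kind of detection-and-challenge logic this paragraph and the earlier one on Mimikatz and PsExec describe. It runs over a handful of constructed, SIEM-normalized Windows Security records, flags an account that authenticates over NTLM to many hosts within a short window and a PsExec-style remote service installation, and turns the findings into a step-up MFA or containment decision. Event IDs 4624 and 7045 and the PSEXESVC service name are real Windows artifacts; the field names, host names, account names and thresholds are assumptions for the example.

```python
"""Added example, not from the article or from Preempt: detection logic over
constructed Windows Security log records, flagging (a) one account fanning out
over NTLM to many hosts in a short window and (b) a PsExec-style remote service
install, and turning the findings into a challenge-or-contain decision."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (assumption: a SIEM has normalized the logs to
# these fields). Real Windows event IDs: 4624 = successful logon (LogonType 3
# is a network logon), 7045 = a new service was installed on the host.
SAMPLE_EVENTS = [
    # Normal: helpdesk user reaching one file server with Kerberos.
    {"time": "2018-06-20T09:00:00", "id": 4624, "user": "jdoe", "src": "WS-0114",
     "dst": "FS-01", "auth": "Kerberos", "logon_type": 3},
    {"time": "2018-06-20T09:05:00", "id": 4624, "user": "jdoe", "src": "WS-0114",
     "dst": "FS-01", "auth": "Kerberos", "logon_type": 3},
    # Service account's usual morning job, hours before the burst below.
    {"time": "2018-06-20T08:00:00", "id": 4624, "user": "svc_backup", "src": "BK-01",
     "dst": "FS-01", "auth": "Kerberos", "logon_type": 3},
]
# Late-night burst: the same service account authenticates over NTLM from a
# workstation to six different hosts in six minutes, then a service named
# PSEXESVC (PsExec's default) appears on one of them.
for i in range(6):
    SAMPLE_EVENTS.append({"time": f"2018-06-20T23:1{i}:00", "id": 4624, "user": "svc_backup",
                          "src": "WS-0231", "dst": f"WS-030{i + 1}", "auth": "NTLM", "logon_type": 3})
SAMPLE_EVENTS.append({"time": "2018-06-20T23:14:30", "id": 7045, "user": "svc_backup",
                      "src": "WS-0231", "dst": "WS-0305", "service": "PSEXESVC"})

# Service names worth flagging when they appear in a 7045 event; PSEXESVC is
# PsExec's default. Extend the set from your own telemetry.
SUSPICIOUS_SERVICES = {"PSEXESVC"}


def fan_out_alerts(events, window_minutes=10, threshold=5):
    """Return {user: summary} for accounts whose network logons reach at least
    `threshold` distinct destination hosts inside a sliding time window."""
    window = timedelta(minutes=window_minutes)
    logons = sorted((e for e in events if e["id"] == 4624 and e.get("logon_type") == 3),
                    key=lambda e: e["time"])
    history = defaultdict(list)   # user -> [(time, dst, auth), ...] inside the window
    alerts = {}
    for e in logons:
        t = datetime.fromisoformat(e["time"])
        hist = history[e["user"]]
        hist.append((t, e["dst"], e["auth"]))
        while hist and t - hist[0][0] > window:   # expire entries older than the window
            hist.pop(0)
        hosts = {dst for _, dst, _ in hist}
        if len(hosts) >= threshold:
            prev = alerts.get(e["user"])
            if prev is None or len(hosts) > prev["hosts"]:
                alerts[e["user"]] = {"hosts": len(hosts),
                                     "auth": sorted({auth for _, _, auth in hist}),
                                     "last_seen": e["time"]}
    return alerts


def remote_service_alerts(events):
    """Return (user, host, service) for 7045 events naming a suspicious service."""
    return [(e["user"], e["dst"], e["service"]) for e in events
            if e["id"] == 7045 and e.get("service", "").upper() in SUSPICIOUS_SERVICES]


def triage(events):
    """Decide per account: step-up MFA on fan-out alone (keeps legitimate admin
    work flowing), contain when a remote service install rides on top of it."""
    fan = fan_out_alerts(events)
    actions = {user: "challenge_mfa" for user in fan}
    for user, _host, _svc in remote_service_alerts(events):
        actions[user] = "contain_and_investigate" if user in fan else "challenge_mfa"
    return actions


if __name__ == "__main__":
    for user, summary in fan_out_alerts(SAMPLE_EVENTS).items():
        print(f"fan-out: {user} reached {summary['hosts']} hosts via {summary['auth']}")
    for user, host, svc in remote_service_alerts(SAMPLE_EVENTS):
        print(f"remote service: {svc} installed on {host} as {user}")
    print("actions:", triage(SAMPLE_EVENTS))
```

The sliding window is what separates the service account's normal morning job from the late-night burst: the earlier Kerberos logon falls out of the window before the NTLM fan-out is counted, so the same account is judged on its recent behaviour rather than its whole history. The triage step deliberately answers fan-out alone with a challenge rather than a block, since a real administrator pushing an update can trip the same count.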


About the Author(s)

Ajit Sancheti

CEO and Co-Founder, Preempt

Ajit Sancheti is CEO and co-founder of Preempt. He has over 20 years in IT security and executive leadership. Previously, he co-founded Mu Dynamics (acquired by Spirent Communications) and held various management roles. Before Mu Dynamics, Ajit was part of the corporate development group at Juniper Networks and an integral member of the team that developed the industry's first intrusion detection and prevention system at OneSecure (acquired by NetScreen). Prior to OneSecure, he spent seven years at Western Digital, holding various engineering and management positions. Ajit received his M.S. in Engineering from the University of Massachusetts, Amherst, and his MBA from INSEAD, France.
