Ajit Sancheti
Inside a SamSam Ransomware Attack

Here's how hackers use network tools and stolen identities to turn a device-level compromise into an enterprise-level takedown.

Hospitals, municipal governments, and schools are bracing themselves, anxiously aware that they could be the next target of SamSam ransomware's ongoing campaign of destruction and extortion.

According to an updated warning issued by the US Department of Health and Human Services, a new variant of SamSam (also referred to as SamSa and Samas) has been deployed in more than eight unique cyberattacks in the United States so far in 2018. These include an industrial control system (ICS), two hospitals, the City of Atlanta, and the Colorado Department of Transportation. Colorado DOT was attacked twice; it took six weeks, millions of dollars, and hundreds of cybersecurity specialists, including the FBI, to get the department (2,000 computers) back to 80% functionality. What would happen to organizations with fewer resources in the aftermath of a SamSam hit?

In the latest reported attack, an Indiana healthcare provider network discovered it had been compromised on May 17 and is now working with the FBI; it did not disclose whether it paid the ransom. Indeed, many public-sector victims decide it is better to concede to hacker demands immediately than to risk extended recovery time (not to mention complications). As dependency on real-time data and networked systems becomes the norm, recovery speed is critical. Ransomware exploits this vulnerability for straightforward financial gain.

SamSam and its variants, active since 2016, have evident commonalities; as more attacks are investigated, we have gained insight into their tactics. SamSam campaigns do not target the most lucrative enterprises. Instead, they extort organizations that have a near-zero tolerance for downtime: public-facing civil sector and healthcare organizations. The pressure is on when lives, physical health, critical infrastructure, and public safety are at risk. The longer it takes, the higher the stakes.

Assume Breach
While regular patching, security updates, and consistent monitoring can be effective defenses, let's assume the obvious: The perimeter will eventually be breached. SamSam attackers specialize in scanning for exploits and known vulnerabilities — public network protocols, in particular — when targeting a victim. An analysis of SamSam incidents suggests that the ransomware is "typically deployed after the threat actors have exploited known vulnerabilities on perimeter systems to gain access to a victim's network."

The hackers behind SamSam are sophisticated and appear to be learning more tricks as they go along. Their latest scheme is to spread thousands of copies of malware on a single network all at once and then demand "per computer" or "volume discount" ransom amounts to fix what they've broken.

Let's take a closer look at how ransomware attackers use network tools and stolen identities once they are inside the network to turn a device-level compromise into an enterprise-level takedown. According to the Verizon 2018 Data Breach Investigations Report, the use of stolen credentials is the most common action attackers take during a successful breach. Privilege misuse is fourth on the list.

SamSam follows this playbook. It uses tools such as Mimikatz to steal valid user credentials and common IT management tools to move malware to new hosts. Attackers and their malware are increasingly reliant on Mimikatz and other common tools, such as PsExec — associated with everything from PoS malware to webshells — to spread through a network and do damage. Once hackers have compromised a set of privileged credentials, they use the stolen identity to access additional assets in the network. Next, attackers use legitimate administrator tools, such as PsExec or WMIexec, to remotely run code on additional machines.

Hacker Innovation
When it comes to stringing together vulnerabilities to avoid detection, prolong dwell time, and infect larger numbers of machines, hackers are innovative. For example, Remote Desktop Protocol (RDP), a standard Microsoft component, has been identified as a weak point that hackers seek because it provides an easy channel of attack. All they have to do is crack the password, and they are free to move laterally, execute malware, and encrypt data.

Likewise, hackers leverage vulnerabilities in Microsoft's credential protocol (CredSSP), along with RDP and distributed computing environment/remote procedure call (DCE/RPC) application services, in much the same way. RDP is so handy that hackers have created databases containing the location and attributes of systems running RDP and sell the records to other bad actors.

These tools are hard to blacklist, let alone control. For example, Mimikatz relies on Windows NT LAN Manager (NTLM) for techniques such as pass-the-hash. The challenge for IT teams is that, by design, virtually any Windows protocol can be downgraded to NTLM. Tools like PsExec use a remote procedure call (RPC), which is also historically difficult to control inside most enterprises.

The good news is that innovations now make it possible for organizations to directly analyze these protocols, see abnormalities, and challenge them in real time. For example, suspicious internal traffic could trigger a multifactor authentication challenge the user has to pass before access is granted. By controlling these protocols, admins can disable the skeleton key tools that attackers use to steal identity and spread to new machines. It may not be possible to prevent every infection, but it's always better to catch them early and box them in. There's no reason to make it easy for the bad guys to take down the entire organization.

SamSam relies on known vulnerabilities. To defend your organization, don't forget security basics. Make sure patching and configuration are up to date. Keep passwords strong and change them often. Limit privileged accounts and use vulnerable protocols only when necessary. Segment networks to contain damage and ease recovery.

Most importantly, focus on what's happening inside your network in real time. Monitor and control access to legitimate credentials and network tools by detecting anomalous patterns and challenging abnormal use. That will make SamSam and its variants ineffective or, at a minimum, keep them from spreading like slime mold through your network.
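As an added illustration of the real-time monitoring described above (not code from the article or from the author's company), the toy detector below runs over constructed Windows-style log records and flags two signals of the SamSam playbook: one account fanning out over NTLM network logons to several hosts in a short window, and a PsExec service (PSEXESVC) being installed on a target. Field names, thresholds and the sample events are all assumptions made for this example.

```python
"""Toy lateral-movement detector for the SamSam pattern described in the article.
Events below are CONSTRUCTED sample records shaped like Windows Security (4624)
and System (7045) log fields; field names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, fields)
SAMPLE_EVENTS = [
    ("2018-05-17T02:01:10", 4624, {"user": "svc_backup", "src": "WS-044", "dst": "FS-01", "logon_type": 3, "auth_pkg": "NTLM"}),
    ("2018-05-17T02:01:14", 4624, {"user": "svc_backup", "src": "WS-044", "dst": "FS-02", "logon_type": 3, "auth_pkg": "NTLM"}),
    ("2018-05-17T02:01:19", 4624, {"user": "svc_backup", "src": "WS-044", "dst": "HR-DB", "logon_type": 3, "auth_pkg": "NTLM"}),
    ("2018-05-17T02:01:25", 4624, {"user": "svc_backup", "src": "WS-044", "dst": "DC-01", "logon_type": 3, "auth_pkg": "NTLM"}),
    ("2018-05-17T02:01:30", 7045, {"host": "FS-01", "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"}),
    # A normal Kerberos logon from a workstation user; must NOT trigger an alert
    ("2018-05-17T09:15:00", 4624, {"user": "jdoe", "src": "WS-012", "dst": "FS-01", "logon_type": 3, "auth_pkg": "Kerberos"}),
]

FANOUT_THRESHOLD = 3           # distinct target hosts from one (account, source) ...
WINDOW = timedelta(minutes=5)  # ... within this sliding window (assumed tuning values)

def detect(events, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return alert strings in the order the triggering events occur."""
    alerts = []
    # (user, source host) -> recent (time, destination) NTLM network logons
    ntlm_logons = defaultdict(list)
    for ts, event_id, f in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if event_id == 4624 and f["logon_type"] == 3 and f["auth_pkg"] == "NTLM":
            key = (f["user"], f["src"])
            hist = ntlm_logons[key]
            hist.append((t, f["dst"]))
            # Drop logons that have aged out of the sliding window
            hist[:] = [(ht, d) for ht, d in hist if t - ht <= window]
            targets = {d for _, d in hist}
            if len(targets) == threshold:  # alert once, when the threshold is first crossed
                alerts.append(f"NTLM fan-out: {key[0]} from {key[1]} reached {sorted(targets)} within {window}")
        elif event_id == 7045 and f["service"].upper() == "PSEXESVC":
            # PsExec installs its helper service on the remote host before running code there
            alerts.append(f"PsExec service installed on {f['host']} ({f['image']})")
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

In a real deployment the same logic would sit behind a log pipeline, and a triggered alert is the point at which the article's step-up challenge (for example an MFA prompt) or an account block would be applied.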


Ajit Sancheti is CEO and co-founder of Preēmpt. He has over 20 years in IT security and executive leadership. Previously, he co-founded Mu Dynamics (acquired by Spirent Communications) and held various management roles. Before Mu Dynamics, Ajit was part of the corporate ...

Joe Stanganelli
User Rank: Ninja
6/23/2018 | 6:38:20 PM
@REISEN: Indeed, you raise an important point. Sometimes, security fails, and attacks transcend into BC/DR issues. Whether natural disasters or manmade, these are things you have to plan and account for. Consequently, it's not just a security-team failure; it's an IT-administration failure.
User Rank: Ninja
6/20/2018 | 3:58:51 PM
How many of us remember those three hallowed words from 25 years ago???   And yet nobody seems to do it right.  Atlanta lost ALL DASHCAM VIDEOS, ALL OF THEM.  So ANY failure would have killed the lot, not just a ransomware attack.  Server failure, hard drive failure???    DOES anybody have an updated, TESTED, restoration plan in place???  I think not.  IT departments hate to test these as it is hard work and tough on schedules.  BFD.  It has to be tested and for the simple reason that when it is NEEDED AT 2AM ..... well, the mind does not think straight at that hour, does it???    But still crashes don't happen, right???    And ransomware won't get into OUR SYSTEM right????