Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:30 PM
Ajit Sancheti
Ajit Sancheti
Connect Directly
E-Mail vvv

Inside a SamSam Ransomware Attack

Here's how hackers use network tools and stolen identities to turn a device-level compromise into an enterprise-level takedown.

Hospitals, municipal governments, and schools are bracing themselves, anxiously aware that they could be the next target of SamSam ransomware's ongoing campaign of destruction and extortion.

According to an updated warning issued by the US Department of Health and Human Services, a new variant of SamSam (also referred to as SamSa and Samas) has been deployed in more than eight unique cyberattacks in the United States so far in 2018. These include an industrial controls system (ICS), two hospitals, the City of Atlanta, and the Colorado Department of Transportation. Colorado DOT was attacked twice; it took six weeks, millions of dollars, and hundreds of cybersecurity specialists, including the FBI, to get the department (2,000 computers) back to 80% functionality. What would happen to organizations with fewer resources in the aftermath of a SamSam hit?

In the latest reported attack, an Indiana healthcare provider network discovered it had been compromised on May 17 and is now working with the FBI; it did not disclose whether it paid the ransom. Indeed, many public-sector victims decide it is better to concede to hacker demands immediately than to risk extended recovery time (not to mention complications). As dependency on real-time data and networked systems becomes the norm, recovery speed is critical. Ransomware exploits this vulnerability for straightforward financial gain.

SamSam and its variants, active since 2016, have evident commonalities; as more attacks are investigated, we have gained insight into their tactics. SamSam campaigns do not target the most lucrative enterprises. Instead, they extort organizations that have a near-zero tolerance for downtime: public-facing civil sector and healthcare organizations. The pressure is on when lives, physical health, critical infrastructure, and public safety are at risk. The longer it takes, the higher the stakes.

Assume Breach
While regular patching, security updates, and consistent monitoring can be effective defenses, let's assume the obvious: The perimeter will eventually be breached. SamSam attackers specialize in scanning for exploits and known vulnerabilities — public network protocols, in particular — when targeting a victim. An analysis of SamSam incidents suggests that the ransomware is "typically deployed after the threat actors have exploited known vulnerabilities on perimeter systems to gain access to a victim's network."

The hackers behind SamSam are sophisticated and appear to be learning more tricks as they go along. Their latest scheme is to spread thousands of copies of malware on a single network all at once and then demand "per computer" or "volume discount" ransom amounts to fix what they've broken.

Let's take a closer look at how ransomware attackers use network tools and stolen identities once they are inside the network to turn a device-level compromise into an enterprise-level takedown. According to the Verizon 2018 Data Breach Investigations Report, the use of stolen credentials is the No. 1 most common action attackers take during a successful breach. Privilege misuse is fourth on the list.

SamSam follows this playbook. It uses tools such as Mimikatz to steal valid user credentials and common IT management tools to move malware to new hosts. Attackers and their malware are increasingly reliant on Mimikatz and other common tools, such as PsExec — associated with everything from PoS malware to webshells — to spread through a network and do damage. Once hackers have compromised a set of privileged credentials, they use the stolen identity to access additional assets in the network. Next, attackers use legitimate administrator tools, such as PsExec or WMIexec, to remotely run code on additional machines.

Hacker Innovation
When it comes to stringing together vulnerabilities to avoid detection, prolong dwell time, and infect larger numbers of machines, hackers are innovative. For example, Remote Desktop Protocol (RDP), a standard Microsoft component, has been identified as a weak point that hackers seek because it provides an easy channel of attack. All they have to do is crack the password, and they are free to move laterally, execute malware, and encrypt data.

Likewise, hackers leverage vulnerabilities in Microsoft's credential protocol (CredSSP), along with RDP and distributed computing environment/remote procedure call (DCE/RPC) application services, in much the same way. RDP is so handy that hackers have created databases containing the location and attributes of systems running RDP and sell the records to other bad actors.

These tools are hard to blacklist, let alone control. For example, Mimikatz relies on Windows NT LAN Manager (NTLM) for techniques such as pass-the-hash. The challenge for IT teams is that, by design, virtually any Windows protocol can be downgraded to NTLM. Tools like PsExec use a remote procedure call (RPC), which is also historically difficult to control inside most enterprises.

The good news is that innovations now make it possible for organizations to directly analyze these protocols, see abnormalities, and challenge them in real time. For example, suspicious internal traffic could trigger a multifactor authentication challenge the user has to pass before access is granted. By controlling these protocols, admins can disable the skeleton key tools that attackers use to steal identity and spread to new machines. It may not be possible to prevent every infection, but it's always better to catch them early and box them in. There's no reason to make it easy for the bad guys to take down the entire organization.

SamSam relies on known vulnerabilities. To defend your organization, don't forget security basics. Make sure patching and configuration is up to date. Keep passwords strong and change them often. Limit privileged accounts and use vulnerable protocols only when necessary. Segment networks to contain damage and ease recovery.

Most importantly, focus on what's happening inside your network in real time. Monitor and control access to legitimate credentials and network tools by detecting anomalous patterns and challenging abnormal use. That will make SamSam and its variants ineffective or, at a minimum, keep them from spreading like slime mold through your network.

Related Content:

Why Cybercriminals Attack: A DARK READING VIRTUAL EVENT Wednesday, June 27. Industry experts will offer a range of information and insight on who the bad guys are – and why they might be targeting your enterprise. Go here for more information on this free event.

Ajit Sancheti is CEO and co-founder of Preēmpt. He has over 20 years in IT security and executive leadership. Previously, he co-founded Mu Dynamics (acquired by Spirent Communications) and held various management roles. Before Mu Dynamics, Ajit was part of the corporate ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
Joe Stanganelli,
User Rank: Ninja
6/23/2018 | 6:38:20 PM
@REISEN: Indeed, you raise an important point. Sometimes, security fails, and attacks transcend into BC/DR issues. Whether natural disasters or manmade, these are things you have to plan and account for. Consequently, it's not just a security-team failure; it's an IT-administration failure.
User Rank: Ninja
6/20/2018 | 3:58:51 PM
How many of us remember those three hallowed words from 25 years ago???   And yet nobody seems to do it right.  Atlanta lost ALL DASHCAM VIDEOS, ALL OF THEM.  So ANY failure would have killed the lot, not just a ransomware attack.  Server failure, hard drive failure???    DOES anybody have an updated, TESTED, restoration plan in place???  i think not.  IT departments hate to test these as it is hard work and tough on schedules.  BFD.  It has to be tested and for the simple reason that when it is NEEDED AT 2AM ..... well, the mind does not think straight at that hour, does it???    But still crashes don't happen, rigjht???    And ransomware won't get into OUR SYSTEM right????  
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-01-26
A vulnerability in the application programming interface (API) of Cisco Smart Software Manager On-Prem could allow an unauthenticated, remote attacker to change user account information which can prevent users from logging in, resulting in a denial of service (DoS) condition of the web interface. Th...
PUBLISHED: 2020-01-26
A vulnerability in the CLI of the Cisco SD-WAN Solution vManage software could allow an authenticated, local attacker to elevate privileges to root-level privileges on the underlying operating system. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerabi...
PUBLISHED: 2020-01-26
A vulnerability in the web-based management interface of Cisco Small Business Smart and Managed Switches could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. The vulnerability is due to insufficient validation of user-supplie...
PUBLISHED: 2020-01-26
A vulnerability in the web-based management interface of Cisco Unity Connection Software could allow an authenticated, remote attacker to perform a stored cross-site scripting (XSS) attack. The vulnerability is due to insufficient input validation by the web-based management interface. An attacker c...
PUBLISHED: 2020-01-26
[CVE-2020-3131_su] A vulnerability in the Cisco Webex Teams client for Windows could allow an authenticated, remote attacker to cause the client to crash, resulting in a denial of service (DoS) condition. The attacker needs a valid developer account to exploit this vulnerability. The vulnerability i...