SamSam ransomware has cost victim organisations about $5.9m to date, but only 37% of victims have gone public, according to a report by security firm Sophos.
Top targets of SamSam – also known as Samas – have included medium to large public-sector organisations in healthcare, education and government, as well as large private-sector organisations where operations have been affected significantly.
Sophos has been conducting a long-term investigation of the SamSam ransomware campaign since soon after it emerged in December 2015 to understand the nature of this “relatively unique” threat.
So far, most attacks have been in the US (74%), followed by the UK (8%), Belgium (6%), Canada (5%), Australia (2%) and the Netherlands, Denmark, Estonia, the United Arab Emirates and India, with 1% each.
Although all known government organisation victims have gone public about attacks, the figure drops to 79% in the healthcare industry and to 38% in the education sector.
“We believe there may be hundreds more victims who have made no public statement, but we don’t know who they are,” said Sophos researchers, adding that many victims found they could not recover sufficiently or quickly enough to ensure business continuity on their own, and reluctantly paid ransoms of up to $64,000 each, based on analysis of ransom payments to the bitcoin wallets tracked.
Payment is made by victims in bitcoin via a custom “payment site” on the dark web that has a unique address for each victim organisation. The payment site allows the SamSam attacker to interact directly with victims, who use a message board-like interface to communicate, the researchers said.
The attack method is surprisingly manual, the researchers found. Because a person is driving each intrusion, the attacker can respond with countermeasures when needed, and is adept at evading many security tools, they said.
If the process of encrypting data is interrupted, the malware comprehensively deletes all trace of itself immediately, to hinder investigation.
SamSam is a particularly thorough encryption tool, the researchers said, rendering not only work data files unusable, but also the configuration and data files required to run applications, most of which are not routinely backed up.
As a result, recovery may require reimaging and/or reinstalling software, as well as restoring backups.
The attackers are very good at covering their tracks, the researchers said, and appear to be growing either more paranoid or more experienced: they have gradually added security features to the tools and websites they use, take great care to obfuscate their methods, and delete any evidence that could be useful to investigators.
Each subsequent attack shows greater sophistication and stronger operational security, the researchers said, adding that the ransom demanded is also rising and the tempo of attacks shows no sign of slowing down.
The Sophos investigation has revealed that many SamSam attacks begin with a remote desktop compromise of a machine inside the network. The attacker is also known to use exploits against vulnerable machines to gain remote code execution.
The attacker maintains a presence on the compromised machine while scanning the internal network and uses conventional open source and commercial tools normally used for systems administration or penetration testing to steal passwords, move ransomware installers to domain administrator machines, and push the ransomware to connected workstations.
Unlike many ransomware attacks, SamSam attacks do not originate in a conventional malicious spam or drive-by download attack. Each attack is a manual break-in of a targeted network, the researchers said.
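The remote desktop break-in described above has a recognisable footprint in the Windows Security log: a burst of failed logons (event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, sometimes followed by a successful logon (4624) from the same address. The script below is an added detection example, not code from the article or from Sophos. It runs over constructed sample events embedded inline; the field names mirror the usual Windows Security event attributes, and the threshold of five failures within ten minutes is an assumed tuning value, not something the article specifies.

```python
"""Flag RDP brute-force bursts, and bursts that end in a successful logon.

Added example (not from the article or the Sophos report). Works on a list of
dictionaries shaped like Windows Security events: EventID, TimeCreated
(ISO 8601), TargetUserName, IpAddress, LogonType.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EVENT_LOGON_FAILED = 4625
EVENT_LOGON_SUCCESS = 4624
LOGON_TYPE_RDP = 10          # RemoteInteractive: RDP / Terminal Services

# Assumed tuning values: five failures inside ten minutes from one source.
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=10)


def _ev(event_id, when, user, ip, logon_type=LOGON_TYPE_RDP):
    """Build one constructed event record."""
    return {"EventID": event_id, "TimeCreated": when,
            "TargetUserName": user, "IpAddress": ip, "LogonType": logon_type}


# Constructed sample data (not real logs). Deliberately not in time order.
SAMPLE_EVENTS = [
    _ev(4624, "2018-03-01T08:00:00", "alice", "10.0.0.5", logon_type=2),  # console logon: ignored
    _ev(4625, "2018-03-01T02:14:03", "administrator", "203.0.113.7"),
    _ev(4625, "2018-03-01T02:14:09", "admin", "203.0.113.7"),
    _ev(4625, "2018-03-01T02:14:15", "backup", "203.0.113.7"),
    _ev(4625, "2018-03-01T02:14:22", "svc_backup", "203.0.113.7"),
    _ev(4625, "2018-03-01T02:14:30", "svc_backup", "203.0.113.7"),
    _ev(4625, "2018-03-01T02:14:41", "svc_backup", "203.0.113.7"),
    _ev(4624, "2018-03-01T02:15:02", "svc_backup", "203.0.113.7"),  # attacker gets in
    _ev(4625, "2018-03-01T09:03:10", "bob", "198.51.100.23"),
    _ev(4625, "2018-03-01T09:03:25", "bob", "198.51.100.23"),
    _ev(4624, "2018-03-01T09:03:40", "bob", "198.51.100.23"),       # two typos, then success: benign
] + [_ev(4625, f"2018-03-01T03:10:{s:02d}", "administrator", "192.0.2.44")
     for s in (0, 7, 13, 20, 28, 35, 44)]                          # guessing, never succeeds


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert dict per brute-force burst, per source address.

    A burst is a run of 4625/type-10 events from one IP where each failure is
    within `window` of the previous one. Once the run reaches `threshold` an
    alert is opened; a 4624/type-10 from the same IP while the run is still
    live marks the alert as succeeded and records the account used.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e.get("LogonType") == LOGON_TYPE_RDP:
            by_ip[e["IpAddress"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=_ts)
        recent = []      # failure timestamps in the current burst
        current = None   # alert opened for the current burst, if any
        for e in evs:
            t = _ts(e)
            if e["EventID"] == EVENT_LOGON_FAILED:
                if recent and t - recent[-1] > window:   # gap: previous burst is over
                    recent, current = [], None
                recent.append(t)
                if len(recent) >= threshold:
                    if current is None:
                        current = {"ip": ip, "failures": 0, "succeeded": False,
                                   "user": None, "first_seen": recent[0].isoformat(),
                                   "last_seen": None, "success_time": None}
                        alerts.append(current)
                    current["failures"] = len(recent)
                    current["last_seen"] = t.isoformat()
            elif e["EventID"] == EVENT_LOGON_SUCCESS:
                if current is not None and t - recent[-1] <= window:
                    current["succeeded"] = True
                    current["user"] = e["TargetUserName"]
                    current["success_time"] = t.isoformat()
                recent, current = [], None   # a success ends the burst either way
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(SAMPLE_EVENTS):
        state = f"SUCCEEDED as {a['user']}" if a["succeeded"] else "no success seen"
        print(f"{a['ip']}: {a['failures']} RDP failures {a['first_seen']}..{a['last_seen']} ({state})")
```

On the constructed data this raises two alerts: 203.0.113.7 (six failures, then a successful logon as svc_backup, which is the case to treat as a live intrusion rather than a lockout problem) and 192.0.2.44 (seven failures, no success). The two mistyped passwords from 198.51.100.23 stay under the threshold, and the console logon is filtered out by logon type. In production the same logic would be fed from the event log (or a SIEM) rather than an inline list, and the threshold would be tuned against the organisation's normal failure rate.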
After full payment has been received, the SamSam attacker moves the cryptocurrency into a system of tumblers and mixers that attempt to launder the source of the bitcoin through multiple micro-transactions.
Sophos researchers said that although there is “no silver bullet”, an active and layered security model is best practice and there are several points at which basic security measures can stop SamSam. Organisations are therefore advised to:
- Restrict access to TCP port 3389, used by the remote desktop protocol (RDP), so that systems can only be reached remotely by staff connected through a virtual private network (VPN).
- Complete regular vulnerability scans and penetration tests across the network.
- Deploy multi-factor authentication (MFA) for sensitive internal systems.
- Create backups that are offline and offsite and develop a disaster recovery plan that covers the restoration of data and whole systems.
- Carry out rigorous and diligent software security updates.
- Implement server-specific security with lockdown capabilities and anti-exploit protection.
- Implement endpoint and server security with credential theft protection.
- Improve password policies to encourage employees to use secure password managers, longer passphrases and the non-reuse of passwords for multiple accounts.
- Carry out regular assessments using third-party tools such as Censys or Shodan, to identify and close publicly accessible services and ports across an organisation’s public-facing IP address space.
- Carry out regular phishing tests and staff education.