SamSam ransomware scammers extort $5.9m in payments since January 2016

Ransomware disables critical apps, as well as files, forcing victims to pay up or reinstall

The SamSam ransomware has extorted at least $5.9 million from victims in payments since January 2016, according to an analysis by security software company Sophos (PDF).

The company estimated the payments by tracking the bitcoin addresses supplied in ransom notes. Some 74 per cent of the victims were based in the US, with people and organisations in Canada, the UK and Belgium also affected.

Hospitals, schools and local authorities have all fallen victim to the ransomware, with the attackers proving sophisticated enough to obfuscate their methods and delete revealing evidence.


"Unlike most other ransomware, SamSam encrypts not only document files, images and other personal or work data, but also configuration and data files required to run applications," warns Sophos.

Wiping and reinstalling the operating system, then restoring the ransomed documents, images and other data from backup, is the only way to recover without paying the ransom. A wipe and reinstall is recommended during recovery in any case, even where the ransom is paid, to ensure that the ransomware is completely removed.

Unlike most ransomware, which is typically propagated via phishing emails, the perpetrators behind SamSam attack organisations directly.


"The entire attack process is manual. No badly worded spam email with an attachment is the culprit. The attacker breaks-in in the old fashioned way: using tools that attempt as many logins as quickly as the Remote Desktop Protocol will permit, and exploits operating system vulnerabilities, though not as many as you'd think. SamSam usually succeeds when the victim chooses a weak, easily guessed password," warns Sophos.
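The login-hammering pattern Sophos describes leaves a distinctive trace in Windows Security logs: a burst of failed logons (event 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from a single source, sometimes followed by a success (event 4624) from the same source once a weak password is guessed. The script below is an added example, not code from the article or from Sophos; it runs a sliding-window count over a constructed sample of flattened audit events (the timestamps, account names and addresses are made up) and flags sources that exceed a failure threshold, then checks whether any flagged source later logged on successfully. The one-line event format, the `threshold` and `window` parameters and the helper names are assumptions of this example.

```python
"""
Added example (not from the Sophos report or the article): detecting the
RDP password-guessing pattern described above from Windows Security audit
events. Each sample line is a constructed, flattened record of the form
  <ISO timestamp> <event ID> <logon type> <account> <source IP>
4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, not real logs. 203.0.113.7 hammers the
# administrator account and then succeeds; 198.51.100.5 is a user mistyping
# a password twice; 192.0.2.10 is a normal RDP logon with no failures.
SAMPLE_EVENTS = """\
2018-07-30T20:01:02 4625 10 administrator 203.0.113.7
2018-07-30T20:01:03 4625 10 administrator 203.0.113.7
2018-07-30T20:01:04 4625 10 administrator 203.0.113.7
2018-07-30T20:01:05 4625 10 administrator 203.0.113.7
2018-07-30T20:01:06 4625 10 administrator 203.0.113.7
2018-07-30T20:01:07 4625 10 administrator 203.0.113.7
2018-07-30T20:01:08 4625 10 administrator 203.0.113.7
2018-07-30T20:01:09 4625 10 administrator 203.0.113.7
2018-07-30T20:01:10 4625 10 administrator 203.0.113.7
2018-07-30T20:01:11 4625 10 administrator 203.0.113.7
2018-07-30T20:01:12 4625 10 administrator 203.0.113.7
2018-07-30T20:01:13 4625 10 administrator 203.0.113.7
2018-07-30T20:01:20 4624 10 administrator 203.0.113.7
2018-07-30T20:03:00 4625 10 jsmith 198.51.100.5
2018-07-30T20:03:15 4625 10 jsmith 198.51.100.5
2018-07-30T20:03:30 4624 10 jsmith 198.51.100.5
2018-07-30T20:05:00 4624 10 helpdesk 192.0.2.10
"""

LINE_RE = re.compile(r"^(\S+) (\d{4}) (\d+) (\S+) (\S+)$")


def parse_events(text):
    """Parse the flattened sample format into dicts; skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, event_id, logon_type, account, src = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account,
            "src": src,
        })
    return events


def find_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Return {source_ip: peak_failures} for sources with at least `threshold`
    failed RDP logons inside any `window`-long interval (assumed thresholds)."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["logon_type"] == 10:
            failures[e["src"]].append(e["ts"])
    alerts = {}
    for src, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            # Advance the window start until all timestamps fit inside `window`.
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def successful_after_bruteforce(events, alerts):
    """Sources that were flagged for hammering and also achieved an RDP logon:
    the likely initial foothold that deserves immediate triage."""
    return sorted({e["src"] for e in events
                   if e["event_id"] == 4624 and e["logon_type"] == 10
                   and e["src"] in alerts})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    hits = find_rdp_bruteforce(evs)
    print("password-guessing sources:", hits)
    print("flagged sources that then logged on:", successful_after_bruteforce(evs, hits))
```

Run as-is to see the constructed hammering source flagged with 12 failures and then listed as having logged on; the two mistyped passwords from the second address stay below the threshold. In a real deployment the parser would be replaced by whatever exports the 4625/4624 records (the SIEM, Windows Event Forwarding, or an EDR feed), and the threshold tuned to the environment, but the sliding-window logic is the same.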

Typical attack tools of the SamSam attackers are legitimate Windows network administration tools, such as PsExec, and compromised credentials.

"This method has several benefits. As a manual attack, it poses no risk of spreading out of control, attracting unwanted attention. It also allows the attacker to cherry pick targets, and to know which computers have been encrypted.

"But first, it has to choose the targets. In order to do this, the attacker uses those stolen domain admin credentials to take control of one of the victim's servers, which the attackers use as a command centre for managing the entire attack. From this location, the attacker deploys network scanning tools," explains the report.

However, the company also notes that each wave of attack has involved a progression in sophistication and increasing awareness of "operational security" in order to evade anti-virus and other security software. Ransoms demanded have also gone up, with the attackers now making just under $300,000 per month during 2018.

"After full payment has been received, the SamSam attacker moves the cryptocurrency into a system of tumblers and mixers which attempt to launder the source of the Bitcoin through myriad micro-transactions.

"Sophos strongly suspects many attacks begin with a Remote Desktop compromise of a machine inside the network. The attacker is also known to deploy exploits at vulnerable machines to perform remote code execution."

The attacker updates the malware most days, typically working between 8pm and 11pm in his or her local time, according to the compile time for the SamSam malware samples acquired by Sophos.

The company recommends organisations implement the following four security practices as a matter of priority:

  1. Restrict access to port 3389 (RDP) by only allowing staff who use a VPN to be able to remotely access any systems. Utilise multi-factor authentication for VPN access;
  2. Conduct regular vulnerability scans and penetration tests across the network; if you haven't followed through on recent pen-testing reports, do it now;
  3. Multi-factor authentication for sensitive internal systems, even for employees on the LAN or VPN; and
  4. Create backups that are offline and offsite and develop a disaster recovery plan that covers the restoration of data and whole systems.