How the SamSam attacker stole millions from US companies

There are many reasons that the SamSam ransomware has achieved widespread notoriety: it disrupted the operations of some of its victims to a point that the attack couldn’t remain secret, the asked-for ransom amount was considerably larger that those requested by other ransomware attackers, and the malware was not delivered and deployed via the most often-used route (spam or phishing emails).

A new report by Sophos, whose researchers followed the money and tracked down a considerable number of the victims who were hit and paid the ransom, offers new insight into the attacker’s modus operandi and advice for organizations how to protect themselves against this menace.

New insights

The SamSam ransomware as well as the attacker’s approach to each attack has evolved over time.

“The consistency of language across ransom notes, payment sites, and sample files, combined with how their criminal knowledge appears to have developed over time, suggests that the attacker is an individual working alone. This belief is further supported by the attacker’s ability not to leak information and to remain anonymous, a task made more difficult when multiple people are involved,” the researchers noted.

As far as they were able to track the money, the SamSam attacker has managed to rake in nearly $6 million from victims who decided to pay the ransom.

“With an estimated 1 new victim being attacked each day, we believe that roughly 1 in 4 victims pay at least some of the ransom,” they shared. “The largest ransom paid by an individual victim, so far, is valued at US$64,000, a significantly large amount compared to most ransomware families.”

The attacker targets medium- to large public and private sector organizations. The wider public only knew about those in the public sector because those in the private sector have remained quiet about the attacks. The great majority (74%) of the confirmed victims are located in the US.

“Unlike most other ransomware, SamSam encrypts not only document files, images, and other personal or work data, but also configuration and data files required to run applications (e.g., Microsoft Office). Victims whose backup strategy only protects the user’s documents and files won’t be able to recover a machine without reimaging it, first,” the researchers added.

Also, the malware is deployed manually and usually in the middle of the night or the early hours of the morning of the victim’s local time zone, so the attack is likely to remain unnoticed for a while, giving the ransomware enough time to encrypt the targeted files.

Attacker’s modus operandi

The attacks usually unfold like this:

• The attacker chooses the victim
• Gains access to the victim’s network by brute-forcing Windows RDP accounts (in the very beginning it was via vulnerable JBoss systems)
• Uses a combination of hacking tools and exploits to elevate their privileges to a domain admin account
• Scans the network for optimal target computers
• Deploys the ransomware on those computers
• Waits for the opportune moment to launch all instances of the ransomware almost simultaneously
• Waits for the victim to make contact via the dark web payment site (that info is provided to the victim in the ransom note).

The researchers were unable to pinpoint how the attacker identifies potential targets, but it’s likely that the attacker purchases lists of vulnerable servers from other hackers on the dark web or uses publicly available search engines such as Shodan or Censys.

“While some may find this shocking, a simple search on Shodan will reveal thousands of IP addresses accessible over port 3389, the default RDP port,” they noted.

The attacker uses tools like Mimikatz, a tool to extract user credentials from memory, to achieve access to a domain admin account, NLBrute to brute-force Remote Desktop Protocol (RDP) passwords, PsExec and PaExec to launch the ransomware on remote Windows computers, and others.

Layered, in-depth defense

“The best way for organisations to protect themselves against SamSam, and many other attacks, is to reduce their threat profile, and not be an easy target in the first place. One way to accomplish this is by diligently making sure machines are as up to date as possible, and that employees use secure authentication methods, including strong passwords, and to use two-factor authentication where possible,” the researchers recommend.

“Fix the most easily-corrected mistakes as quickly as possible, such as closing whatever firewall loopholes might allow someone to reach the default Remote Desktop port of 3389 from the Internet.”

Defenders can also use third party tools like Censys or Shodan to identify publicly-accessible services and ports across their public-facing IP address space and close them. Access to port 3389 (RDP) should be restricted only to staff who use a VPN, and to specific IP addresses, ranges, or geographies.

The researchers also advise defenders to follow the principle of least privilege for accounts and to identify the relationships between different Active Directory accounts and eliminate attack paths they find.

Real time monitoring of the network and systems for anomalies is advisable, and keeping backups safe (offline and preferably offsite) is a must.

Another thing to keep in mind is that SamSam encrypts almost the entire machine: not just files, but applications, configuration files, and ancillary files that help applications run.

“If you were in this situation, you’d need to, first, reimage or reinstall a clean operating system on that machine, and its applications, before even beginning to worry about recovering the work you saved up to the time when the backup was made,” they pointed out.

“How long does it take to build a system from scratch, or reimage? If 1 computer takes an hour, do 10 computers take 10 hours? How long can your organization operate if you find 90% of your computers suddenly encrypted at the same time?”