In over two and a half years, the SamSam ransomware has raked in nearly USD $6 million in ransom, whereas previously reported ransom figures stood at only USD $85,000. Some victims have reported widespread ransomware events that significantly disrupted the operations of large organizations, including hospitals, schools and cities.
Medium to large public sector organisations in healthcare, education, and government have been targeted by SamSam, but the Sophos research team discovered that these make up only about 50% of the total number of identified victims, with the rest coming from the private sector, which has remained uncharacteristically quiet about the attacks. The attacker selects targets with care and prepares each attack meticulously. SamSam waits for an opportune moment, typically launching the encryption commands in the middle of the night or in the early hours of the morning in the victim’s local time zone, when most users and admins would be asleep.
Unlike most other ransomware, SamSam encrypts not only document files, images, and other personal or work data, but also the configuration and data files required to run applications. Victims whose backup strategy only protects the user’s documents and files won’t be able to recover a machine without re-imaging it first.
SamSam attacks follow a relatively predictable pattern, and usually comprise the following six stages:
1. Target identification and acquisition
The first part, how the attacker identifies these specific organisations, is unknown. They could be purchasing lists of vulnerable servers from other hackers on the dark web, or simply using publicly available search engines such as Shodan or Censys. Clearly, they tend to target medium to large organisations, predominantly based in the United States. The second part, the acquisition, is relatively straightforward. When the attacks began, in 2016, they were known to exploit vulnerabilities in JBOSS systems to gain the privileges that would enable them to copy the ransomware into the network. Increasingly, the person or people behind the SamSam attacks find greater success gaining network access by brute-forcing Windows RDP accounts.
2. Penetrating the network
In the most recent SamSam attacks, the attackers concentrated their efforts on brute-forcing weak passwords on machines accessible over the internet using Remote Desktop Protocol (RDP). While some may find this shocking, a simple search on Shodan will reveal thousands of IP addresses accessible over port 3389, the default RDP port.
3. Elevating privileges
Often the attacker gains access to a domain user account via RDP, though it’s been reported that the attacker uses a mix of RDP and exploits to access the targeted networks. Once in the network, the attacker then uses a combination of hacking tools (described in the Technical Details appendix, below) and exploits to elevate their privileges to a domain admin account. This has been known, on some occasions, to take days, while the attacker waits for a domain admin to log in. The compromised machine runs Mimikatz, a credential harvesting tool, so the credentials are stolen the minute a domain admin logs in.
4. Scanning the network for target computers
Unlike other well-known ransomware such as WannaCry, SamSam does not spread independently. Instead, the attacker deploys the malware using legitimate Windows network administration tools such as PsExec, together with the stolen credentials, as if the ransomware were a legitimate application whose deployment is being centrally managed by the victim’s own domain controller. As a manual attack, it poses no risk of spreading out of control and attracting unwanted attention. It also allows the attacker to cherry-pick targets, and to know which computers have been encrypted. But first, the attacker has to choose the targets. To do this, the attacker uses the stolen domain admin credentials to take control of one of the victim’s servers, which then serves as a command centre for managing the entire attack. From this location, the attacker deploys network scanning tools.
5. Deploying and executing the ransomware
The attacker’s preferred deployment tool is the Sysinternals PsExec application, which the attacker uses to copy files across the network. The attacker has been known to use other deployment tools in situations where PsExec is blocked. In one recent attack, they were seen switching to a similar tool called PaExec from PowerAdmin.
6. Awaiting payment
Once the attack has been launched, the only thing left for the SamSam threat actor to do is wait to see if the victim makes contact via the attacker’s dark web payment site, the details of which are provided to the victim in the ransom note. The attacker gives the victim roughly seven days to pay the ransom, although, for an additional cost, this time can be extended.
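As an added defender-side example (not code from the Sophos article), the following Python flags the two stages above that leave the clearest host traces, RDP brute-forcing (stage 2) and PsExec/PaExec service installation (stage 5), on constructed Windows event records; the event ID mapping, the five-failure threshold and the 22:00-06:00 off-hours window are my assumptions, not figures from the article.

```python
# Added example (not from the Sophos article): flag two SamSam stages described above, RDP
# brute forcing (stage 2) and PsExec/PaExec deployment (stage 5), over Windows event records.
# Assumed: 4625/logon type 10 = failed RDP logon, 7045 = service install, off hours = 22:00-06:00.
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10                       # RemoteInteractive (RDP) logon
BRUTE_FORCE_THRESHOLD = 5                 # failed RDP logons from one source inside WINDOW
WINDOW = timedelta(minutes=5)
DEPLOY_SERVICES = ("PSEXESVC", "PAExec")  # service names PsExec and PaExec install

def rdp_brute_force_sources(events):
    """Source IPs with >= BRUTE_FORCE_THRESHOLD failed RDP logons inside any WINDOW."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e.get("logon_type") == RDP_LOGON_TYPE:
            failures[e["source_ip"]].append(datetime.fromisoformat(e["time"]))
    flagged = set()
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > WINDOW:
                start += 1
            if end - start + 1 >= BRUTE_FORCE_THRESHOLD:
                flagged.add(ip)
                break
    return flagged

def is_off_hours(hour, start=22, end=6):
    """True inside the assumed overnight window the attacker favours."""
    return hour >= start or hour < end

def remote_deploy_installs(events):
    """(host, service, off_hours) for each PsExec/PaExec service install (Event ID 7045)."""
    hits = []
    for e in events:
        if e["event_id"] == 7045 and e["service_name"].startswith(DEPLOY_SERVICES):
            hour = datetime.fromisoformat(e["time"]).hour
            hits.append((e["host"], e["service_name"], is_off_hours(hour)))
    return hits

# Constructed sample (not real telemetry): six RDP failures from one IP, one stray failure, one PSEXESVC install at 02:14.
SAMPLE_EVENTS = [
    *({"event_id": 4625, "logon_type": 10, "source_ip": "198.51.100.7", "host": "RDPGW",
       "time": f"2018-07-31T01:03:{10 * i:02d}"} for i in range(6)),
    {"event_id": 4625, "logon_type": 10, "source_ip": "203.0.113.9", "host": "RDPGW",
     "time": "2018-07-31T01:04:00"},
    {"event_id": 7045, "service_name": "PSEXESVC", "host": "FILESRV01", "time": "2018-07-31T02:14:05"},
]
```

On the sample, only the address with six rapid failures is flagged, and the PSEXESVC install is reported with the off-hours marker set, the combination the article's timeline describes.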
According to Peter Mackenzie, Global Malware Escalations manager at Sophos, “Most ransomware is spread in large, noisy and untargeted spam campaigns using simple techniques to infect victims and demand relatively small sums in ransom. What sets SamSam apart is that it’s a targeted attack tailored to cause maximum damage and ransom demands are measured in the tens of thousands of dollars. The attack method is surprisingly manual, and more cat burglar than smash-and-grab. As a result, the attacker can employ countermeasures to evade security tools and if interrupted can delete all trace of itself immediately, to hinder investigation.”
Mackenzie added, “SamSam is a reminder to businesses that they need to actively manage their security strategy. By deploying an in-depth approach, they can ensure their network is less visible and open to attack to avoid being the low hanging fruit the hacker is searching for. We recommend IT managers follow security best practices, including hard-to-crack passwords and rigorous patching.”
Sophos recommends the following four security measures:
· Restrict access to port 3389 (RDP) by only allowing staff who use a VPN to be able to remotely access any systems. Utilize multifactor authentication for VPN access.
· Complete regular vulnerability scans and penetration tests across the network; if you have not followed through on recent pen-testing reports, do it now.
· Activate multi-factor authentication for sensitive internal systems, even for employees on the LAN or VPN.
· Create back-ups that are offline and offsite, and develop a disaster recovery plan that covers the restoration of data and whole systems.