SamSam Ransomware: Patient, Persistent, Competent and Dangerous
1.8.18 securityweek Ransomware
The SamSam ransomware has always been a bit different. Unlike many ransomware infections, its victims are targeted rather than random -- and the attacker establishes a presence on the victim network before beginning the encryption process.
Victims this year include the City of Atlanta, Allscripts, Adams Memorial Hospital, Colorado Department of Transportation and the Mississippi Valley State University. It could seem that SamSam targets health, education and government; but a new and detailed analysis of SamSam from Sophos shows this is not the case -- and its success rate is far higher than previously thought.
"Sophos have discovered that these three sectors account for fewer than half of the total number of organizations we believe have been victims of SamSam, and it's the private sector who have suffered the most (and disclosed the least)."
By following the money and tracking the Bitcoin payment wallets with help from Neutrino (a firm that specializes in tracking cryptocurrency flows), Sophos researchers have estimated that the SamSam attacker has netted more than $5.9 million dollars since version 1 (it is now at version 3) began being used in January 2016. The attacker is currently collecting an average of $300,000 per month. Sophos estimates that about 233 victims have paid a SamSam ransom.
The attacker is thought to be a single person working alone rather than a criminal or nation-state gang. He (or she) is proficient, although not perfect, in the English language; but probably comes from a country where English is not the first language. He does not boast about his exploits and has no known social media presence, where linguistic tells within has ransomware might provide clues to his identity. At this point, his identity and nationality are unknown.
Sophos researchers have tracked (PDF) the evolution of SamSam through its three versions. It shows a developer getting evermore proficient in his craft. The basic MO is to select the targets, possibly through publicly available search engines such as Shodan or Censys, to access the network, to elevate privilege and reconnoiter, and then encrypt everything he can access. The encryption itself is usually done overnight to reduce the chance of detection.
According to the researchers, version 3 usually affects entry through brute-forcing Windows RDP accounts. "While some may find this shocking," say the researchers, "a simple search on Shodan will reveal thousands of IP addresses accessible over port 3389, the default RDP port."
Once access to a domain user account is obtained, the attacker will typically use Mimikatz to harvest the credentials of the first domain admin to log on. This has been known on some occasions to take days, with the attacker simply waiting.
Armed with privileged access, the attacker starts to manually deploy the ransomware. First, he takes control of one of the victim's servers, which he uses as his command center. Then, he scans the network. If he can write a tiny text file to a computer's filesystem (called test.txt), the name of that file is added to a separate file stored on his command server and known as 'alive.txt'. "The attacker later uses this .txt file as a target list," report the researchers.
Deployment from the command server is usually done with the Sysinternals PsExec application, although the attacker has been known to switch to PowerAdmin's PaExec if the former is blocked. Once the attack is initiated, the attacker simply waits for payment.
One key element of SamSam is the extent to which stealth is used -- completely in keeping and supporting the attacker's low-profile approach to crime. "In version 3 of SamSam," say the reporters, "the general operation of the payload hasn't changed much since version 1, but the attackers have put significant efforts into creating a stealthier version of the malware."
One example of this is the order in which targeted files are encrypted -- anything smaller than 100 Mb immediately, and larger files in size order. SQL and MDF files (which are typically large and time-consuming to encrypt) are next; and finally, anything left that is not on an exclusion list. "This carefully curated approach enables the attacker to achieve a greater volume of encrypted files before the attack is spotted and interrupted."
Another example is the consistency with which the attacker deletes the files he uses one the device is encrypted, or if the attack is interrupted.
Payment is made in Bitcoin (BTC), and the attacker offers several initial options. Individual computers can be decrypted on payment of 0.8 BTC (as of July 18). Full decryption -- regardless of the number of encrypted computers -- costs 7 BTC (around $40,000 at July 18 exchange rates). Victims have 7 days to make payment; but there is at least one example of the victim being offered the option to reopen the countdown on payment of 0.5 BTC.
The bad news for victims is that there is no known way to recover SamSam encrypted files. The good news, if you can call it such, is that the attacker really does provide decryption, and even offers online support for those who have difficulties.
Sophos urges companies not to pay any ransom, but accepts the difficulties with SamSam. "Instead," say the researchers, "Sophos strongly recommends a comprehensive layered approach to security, to both avoid an initial attack, and enable system recovery through backups." However, they also note, "Securing an environment against a competent, persistent, and patient, human adversary is somewhat different from defending against the more conventional kinds of semi-automated, social engineering-driven threats more commonly seen in enterprise environments. And SamSam's own particularly damaging behavior sets it apart from many other ransomwares."