Email, whether bulk spam or targeted spear-phishing, is one of the most popular ways attackers spread ransomware, which is why employee awareness training helps stop it. However, a new report warns infosec pros that the person or persons behind the strain known as SamSam prefer a hands-on attack.
“Unlike virtually every other ransomware attack, the entire attack process is manual,” says the report issued this morning by Sophos about SamSam, also known by other researchers as SamSa and Samas. “No badly-worded spam email with an attachment … The attacker breaks in the old fashioned way: using tools that attempt as many logins as quickly as the Remote Desktop Protocol (RDP) will permit, and exploits operating system vulnerabilities, though not as many as you’d think. SamSam usually succeeds when the victim chooses a weak, easily-guessed password.”
In an earlier report Sophos said SamSam was the ransomware that crippled the city of Atlanta earlier this year; the city is still trying to recover. According to a Reuters report, the city was told last month that more than a third of its 424 software programs were thrown offline or partially disabled in the attack. Nearly 30 per cent of the affected applications are considered “mission critical,” including those used by police and the courts. The estimated cost of recovery is well over US$10 million.
The SamSam attacker “uses care in target selection and attack preparation is meticulous,” says the Sophos report. Once in, the attacker spreads the payload laterally across the network to as many machines as possible. Among the tools used is Mimikatz, for harvesting credentials from memory. Encryption commands are typically launched in the middle of the night or the early hours of the morning in the victim’s local time zone, when most users and admins would be asleep. Encryption works through a prioritized list of files and directories first, including application configuration files, and then everything else.
Since first being seen in late 2015, Sophos estimates the ransomware has pulled in more than US$5.9 million. While 74 per cent of the known victims are based in the United States, others who have been hit live in Canada, the U.K. and the Middle East.
When the attacks began in 2016, they often exploited vulnerabilities in JBoss application servers to gain the privileges needed to copy the ransomware into the network, the report says. Increasingly, however, the person or people behind the SamSam attacks are brute-forcing exposed Windows RDP accounts in medium to large organizations. Such targets could be found by purchasing lists of vulnerable servers on the dark web, the report speculates, or simply by searching Shodan or Censys for devices listening on port 3389, the default RDP port.
After taking over one machine the attacker escalates privileges to get admin control over as many machines as possible, then spreads the ransomware using the stolen credentials and legitimate Windows network administration tools such as PsExec or PAExec.
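The attack chain described above (a burst of RDP password guesses that eventually succeeds, followed by PsExec or PAExec installing a service on other hosts, often in the small hours) leaves a recognisable trail in Windows event logs. The following is an added example, not code from the Sophos report or from the article, of the detection logic an analyst might run over those logs. It assumes events have already been exported from the Security log (4625 failed logon, 4624 successful logon) and System log (7045 service installed) into simple records; the sample records, host names, addresses and user names are constructed for illustration, and the thresholds are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows event IDs and the RDP logon type used below.
FAILED_LOGON = 4625          # Security log: an account failed to log on
SUCCESS_LOGON = 4624         # Security log: an account was successfully logged on
SERVICE_INSTALLED = 7045     # System log: a service was installed in the system
RDP_LOGON_TYPE = 10          # RemoteInteractive (RDP). Caveat: with Network Level
                             # Authentication enabled, a credential rejected before a
                             # session exists is logged as LogonType 3, so a type-10-only
                             # filter undercounts guessing against NLA-protected hosts.

# Constructed sample records (not real telemetry). A SIEM export would carry more
# fields; these are the ones the checks need. Times are the host's local time.
SAMPLE_EVENTS = [
    {"time": "2018-07-31T02:10:00", "id": 4625, "logon_type": 10, "src_ip": "203.0.113.45", "user": "administrator", "host": "DC01"},
    {"time": "2018-07-31T02:10:04", "id": 4625, "logon_type": 10, "src_ip": "203.0.113.45", "user": "admin", "host": "DC01"},
    {"time": "2018-07-31T02:10:09", "id": 4625, "logon_type": 10, "src_ip": "203.0.113.45", "user": "backup", "host": "DC01"},
    {"time": "2018-07-31T02:10:15", "id": 4625, "logon_type": 10, "src_ip": "203.0.113.45", "user": "backupadmin", "host": "DC01"},
    {"time": "2018-07-31T02:10:22", "id": 4625, "logon_type": 10, "src_ip": "203.0.113.45", "user": "backupadmin", "host": "DC01"},
    {"time": "2018-07-31T02:10:31", "id": 4625, "logon_type": 10, "src_ip": "203.0.113.45", "user": "backupadmin", "host": "DC01"},
    {"time": "2018-07-31T02:10:40", "id": 4624, "logon_type": 10, "src_ip": "203.0.113.45", "user": "backupadmin", "host": "DC01"},
    {"time": "2018-07-31T02:25:12", "id": 7045, "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe", "host": "FS01"},
    {"time": "2018-07-31T09:00:00", "id": 4625, "logon_type": 10, "src_ip": "10.0.0.7", "user": "jsmith", "host": "WS12"},
    {"time": "2018-07-31T09:00:05", "id": 4624, "logon_type": 10, "src_ip": "10.0.0.7", "user": "jsmith", "host": "WS12"},
]


def parse_time(stamp):
    return datetime.fromisoformat(stamp)


def is_off_hours(ts, start_hour=22, end_hour=6):
    """True between 22:00 and 06:00 local time, the window the report says SamSam favours."""
    return ts.hour >= start_hour or ts.hour < end_hour


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """One alert per source address that produced >= threshold RDP logon failures
    inside `window`, noting whether a later RDP success from that address followed.
    A success after a burst of failures is the 'weak password guessed' case."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e.get("logon_type") != RDP_LOGON_TYPE:
            continue
        if e["id"] == FAILED_LOGON:
            failures[e["src_ip"]].append(parse_time(e["time"]))
        elif e["id"] == SUCCESS_LOGON:
            successes[e["src_ip"]].append((parse_time(e["time"]), e["user"]))

    alerts = []
    for ip, times in failures.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                later = [(t, u) for t, u in successes[ip] if t >= times[end]]
                alerts.append({
                    "src_ip": ip,
                    "failures_in_window": end - start + 1,
                    "first_failure": times[start].isoformat(),
                    "followed_by_success": bool(later),
                    "compromised_user": later[0][1] if later else None,
                    "off_hours": is_off_hours(times[start]),
                })
                break   # one alert per address is enough
    return alerts


def detect_remote_exec_services(events):
    """7045 service installs whose name or binary path matches PsExec (PSEXESVC)
    or PAExec, the tools the report names for spreading the payload."""
    markers = ("PSEXESVC", "PAEXEC")
    hits = []
    for e in events:
        if e["id"] != SERVICE_INSTALLED:
            continue
        blob = (e.get("service_name", "") + " " + e.get("image_path", "")).upper()
        if any(m in blob for m in markers):
            hits.append(e)
    return hits


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print("RDP brute force:", a)
    for s in detect_remote_exec_services(SAMPLE_EVENTS):
        print("Remote-exec service install on", s["host"], "->", s["service_name"])
```

On the sample data the first check flags 203.0.113.45 (five failures within the window, followed by a successful logon as `backupadmin`, at 02:10 local time), while the single mistyped password from 10.0.0.7 during business hours stays below the threshold; the second check flags the PSEXESVC install on FS01. Legitimate admins also use PsExec, so the service-install hit is a lead to correlate with the brute-force alert and the off-hours timing rather than a verdict on its own.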
Infosec pros aren’t completely defenceless, but antivirus alone won’t stop this attacker: SamSam appears to have a stockpile of malware payloads, so if one sample is blocked by antivirus, the attacker can quickly switch to a newer sample and continue to press the attack.
SamSam is now on version 3, which adds a layer of complexity that makes analysis more difficult by splitting the ransomware into two files. When deploying it, the attacker manually supplies a password as a command-line argument to one component known as “the runner”, named after the file “runner2.exe”. The runner contains the decryptor for the now separate, encrypted payload, so a payload file recovered on its own cannot be unpacked without that password. Over time the file suffix of this payload has changed, most recently to “.sophos”.
The report includes a detailed analysis of the deployment tools and encryption used.
This is not the only report on SamSam. In April the Healthcare Cybersecurity and Communications Integration Center of the U.S. Health and Human Services department also issued an analysis.
Infosec pros should note that those behind SamSam often pick targets that hold sensitive information and may be willing to pay the ransom, such as governments, health care providers and universities. However, Sophos notes that the private sector has actually been hit more often; healthcare, government and education sector victims are simply (so far) more likely to admit to stakeholders that they’ve been victimized. That may change as more jurisdictions consider passing mandatory data breach disclosure laws.
Every SamSam attack shows a progression in sophistication and an increasing awareness by the person or persons behind it, notes Sophos. “The cost victims are charged in ransom has increased dramatically, and the tempo of attacks shows no sign of slowdown.”
What to do? To prevent infection, Sophos says, start by rigorously following best practices for patching and network management: restrict administrative privileges on critical systems to as few accounts as possible, and close loopholes such as RDP ports exposed to the outside world. Real-time network and event monitoring will also help.
“The only sure way to protect a system from this degree of ransomware attack is to keep those backups offline, unconnected to the Internet, and preferably offsite or at least in a secure, locked storage. A response and recovery plan for an advanced attack such as SamSam will more closely resemble a plan to deal with a fire in your datacentre, or a major natural disaster.”