After more than 6 months of work taking a comprehensive look at the SamSam ransomware, its peculiar attack method, and its sky-high ransom demands, SophosLabs researchers have released their report on the malware.
A post published on the firm’s blog states thus: “It strikes in the dead of night, timing the moment when it begins to encrypt every hard drive it can reach to when the fewest IT administrators or SOC staff are likely to be on duty. Victims find few, if any, traces of the infection, other than a ransom note that demands payments exceeding $60,000 in Bitcoin, and links to a Dark Web customer support chat system that gives the victim an opportunity to trade text messages with the attacker…When SamSam appeared at the end of 2015, ransomware had really hit its stride, with a widely distributed variant of CryptoWall and new ransomware-as-a-service business models appearing. But this ransomware was different.”
It further adds: “For one thing, SamSam’s attack vector set it immediately apart from other ransomware. The person, or people, behind the attack employ a combination of old fashioned brute force attacks and exploits aimed at taking control of a single machine on the network of a targeted victim, before eventually taking control of a domain administrator machine. No malicious spam email or exploit kits delivered SamSam’s payload. The attacker pushes it out to every workstation on a LAN domain and executes it simultaneously.”
The post, written by Andrew Brandt, Principal Researcher at Sophos, who specializes in security analytics and the forensic, retrospective analysis of malware infections and cyberattacks, notes that SamSam “seems designed to maximize its own likelihood of success.”
“A multi-tiered priority system ensures that the ransomware encrypts the most valuable data first, but eventually it also encrypts everything else that isn’t in a very short list of Windows system-related files. Communication and payment involve Tor and Bitcoin for security and untraceability. The attacker personally launches the attacks using a combination of free, open source, and commercial network administrator tools,” states Brandt in the article published on July 31.
The SamSam attacker actively evades security controls throughout the attack, deploying custom-compiled malware payloads and shutting down security measures as needed. It has been a particularly pernicious and heinous ransomware campaign, attacking hospitals, schools, municipal government, and even a homeless charity.
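The two behaviours the article singles out, a brute-force foothold followed by the payload being pushed to every workstation and run at once, typically at night, are both visible in ordinary logon and process-creation telemetry. The script below is an added illustration written for this article, not code from Sophos or from the report, of how a defender might flag those patterns: it parses a handful of constructed log lines (the timestamps, hosts, addresses and the `payload_placeholder.exe` image name are all made up for the example) and raises an alert when one source racks up many failed logons in a short window, or when the same executable is first seen on many hosts within a couple of minutes, marking each alert with whether it fell outside business hours. The thresholds and the log format are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import timedelta, datetime

# Constructed sample log lines for this example (not from the Sophos report).
# Format: "<ISO timestamp> <event> key=value ..."
SAMPLE_LOG = (
    # 25 failed logons from one address against one server in 50 seconds, at 02:14
    [f"2018-07-31T02:14:{s:02d} logon_failed src=203.0.113.7 host=FS01 user=administrator"
     for s in range(0, 50, 2)]
    # a user mistyping a password twice during the day: should not alert
    + ["2018-07-31T10:15:00 logon_failed src=10.0.0.21 host=FS01 user=jdoe",
       "2018-07-31T10:17:30 logon_failed src=10.0.0.21 host=FS01 user=jdoe"]
    # the same new binary starting on six workstations within one minute, at 03:02
    + [f"2018-07-31T03:02:{s:02d} process_start host=WS{n:02d} image=payload_placeholder.exe"
       for n, s in zip(range(1, 7), range(0, 60, 10))]
    # an ordinary program on two hosts half an hour apart: should not alert
    + ["2018-07-31T09:00:00 process_start host=WS01 image=notepad.exe",
       "2018-07-31T09:30:00 process_start host=WS02 image=notepad.exe"]
)

LINE_RE = re.compile(r"^(\S+) (\S+)((?: \w+=\S+)*)$")


def parse_line(line):
    """Turn one log line into a dict with a datetime 'ts', an 'event' and its key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(3).split())
    return {"ts": datetime.fromisoformat(m.group(1)), "event": m.group(2), **fields}


def is_off_hours(ts, start_hour=22, end_hour=6):
    """Assumed business hours: weekdays 06:00-22:00; anything else counts as off-hours."""
    return ts.weekday() >= 5 or ts.hour >= start_hour or ts.hour < end_hour


def find_logon_bursts(events, threshold=20, window=timedelta(minutes=5)):
    """Sliding window per (source, host): alert once when failures inside `window` reach `threshold`."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] != "logon_failed":
            continue
        key = (ev["src"], ev["host"])
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"src": ev["src"], "host": ev["host"], "count": len(q),
                           "at": ev["ts"], "off_hours": is_off_hours(ev["ts"])})
    return alerts


def find_mass_execution(events, min_hosts=5, window=timedelta(minutes=2)):
    """Alert when an image is first executed on at least `min_hosts` distinct hosts inside `window`."""
    first_seen = {}                                   # (image, host) -> first start time
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "process_start":
            first_seen.setdefault((ev["image"], ev["host"]), ev["ts"])
    by_image = defaultdict(list)
    for (image, host), ts in first_seen.items():
        by_image[image].append((ts, host))
    alerts = []
    for image, starts in by_image.items():
        starts.sort()
        for i in range(len(starts)):                  # widen a window from each first-seen time
            j = i
            while j + 1 < len(starts) and starts[j + 1][0] - starts[i][0] <= window:
                j += 1
            if j - i + 1 >= min_hosts:
                alerts.append({"image": image, "hosts": sorted(h for _, h in starts[i:j + 1]),
                               "at": starts[i][0], "off_hours": is_off_hours(starts[i][0])})
                break
    return alerts


def analyze(lines):
    """Run both detectors over raw log lines and return their alerts."""
    events = [e for e in map(parse_line, lines) if e is not None]
    return {"logon_bursts": find_logon_bursts(events),
            "mass_execution": find_mass_execution(events)}


if __name__ == "__main__":
    for kind, found in analyze(SAMPLE_LOG).items():
        for alert in found:
            print(kind, alert)
```

Both detectors are deliberately simple heuristics; in practice the logon events would come from a domain controller or VPN gateway and the process starts from endpoint telemetry, and the off-hours flag would be one input to alert priority rather than a verdict on its own.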
Many of the victims, according to Sophos’ analysis, have never publicly disclosed or acknowledged that an attack even took place, even though the Bitcoin transaction record irrefutably shows that a victim has paid the ransom, and each Bitcoin address used by the SamSam attacker is unique to its victim organization.
The SamSam attacker has taken in nearly $6 million in ransom revenue since the malware appeared on the scene about 32 months ago, demanding a premium ransom in order to sell the victims a key that will decrypt every affected machine on the network. About one in four victims, according to Sophos, have paid the ransom rather than try to recover from backups, and new victims are being discovered almost every week.
The newly released report, SamSam: The (Almost) Six Million Dollar Malware, is the result of more than 6 months’ work by a team of SophosLabs malware analysts, reverse engineers, and Sophos senior support staff.