[BreachExchange] Cybercrime Gang Ramps up Ransomware Campaign

Destry Winant destry at riskbasedsecurity.com
Fri Feb 16 19:46:38 EST 2018


In the last few weeks, Gold Lowell group has collected over $350K
after infecting victims with SamSam crypto malware, researchers at
Secureworks found.

A cybercrime gang known as Gold Lowell has been using scan-and-exploit
tactics to opportunistically infect business networks with ransomware
and extort money from the victim organizations.

The group - which has been around since at least 2015 - appears to
have ramped up activity in the last few weeks in keeping with its
previous pattern of escalating attacks during the end part through the
beginning of the calendar year, Secureworks said in a report this

Between late December and mid-January alone, Gold Lowell managed to
collect at least $350,000 in extortion money after infecting victims
with a custom version of SamSam, a previously known ransomware tool.
The group's victims include healthcare organizations, IT software
providers, transportation companies, waste management firms, and
business services organizations. Many of them have been small- to
midsized organizations.

>From a malware perspective itself, SamSam is little different from the
slew of ransomware tools floating about in the wild currently. The
tactic Gold Lowell has been using to install the malware on victim
systems and networks is notable, however, notes Matthew Webster,
senior security researcher at Secureworks’ Counter Threat Unit.

"SamSam ransomware is essentially as sophisticated as it needs to be,"
Webster says. "The main contrast between other ransomware capabilities
is how it is deployed—after compromise of the victim’s systems and
account credentials."

According to Secureworks, Gold Lowell has shown a tendency to scan
Internet-facing systems for known vulnerabilities and exploits. The
group's scanning has targeted systems and protocols like JBoss and RDP
that are more likely to be used by organizations than by individuals.
Early on, the threat group regularly targeted JBoss applications using
an open source exploitation tool. In 2017, Gold Lowell began targeting
legitimate Remote Desktop Protocol (RDP) account credentials—often via
brute force attacks, Secureworks said.

Once it gains at initial foothold on a network, Gold Lowell has shown
a tendency to use both publicly available and proprietary tools and
exploits in order to escalate privileges and find the most central and
critical systems to exploit.

"[SamSam's] encryption methodology is strong and it carries out
actions that make it more difficult for recovery and investigation,"
Webster says. Measures include wiping additional space on the disk and
deleting itself, he says.

Gold Lowell typically demands a ransom of around $9,500 for decrypting
files. But based on how effective the group has been at deploying
SamSam inside breached networks, it is quite likely that some victims
are paying up a lot more, according to Webster. In one campaign during
mid-2017 that Secureworks researchers observed, the value of the
ransom for decrypting the entire network of the victim organization
was 28 bitcoins, or approximately $68,000 at the time, he says.

In at least one instance the threat actors doubled the decryption cost
after a victim's initial payment barely missed the deadline set for
it. "The doubling of the ransom really goes to highlight that once the
decision has been made to pay the ransom, then as victim you are
handing control over to the adversary," Webster says. Such incidents
highlight the importance for organizations to have a well-tested data
backup and incident response process in place, he notes.

Gold Lowell, however, generally takes steps to instill confidence that
the victim will get their data back once payment has been received. It
offers to decrypt files as a test, for instance, and advice on
purchasing bitcoin and how to set up bitcoin wallet.

"Long-term ransomware campaigns only work if the victim is confident
that they will get their data back, and the SamSam actors clearly take
steps to instill that confidence," Webster says.

More information about the BreachExchange mailing list