[BreachExchange] New SamSam ransomware campaign aims at targets across the US

Destry Winant destry at riskbasedsecurity.com
Tue Oct 30 12:44:07 EDT 2018


SamSam ransomware is still plaguing organisations across the US, with
fresh attacks against 67 new targets - including at least one involved
with administering the upcoming midterm elections.

The malware is designed in such a way that, in addition to
encrypting files and data across target networks, it also goes after
backups as a means of ensuring that victims are truly left with no
option other than to give in and pay the ransom.

These tactics are working, as the group behind SamSam are thought to
have made over $6m from ransom payments, often demanding over $50,000
in bitcoin for restoring systems.

Unlike other ransomware attacks which are often just spammed out to
potential victims via phishing emails, SamSam attacks begin with
remote desktop protocol (RDP) compromise via either brute force
attacks on networks or by using stolen credentials purchased on
underground forums.

The criminal operators meticulously prepare the attack so that it does
maximum damage to the target organisation, only pulling the trigger on
the infection once they've exploited vulnerabilities and stolen
credentials to make their way across as much of the network as
possible. It has been seen to use the leaked NSA exploit EternalBlue to
help it spread across networks.

It was SamSam ransomware that was responsible for high profile cyber
incidents such as the City of Atlanta being forced offline - although
in that instance, the city didn't pay the ransom.

SamSam is still proving to be a successful operation for those behind the
campaigns, with researchers at Symantec noting that the group still
remains heavily active, with fresh attacks against dozens of targets -
most of which are in the US.

The ransomware has targeted almost all sectors, but Symantec figures
suggest that healthcare is the most badly hit, with a quarter of
SamSam incidents targeting hospitals and related organisations.

Researchers also note that one targeted organisation - which hasn't
been identified in the report - is set to play a role in
administering elections - something which could cause heavy
disruption to the upcoming midterms on November 6 if an attack is
successful in locking out systems and causing disruption.

However, it's unlikely that the SamSam group went after local
government administration in an effort to directly impact the election
- the attackers merely target organisations they see as vulnerable to
the ransomware and whose networks they are able to gain access to.

The attackers often use 'living off the land' tactics to help them
move across the network, using operating system features and
legitimate administration tools to help compromise victims.

It's also known for the attackers to drop two different forms of
SamSam onto networks so that in the event of one being defended
against, there's the opportunity for the second variant to be

"They have the capability to break into networks and use multiple
tools to map the network, steal passwords and, ultimately, run
ransomware on a large number of machines," Dick O'Brien, Threat
Researcher at Symantec told ZDNet.

"The fact that they develop multiple versions of the ransomware shows
that they've the skill and resources for continual development.
Loading up two different versions when performing attacks in order to
have a backup to hand if one version is detected shows a degree of
contingency planning not often seen."

This stealthy approach to attacks, combined with specially selecting
targets, has enabled SamSam to prosper as one of the most successful -
and damaging - forms of ransomware threats to organisations throughout

While the majority of targets are in the US, the malware has also
targeted a small number of organisations in Portugal, France,
Australia, Ireland, and Israel.

But despite the threat posed by SamSam, it isn't all powerful and
organisations can protect themselves. With attacks coming via RDP,
organisations should restrict access to public-facing ports to
operations for which it is absolutely essential.
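The RDP brute-force entry point described earlier and the mitigation advice here both come down to the same defensive question: is anyone hammering the RDP service, and did one of those attempts eventually succeed? The script below is an added example for this post, not code from the article, from Symantec or from ZDNet. It assumes Windows Security log events have already been exported into a simple pipe-delimited text form (a constructed format, shown inline) and flags sources that generate many failed RDP logons (event 4625, logon type 10) in a short window, noting whether a successful logon (event 4624) from the same source followed. The threshold and window are arbitrary starting values, not figures from the report.

```python
"""Flag RDP brute-force activity from exported Windows Security events.

Added example: the event export format below is constructed for this
demonstration. Event ID 4625 is a failed logon and logon type 10 is
RemoteInteractive (RDP); 4624 is a successful logon.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export: timestamp | event id | logon type | account | source IP
SAMPLE_EVENTS = """\
2018-10-29T02:00:01|4625|10|administrator|203.0.113.7
2018-10-29T02:00:03|4625|10|admin|203.0.113.7
2018-10-29T02:00:04|4625|10|backup|203.0.113.7
2018-10-29T02:00:06|4625|10|sqlsvc|203.0.113.7
2018-10-29T02:00:07|4625|10|helpdesk|203.0.113.7
2018-10-29T02:00:09|4625|10|it|203.0.113.7
2018-10-29T02:01:30|4624|10|helpdesk|203.0.113.7
2018-10-29T09:15:00|4625|10|jsmith|198.51.100.20
2018-10-29T09:15:40|4624|10|jsmith|198.51.100.20
2018-10-29T09:20:00|4625|3|svc_print|10.0.0.5
"""

THRESHOLD = 5                  # failed RDP logons from one source ...
WINDOW = timedelta(minutes=5)  # ... within this sliding window is suspicious


def parse_events(text):
    """Parse the pipe-delimited export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account,
            "src": src,
        })
    return events


def detect_rdp_bruteforce(events, threshold=THRESHOLD, window=WINDOW):
    """Return {source_ip: summary} for sources that exceed `threshold`
    failed RDP logons inside `window`. The summary records the peak
    failure count, the accounts tried, and whether a successful RDP
    logon from that source followed (a sign that a guessed or stolen
    credential worked)."""
    recent = defaultdict(deque)  # per-source sliding window of failures
    flagged = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != 10:      # only RDP (RemoteInteractive) logons
            continue
        src = ev["src"]
        if ev["event_id"] == 4625:
            q = recent[src]
            q.append(ev)
            while q and ev["time"] - q[0]["time"] > window:
                q.popleft()
            if len(q) >= threshold:
                entry = flagged.setdefault(
                    src, {"failures": 0, "accounts": set(), "success_after": False})
                entry["failures"] = max(entry["failures"], len(q))
                entry["accounts"].update(e["account"] for e in q)
        elif ev["event_id"] == 4624 and src in flagged:
            flagged[src]["success_after"] = True
    return {
        src: {
            "failures": v["failures"],
            "accounts": sorted(v["accounts"]),
            "success_after": v["success_after"],
        }
        for src, v in flagged.items()
    }


if __name__ == "__main__":
    for src, summary in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(src, summary)
```

On the constructed sample, 203.0.113.7 is flagged: six different accounts are tried in under ten seconds and a successful logon follows, which is the pattern to treat as a probable credential compromise rather than a mere nuisance. The single failure from 198.51.100.20 and the non-RDP failure from 10.0.0.5 are not flagged. A host that is not reachable from the internet on RDP at all, as the paragraph above recommends, would simply never produce the first pattern.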

Default passwords should be changed and two-factor authentication applied
- especially on sensitive systems - in order to stop SamSam spreading
itself across the network if it does find a way in.

It's also recommended that organisations create backups which are
offline and offsite, so if SamSam does take hold of the network,
there is a means of restoring the network without giving in to the
ransom demand.
