SamSam operators switch tactics and focus on targeted organizations

Pierluigi Paganini April 30, 2018

SamSam ransomware is making headlines again: its operators now spread thousands of copies of the ransomware at once inside individual, carefully chosen organizations.

Ransomware continues to be one of the most dangerous cyber threats, and incidents like the one suffered by the city of Atlanta demonstrate that the economic impact on victims can be severe.

According to malware researchers at Sophos, SamSam operators are now spreading thousands of copies of the ransomware at once into a single organization. The experts warn that these are targeted attacks: the victim organizations are carefully selected by the crooks.

“Unlike most of the well-known ransomware families, which attack randomly, SamSam is used against specific organizations, those most likely to pay to get their data back, like hospitals or schools.” reads the analysis published by Sophos.

“Instead of spam campaigns, the cybercriminals behind SamSam use vulnerabilities to gain access to the victims’ network or use brute-force tactics against the weak passwords of the Remote Desktop Protocol (RDP).”

The operators behind the recently observed SamSam campaign exploit known vulnerabilities to compromise the networks of targeted organizations, and they have also been seen brute-forcing Remote Desktop Protocol (RDP) passwords.

Once a system inside the targeted organization is compromised, the SamSam operators search for other machines to infect while harvesting credentials.

When the operators identify a potential target, they manually deploy SamSam using tools such as PsExec and batch scripts.
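The chain described above (RDP password guessing, a credential that finally works, then PsExec pushing the payload onto other hosts) leaves a recognisable trail in Windows event logs. The following Python script is an added example written for this article, not code from Sophos or from the SamSam operators. It runs two detections over constructed sample events modelled on Security events 4625/4624 (logon type 10 is RemoteInteractive, i.e. RDP) and System event 7045 (a new service installed, which PsExec triggers as PSEXESVC). The field names, thresholds and sample data are assumptions for illustration.

```python
"""
Added example (not Sophos' code and not from the SamSam operators): two detections
for the precursors described in the article, run over constructed Windows-style events.

  * RDP brute force  : many Security 4625 (logon failure) events with logon type 10
                       (RemoteInteractive, i.e. RDP) from one source IP in a short window,
                       followed by a 4624 (successful logon) from the same source.
  * PsExec deployment: System 7045 (new service installed) whose service name or binary
                       is PSEXESVC, the default name PsExec registers on the target.

Field names (ts, host, id, logon_type, src_ip, user, service_name, image_path) are
assumptions for this example; map them from your own log pipeline.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_events():
    """Constructed sample events, not real logs."""
    t0 = datetime(2018, 4, 20, 2, 0, 0)
    events = []
    # 12 failed RDP logons from one source in under three minutes: password guessing.
    for i in range(12):
        events.append({"ts": t0 + timedelta(seconds=15 * i), "host": "DC01", "id": 4625,
                       "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"})
    # The guess that worked.
    events.append({"ts": t0 + timedelta(seconds=200), "host": "DC01", "id": 4624,
                   "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"})
    # A user mistyping a password twice half an hour later: must not alert.
    for i in range(2):
        events.append({"ts": t0 + timedelta(minutes=30 + i), "host": "DC01", "id": 4625,
                       "logon_type": 10, "src_ip": "198.51.100.4", "user": "jsmith"})
    # PsExec pushing a payload onto a file server, next to a benign service install.
    events.append({"ts": t0 + timedelta(minutes=45), "host": "FS01", "id": 7045,
                   "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"})
    events.append({"ts": t0 + timedelta(minutes=46), "host": "FS01", "id": 7045,
                   "service_name": "BackupAgent", "image_path": r"C:\Program Files\Backup\agent.exe"})
    return events


def detect_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Map (host, src_ip) -> peak number of RDP logon failures seen inside any
    sliding `window`, for sources that reach `threshold`.
    Caveat: with Network Level Authentication enabled, failed RDP attempts can be
    logged with logon type 3 instead of 10, so consider matching both in production."""
    failures = defaultdict(list)
    for ev in events:
        if ev.get("id") == 4625 and ev.get("logon_type") == 10:
            failures[(ev["host"], ev["src_ip"])].append(ev["ts"])
    alerts = {}
    for key, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[key] = peak
    return alerts


def detect_logon_after_bruteforce(events, alerts):
    """Successful RDP logons (4624, type 10) from a source already flagged by
    detect_rdp_bruteforce: the point at which guessing turned into access."""
    return [(ev["host"], ev["src_ip"], ev["user"]) for ev in events
            if ev.get("id") == 4624 and ev.get("logon_type") == 10
            and (ev["host"], ev["src_ip"]) in alerts]


def detect_psexec_service(events):
    """7045 service installs that look like PsExec. Caveat: PsExec's -r switch renames
    the service, so also review 7045 events pointing at binaries in unusual paths."""
    hits = []
    for ev in events:
        if ev.get("id") != 7045:
            continue
        name = ev.get("service_name", "")
        path = ev.get("image_path", "")
        if name.upper().startswith("PSEXESVC") or "psexesvc" in path.lower():
            hits.append((ev["host"], name, path))
    return hits


def run_detections(events):
    """Run all detections; returns a dict suitable for an alert pipeline."""
    bf = detect_rdp_bruteforce(events)
    return {
        "rdp_bruteforce": bf,
        "logon_after_bruteforce": detect_logon_after_bruteforce(events, bf),
        "psexec_service": detect_psexec_service(events),
    }


if __name__ == "__main__":
    for name, result in run_detections(build_sample_events()).items():
        print(f"{name}: {result}")
```

The sliding window matters: a fixed five-minute bucket would let an attacker spread guesses across a bucket boundary, while the window above counts the densest run regardless of where it starts. The two user mistypes stay below the threshold, and the 4624 from the flagged source is the event worth paging on, since it marks the moment the operators gained a foothold from which the PsExec deployment follows.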

The following diagram shows the different steps of the latest SamSam variant, for which the initial infection vector is still unclear.

[Diagram: SamSam new variant, attack steps]

Once the largest possible number of systems in the targeted organization is infected, the SamSam operators offer a complete clean-up of all of them for a special price.

“Instead of blasting out one copy of the malware out to thousands of potential victims over a day or two, the crooks blast thousands of copies of the malware onto computers inside a single organisation, pretty much all at once…” reads a blog post published by Sophos. “…and then, almost casually, they offer a “volume discount” to fix the entire company in one fell swoop.”

Individual PCs are priced at the equivalent of about $7,200 each, but the crooks “only” request $45,000 to decrypt the whole company.

The Bitcoin ransom appears to be adjusted to the BTC-to-USD exchange rate at the time the organization is infected.

“We don’t know why the price is $45,000. For all we know, that number was picked because it’s below certain reporting thresholds, or because the crooks want to pick the highest value they dare without getting into corporate board-level approval territory. All we can say is that $45,000 is a lot of money.” continues the post.

Rather than pay the entire ransom, victims can pay to restore only selected machines by sending their hostnames to the operators.

System administrators should install security updates for all software deployed in the organization, run security software, and always keep backups of their data.


Pierluigi Paganini

(Security Affairs – SamSam ransomware, hacking)
