Executive/press briefing notes and highlights of our investigation into this ransomware campaign

Executive summary

Sophos has been conducting a long-term investigation of the SamSam ransomware campaign since soon after it emerged in late 2015. This report summarises our findings about the attacker’s tools, techniques, and protocols, with the goal of understanding more comprehensively the nature of this relatively unusual threat.

The attack method is surprisingly manual, and more cat burglar than smash-and-grab. As a result, the attacker can employ countermeasures (if needed), and is surprisingly adept at evading many security tools. If the process of encrypting data is interrupted, then the malware comprehensively deletes all trace of itself immediately, to hinder investigation.

SamSam is a particularly thorough encryption tool, rendering unusable not only work data files but any program that isn’t essential to the operation of a Windows computer, most of which are not routinely backed up. Recovery may require reimaging and/or reinstalling software as well as restoring backups. The attacker is very good at covering their tracks and appears to be growing increasingly paranoid (or experienced) as time passes, gradually adding more security features to their tools and websites.

Key findings

The basics

  • The SamSam ransomware first appeared in the wild in December 2015
  • Some victims reported a widespread ransomware event that significantly impacted operations of some large organisations, including hospitals, schools and cities
  • The attack details took some time to obtain because the attacker(s) responsible took great care to obfuscate their methods and delete any evidence that could be revealing
  • Many victims found that they could not recover sufficiently or quickly enough to ensure business continuity on their own, and reluctantly paid the ransom

The statistics

  • By tracking Bitcoin addresses supplied on ransom notes and sample files and by working with the firm Neutrino, Sophos has calculated that SamSam has earned its creator(s) more than US$5.9 million since late 2015
  • Sophos has determined that 74% of the known victims are based in the United States. Other regions known to have suffered attacks include Canada, the UK, and the Middle East
  • The SamSam attacker has received ransom payments as high as $64,000, based on analysis of ransom payments to the Bitcoin wallets tracked
  • Unlike most other ransomware, SamSam encrypts not only document files, images, and other personal or work data, but also configuration and data files required to run applications (e.g., Microsoft Office). Victims whose backup strategy only protects the user’s documents and files won’t be able to recover a machine without reimaging it first
  • Every subsequent attack shows a progression in sophistication and an increasing awareness of operational security (i.e., of how to evade detection)
  • The cost victims are charged in ransom has increased dramatically, and the tempo of attacks shows no sign of slowdown

The victim profile

  • A number of medium- to large-sized public-sector organisations in healthcare, education, and government have published breach disclosures relating to SamSam
  • 100% of known government organisation victims have gone public about the attack. 79% of healthcare industry organisations went public, as did 38% of education institution victims
  • The organisations that publicly disclosed an attack only comprise 37% of the SamSam victims Sophos has identified. We believe there may be hundreds more victims who have made no public statement, but we don’t know who they are
  • To date, no other industry or private sector business has made any kind of public statement confirming a SamSam attack (that we have been able to locate). More than half of the total number of victims have remained uncharacteristically silent about the attacks

The attack in detail

  • Sophos strongly suspects many attacks begin with a Remote Desktop compromise of a machine inside the network. The attacker is also known to deploy exploits at vulnerable machines to perform remote code execution
  • The attacker takes care in target selection, and attack preparation is meticulous
  • The attacker maintains a presence on the compromised machine while scanning the internal network
  • The attacker uses conventional open-source and commercial tools normally used for systems administration or penetration testing to steal passwords, move ransomware installers to Domain Administrator machines, and push the ransomware to connected workstations
  • Unlike many ransomware attacks, these do not originate in a conventional malicious spam or drive-by download attack. Each attack is a manual break-in of a targeted network
  • The attacker actively resists attempts to block the SamSam installer and routinely employs techniques that bypass some types of endpoint protection on targeted systems, rendering them vulnerable to the ransomware
  • Once the malware can scan the internal network and compile a list of potential victims, the SamSam attackers wait until it is the middle of the night in the victim’s time zone before executing the attack: a command to distribute the malware and begin encrypting the infected machines. Timing it for this most opportune moment, when most users and admins would be asleep, incrementally improves the attack’s chances of success

The balance sheet

  • Sophos estimates that the SamSam attacker earned an average of a hair under US$300,000* per month in 2018
  • From tracking Bitcoin payments made to known wallet addresses owned by the attacker, Sophos has calculated the SamSam take as exceeding US$5.9 million*
  • The largest single ransom received by the SamSam attacker was valued at $64,478* (at the time of payment)
  • Payment is made by victims in bitcoin via a custom “payment site” on the dark web that is at a unique address for each victim organisation
  • The payment site lets the SamSam attacker interact directly with victims, who use a message board-like interface to communicate
  • The ransom amount varies widely by the organisation, but has steadily increased over the time the ransomware has been in active use
  • After full payment has been received, the SamSam attacker moves the cryptocurrency into a system of tumblers and mixers which attempt to launder the source of the Bitcoin through myriad microtransactions

* Note: In order to estimate costs accurately despite wildly fluctuating exchange rates, we calculate the value of a given quantity of Bitcoin as its worth on the day it was acquired by the SamSam attacker, as if the SamSam attacker had immediately cashed it out

Behavioural curiosities and other unique characteristics

  • Recent ransom notes have taken on an apologetic, almost contrite tone, with a ransom note file named SORRY-FOR-FILES.html and a file extension of .weapologize on every encrypted file
  • The first two versions of the SamSam malware appended more than 50 different file extensions to encrypted user files, with only one variant per attack, changing these extensions every few attacks. But since version 3, they have stuck to just the one: “.weapologize”
  • SamSam contains within the program code a hardcoded list of file extensions to target first for encryption. It will encrypt files on that list before all others
  • The ransomware does not only encrypt the files on the hardcoded list of extensions. After it has completed encrypting the files on the list, it encrypts any other file that isn’t necessary to keep Windows running and the IE or Edge browser working. Most backup regimens are not used to maintain backups of program directories or configuration files
  • Throughout the lifetime of the SamSam attacks, certain behavioural tics, in the form of minor spelling or punctuation errors, are repeated. These errors may be instructive in determining the region from which the attacker operates
  • The SamSam payloads have, in the past, contained strings that show build paths on the computer used to compile the malware executables. These build paths could be evidence to point to a specific machine’s use in building the malware
  • The compile time for SamSam malware indicates that the vast majority of samples are built during an 8pm to 11pm window in the attacker’s local time
  • The attacker compiles new copies of the executable malware payloads throughout the week, but builds the fewest on Mondays, and the most on Tuesdays. Even bad guys don’t like Mondays
  • If someone interrupts the encryption process mid-stream, an internal process running in the SamSam malware detects this, and executes a secure deleting utility that wipes the SamSam code and hinders forensic recovery

Recommended security practices

  • There is no silver bullet to security; an active and layered security model is the best practice
  • If you study the methodology, there are several points at which basic security measures can stop the SamSam attacker
  • Sophos recommends implementing these top four security practices right now:
    1. Restrict access to port 3389 (RDP) by only allowing staff who use a VPN to remotely access any systems. Use multi-factor authentication for VPN access
    2. Complete, regular vulnerability scans and penetration tests across the network; if you haven’t followed through on recent pen-testing reports, do it now
    3. Multi-factor authentication for sensitive internal systems, even for employees on the LAN or VPN
    4. Create backups that are offline and offsite, and develop a disaster recovery plan that covers the restoration of data and whole systems
  • Additional best security practices Sophos recommends are:
    o Layered security that blocks attackers from all points of entry and from gaining access once inside a network
    o Rigorous and diligent patching
    o Server-specific security with Lockdown capabilities and anti-exploit protection, especially for unpatched systems
    o Security that synchronises and shares intelligence to activate lockdowns
    o Endpoint and server security with credential theft protection
    o Hard-to-crack and unique IT admin passwords with multi-factor authentication
    o Improved password policies: encourage employees to use secure password managers, longer passphrases and the non-reuse of passwords across multiple accounts (see: How to pick a proper password)
    o Periodic assessments, using third-party tools like Censys or Shodan, to identify publicly accessible services and ports across your public-facing IP address space, then close them
    o Improved account access controls: enact sensible policies to secure idle accounts; automatically lock accounts and alert IT staff after a number of failed login attempts
    o Regular phishing tests and staff education about the perils of phishing
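The recommendations above to restrict RDP (port 3389) and to alert after repeated failed logins can be backed by a simple detection. The following is an added example, not code from the Sophos report: it counts Windows failed-logon events (Security event 4625) with logon type 10 (RemoteInteractive, i.e. RDP) per source address inside a sliding time window and raises one alert per offending source. The log lines and their pipe-separated layout are constructed for the demo, not a real export format.

```python
# Added example (not from the Sophos report): flag password guessing against
# RDP by counting failed logons (Windows Security event 4625, logon type 10)
# per source address inside a sliding time window. The sample below is
# constructed; the field layout is an assumption, not a real export format.
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = "4625"      # Windows Security: an account failed to log on
RDP_LOGON_TYPE = "10"      # RemoteInteractive (Terminal Services / RDP)

# Constructed sample: timestamp|event_id|account|source_ip|logon_type
SAMPLE_LOG = """\
2018-03-01T02:14:05|4625|admin|203.0.113.7|10
2018-03-01T02:14:09|4625|administrator|203.0.113.7|10
2018-03-01T02:14:12|4625|backup|203.0.113.7|10
2018-03-01T02:14:20|4625|svc_sql|203.0.113.7|10
2018-03-01T02:14:27|4625|admin|203.0.113.7|10
2018-03-01T02:14:33|4624|jsmith|10.0.0.25|2
2018-03-01T02:15:01|4625|jsmith|10.0.0.25|10
2018-03-01T02:45:40|4625|jsmith|10.0.0.25|10
"""

def parse_line(line):
    ts, event_id, account, src, logon_type = line.split("|")
    return datetime.fromisoformat(ts), event_id, account, src, logon_type

def detect_rdp_bruteforce(log_text, threshold=5, window_minutes=10):
    """Return (source_ip, first_seen, accounts_tried) for every source that
    reaches `threshold` failed RDP logons within `window_minutes`; one alert
    per source, raised at the moment the threshold is crossed."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)     # src -> deque of (timestamp, account)
    alerted, alerts = set(), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, src, logon_type = parse_line(line)
        if event_id != FAILED_LOGON or logon_type != RDP_LOGON_TYPE:
            continue                # successful or non-RDP logons are ignored
        q = recent[src]
        q.append((ts, account))
        while q and ts - q[0][0] > window:   # slide: drop events outside window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, q[0][0], sorted({a for _, a in q})))
    return alerts

if __name__ == "__main__":
    for src, first, accounts in detect_rdp_bruteforce(SAMPLE_LOG):
        print(f"ALERT {src}: {len(accounts)} accounts since {first:%H:%M:%S}: {accounts}")
```

With the defaults the single burst from 203.0.113.7 is reported while jsmith’s two failures, thirty minutes apart, are not; in production the same logic would feed an automatic lockout or a SOC alert.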
