A ransomware threat called SamSam that’s known for crippling IT systems in hospitals, schools and government organizations has made many more victims than previously believed.
Security researchers from Sophos worked with cryptocurrency tracking firm Neutrino to follow ransom payments associated with SamSam and found that they totaled nearly $6 million, six times more than previous estimates.
The company has also identified many more victims who paid the ransom than were previously known—233—half of which were companies from the private sector. This shows that SamSam is not only targeting the healthcare, government and the education sectors, where many of the infections with this threat had been reported until now.
“Based on the much larger number of victims now known, it seems that far from being unaffected, the private sector has actually borne the brunt of SamSam,” the Sophos researchers said in a blog post. “Victims in that sector have simply been far more reluctant to come forward.”
SamSam appeared in 2015 and is still active today. However, unlike other ransomware threats that are distributed indiscriminately through mass spam campaigns, the SamSam victims are more carefully selected. This also explains the much higher ransom demands associated with SamSam attacks, which typically are in the tens of thousands of dollars.
The SamSam creator, which Sophos believes to be a lone individual, typically gains access to victims’ networks by using brute-force tools to guess weak RDP (Remote Desktop Protocol) credentials. The attacks are timed to happen during the night depending on where each victim is located, showing a high level of involvement from the hacker.
Moreover, the malware doesn’t have worming capabilities that allow it to spread itself across local networks by exploiting vulnerabilities. Rather, the attacker connects to the compromised systems and performs lateral movement manually, adapting his tools and techniques to each specific environment.
“By working in this way, the attacker can try over and over again to work around defences and gain the access they want,” the Sophos researchers said. “If the SamSam attacker is on your network they will likely stay on it until they succeed, unless they’re kicked off.”
The hacker uses various tools to gain domain admin privileges, which grants him access to most machines on compromised networks. The ransomware routine is only executed after the malware has been copied to a large number of systems, to maximize the attack’s impact.
This tactic usually leaves victim organizations in an inability to perform their day-to-day operations and, faced with a lengthy recovery process that could take days or weeks, makes them more likely to pay the ransom. This is also why the SamSam attacker has been able to successfully extract payments of up to $50,000 from each victim, vastly more than other ransomware groups.
Unlike most other ransomware programs, which typically encrypt documents, images and work data, SamSam also targets application configuration files. This means that even if work files are restored from backups, the applications installed on an affected system will fail to work properly.
“Thanks to an improved understanding of the way that SamSam targets files in the victim’s operating system, Sophos now recommends that backing up your business data is not enough,” the Sophos researchers said. “To recover swiftly from a SamSam attack, organisations need more than a plan for restoring data – they need a comprehensive plan for rebuilding machines.”
The threat actor behind SamSam is certainly skilled and their attacks have displayed a progression in sophistication and awareness over the past two years, the researchers warn. The spelling and grammar seen in ransom notes suggest that the attacker is semi-proficient in English, but still frequently make mistakes.