One of the ills that has attempted the investors and business holders in cryptocurrency is ransomware. This business has become a million dollar success all over black market and one of the leading examples is SamSam ransomware.
According to a UK based security firm Sophos, SamSam has made a total of about $5.9 million since the time it hit the cryptomarket back in 2015. The security firm made a detailed researched and published a comprehensive paper based on the data collected from victims, testimonies, and data mining samples, which show how the victims are targeted and how the ransom is collected.
— Sophos (@Sophos) July 31, 2018
According to the paper, SamSam uses vulnerabilities in the remote desktop protocol (RDP) or Java-based web servers, or file transfer protocol (FTP) servers to get access to the victim’s private data. They also use brute-force against weak passwords to get hold of the data. Once they’ve made through to the other side, this is when the chaos begins for the victim.
The demographics of the victims show that 74% of the victims are base in the United States. Apart from the United States, the other regions that have faced the attacks are Canada, United Kingdom and Middle East. The largest ransom paid by an individual victim, so far, is valued at $64,000.
Since the day this ransomware came into being, it has chosen its targets carefully. It hasn’t gone slow on large organizations like the Atlanta city government, the Colorado Department of Transportation, several hospitals and educational institutions like the Mississippi Valley State University.
Mode of operation
At the beginning of 2016, a threat of a stream of ransomware attacks appeared. These attacks were like ones that were never seen before. The manual approach to target the victims, where the attacker breaks into the victim’s system by attempting as many logins as the remote desktop protocol allows and guessing weak passwords. Once in, the attacker waits till late at night when the company or organization is least equipped to handle the attack or when the victim is literally asleep. This is the time when the attacker sneaks into the system and encrypts files and makes a priority list on them. These files are then used as leverage to get the victim to pay the required ransom. Since then, the sophistication and progression of the attacks have significantly increased and so has the tempo of the attacks.
“There’s no automation involved in it but what they do is old-school hacking,” says Jake Williams, the founder of Rendition Infosec.
According to the findings, SamSam encrypts not only document files, images, and other personal or work data, but also configuration and data files required to run applications (e.g., Microsoft Office). Victims whose backup strategy only protects the user’s documents and files won’t be able to recover a machine without re-imaging it,
The report by Sophos share the evolutionary timeline of SamSam in their report:
What makes SamSam stand out from other forms of ransomware is that SamSam is not distributed in an unplanned way via spam email campaigns; instead, attackers choose potential targets and infect systems manually. Peter Makenzie, the global malware escalations manager of Sophos estimates that there is a victim of SamSam ransomware every other day. He later said about the organization that:
This is controlled via a small group of people, it’s manually deployed on a victim’s network after they’ve hacked their way in, which is quite different to the majority of ransomware.
Acording to Sophos,
Many victims found that they could not recover sufficiently or quickly enough to ensure business continuity on their own, and reluctantly paid the ransom.
Identifying the hackers
The fascinating fact about SamSam is that they are experts of covering their tracks and because of that, the identity of the author behind SamSam still remains unknown to date. Although the identity could not be traced, Sophos made the following observations on their report:
The consistency of language across ransom notes, payment sites, and sample files, combined with how their criminal knowledge appears to have developed over time, suggests that the attacker is an individual working alone. This belief is further supported by the attacker’s ability not to leak information and to remain anonymous, a task made more difficult when multiple people are involved.
The attacker’s language, spelling and grammar indicates that they are semi-proficient in English but they frequently make mistakes. Their spelling is on the whole good but there are some obvious typos that have not been corrected as shown below:
Prevention of attacks
For security, techniques for network managements can be used, like restricting the administrative privileges of critical systems to as small a number of accounts as possible, and closing possible loopholes, like RDP ports open to the outside world. Endpoint protection should be deployed for security but not for the first line of defense. Real time network and event monitoring is also a key to prevention of hacking.
The more efficient way to keep the companies secure is to keep the systems inside the companies up to date and making the employees make sure that the passwords that they use should be strong as the SamSam attacker has historically entered a network through a combination of exploits and brute forced RDP passwords. Complete, regular vulnerability scans and penetration tests across the network should be run. At the end, educating the staff about security and scanning for phishing attempts.
The attacks totally depend on how careful or careless the company is regarding its security policy of their network.