SamSam Ransomware 101: How It Works and How to Avoid It
04 January 21, 08:00
Quote:
SamSam Ransomware Was Released in Late 2015. Here’s What You Should Know About It.
Malware traditionally spreads through nefarious social engineering practices, phishing campaigns, and malicious attachments. In this way, it manages to profit off of users that are not well-versed in matters of cybersecurity. SamSam ransomware takes a different approach, which is exactly what makes it so dangerous.
In this article, I will first go over what SamSam ransomware is, as well as how it works. As always, stay tuned until the end for some actionable advice on how to prevent a SamSam ransomware infection.
What is SamSam Ransomware?
The first known version of SamSam ransomware appeared in late 2015 or early 2016 (depending on what article you read) and was initially presumed to have been released by an Eastern European hacker group. However, two Iranian men have been indicted for related cybercrime in 2018. The name ‘SamSam’ draws from the filename of the earliest discovered sample.
Also known as Samas or SamsamCrypt, the strain targets organizations within multiple industries, including critical infrastructure establishments from the healthcare and public health sectors, the transportation sector, and the education sector. Most victims were located in the United States, but international cases have been reported over time as well in the UK, France, Portugal, Australia, Canada, Israel, and the Middle East.
From the beginning of 2016 to 2018, SamSam ransomware wreaked havoc among its chosen victims. Below, I have compiled a brief list of three major attacks, all of which took place during its final months of registered activity.
Colorado Department of Transportation
Early in the morning of February 21, 2018, the Colorado Department of Transportation (CDOT) fell victim to a SamSam ransomware attack. CDOT employees were the ones to discover the incident when business hours started and they tried logging onto the network.
Devices in the department’s system all displayed the now-infamous ransom note. Hackers had encrypted essential files and demanded a Bitcoin payment in return for remediation. However, CDOT refused to pay the ransom and focused on mitigating the damages. This effort cost the state $1.7 million in total.
Atlanta Local Government
The city of Atlanta reported a massive cyberattack on March 22, 2018. It was later confirmed that SamSam ransomware was responsible for the incident, gaining unlawful entry into the local government network through a brute force attack. The city was then and still is now a very important transportation and economic hub for the state of Georgia and the United States in general.
In the past, SamSam ransomware has been known to target smaller local governments such as that in the town of Farmington, New Mexico. The attack on Atlanta proved to be hugely disruptive to the everyday lives of citizens and employees alike, with services such as utilities, parking, and court being affected in the aftermath of the attack.
A ransom of $51,000 was demanded by operators via Bitcoin. However, Atlanta officials refused to pay and focused on remediation instead. Recovery costs amounted to $2.7 million in both governmental and third-party services.
On November 28 of the same year, two Iranian hackers were convicted for the attack. As per the U.S. Department of Justice, the SamSam cybercrime group was discovered to be based in Iran, rather than Eastern Europe as initially believed.
Indiana’s Allied Physicians of Michiana
On May 17, 2018, SamSam ransomware operators attacked the Indiana-based Allied Physicians of Michiana (APOM). Fortunately, the healthcare provider immediately responded by shutting down its network to protect confidential patient data. As per an official statement issued soon thereafter, the incident was successfully contained.
The year 2018 was a prolific one for SamSam ransomware attacks against the healthcare sector. Earlier, in January, affiliated hackers infected both Hancock Health’s and Allscript’s systems. Healthcare organizations have accounted for one-quarter of SamSam ransomware attack victims in 2018. The reason behind this remains unknown.
How Does SamSam Ransomware Work?
According to an alert issued by the Cybersecurity & Infrastructure Security Agency (CISA) on December 3, 2018, the SamSam ransomware gang exploits vulnerabilities in an organization’s Windows servers. In this way, malicious actors gain unlawful access to the company network and infect all accessible hosts.
Early reports on SamSam ransomware dating back to 2016 describe the use of the infamous JexBoss Exploit Kit to get into vulnerable JBoss applications.
What is more, an FBI analysis performed in mid-2016 recounts the malicious actors gaining access through the Remote Desktop Protocol (RDP) via stolen credentials or brute force attacks.
As per the FBI, hackers purchased the credentials from Dark Web marketplaces. The targeted networks were attacked within hours of the transaction.
Once the malicious actors behind the operation enter an establishment’s network, they escalate admin rights, drop the malware, and run an executable file. This technique differs from that of other ransomware operators who rely on the victims to open an attachment or infected application. SamSam ransomware propagates through the RDP with little to no interaction from its targets.
...
Continue Reading
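The article above describes the SamSam intrusion path as RDP access gained through stolen credentials or brute force, followed by privilege escalation and manual deployment of the payload. The detection logic below is an added example written for this thread, not code from the article, its author, or any vendor: it runs over a handful of constructed Windows Security events (the real event IDs 4625 "logon failure" and 4624 "logon success", with logon type 10 meaning RemoteInteractive/RDP) and flags a source address that accumulates many RDP failures inside a short window, raising the severity when a success from the same address follows. The threshold, window, sample addresses and usernames are assumptions chosen for the demonstration.

```python
"""Spot RDP password-guessing in Windows Security events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs:
# (timestamp, event_id, logon_type, source_ip, target_user)
SAMPLE_EVENTS = [
    ("2018-02-21 03:10:01", 4625, 10, "203.0.113.7", "admin"),
    ("2018-02-21 03:10:03", 4625, 10, "203.0.113.7", "administrator"),
    ("2018-02-21 03:10:05", 4625, 10, "203.0.113.7", "sa"),
    ("2018-02-21 03:10:07", 4625, 10, "203.0.113.7", "backup"),
    ("2018-02-21 03:10:09", 4625, 10, "203.0.113.7", "helpdesk"),
    ("2018-02-21 03:10:11", 4625, 10, "203.0.113.7", "svc_rdp"),
    ("2018-02-21 03:10:14", 4624, 10, "203.0.113.7", "svc_rdp"),   # guessing paid off
    ("2018-02-21 03:12:00", 4625, 10, "198.51.100.4", "jdoe"),     # user mistyped twice
    ("2018-02-21 03:12:30", 4625, 10, "198.51.100.4", "jdoe"),
    ("2018-02-21 03:12:45", 4624, 10, "198.51.100.4", "jdoe"),     # then logged in: benign
    ("2018-02-21 03:15:00", 4624, 10, "192.0.2.10", "msmith"),     # ordinary RDP session
    ("2018-02-21 03:16:00", 4625, 3, "203.0.113.7", "admin"),      # network logon, not RDP
]

RDP_LOGON_TYPE = 10            # RemoteInteractive (assumption: only RDP is in scope here)
FAIL_THRESHOLD = 5             # failures per source inside WINDOW before we alert (tunable)
WINDOW = timedelta(minutes=5)  # sliding window for counting failures (tunable)


def parse_events(rows):
    """Turn the string timestamps of the sample rows into datetime objects."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, lt, ip, user)
            for ts, eid, lt, ip, user in rows]


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {source_ip: finding} for sources exceeding the RDP failure threshold.

    A finding records the peak failure count seen in one window, the set of
    usernames tried, and whether a 4624 from the same source followed while
    the failure burst was still inside the window.
    """
    recent_failures = defaultdict(list)  # ip -> 4625 timestamps still inside the window
    attempted_users = defaultdict(set)   # ip -> usernames that were guessed
    findings = {}

    for ts, event_id, logon_type, src_ip, user in sorted(events, key=lambda e: e[0]):
        if logon_type != RDP_LOGON_TYPE:
            continue  # other logon types are out of scope for this detector

        if event_id == 4625:
            attempted_users[src_ip].add(user)
            # Slide the window: keep only failures that are still recent, add this one.
            recent = [t for t in recent_failures[src_ip] if ts - t <= window]
            recent.append(ts)
            recent_failures[src_ip] = recent
            if len(recent) >= threshold:
                finding = findings.setdefault(src_ip, {
                    "failures": 0, "users": set(),
                    "success_after": False, "success_user": None,
                })
                finding["failures"] = max(finding["failures"], len(recent))
                finding["users"] |= attempted_users[src_ip]

        elif event_id == 4624 and src_ip in findings:
            last_failure = recent_failures[src_ip][-1]
            # Only a success that closely follows the burst counts as "guessing succeeded".
            if ts - last_failure <= window:
                findings[src_ip]["success_after"] = True
                findings[src_ip]["success_user"] = user

    return findings


def severity(finding):
    """Guessing that ended in a successful logon is the case worth paging on."""
    return "critical" if finding["success_after"] else "high"


if __name__ == "__main__":
    for ip, finding in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(f"{severity(finding).upper()} RDP brute force from {ip}: "
              f"{finding['failures']} failures, users tried={sorted(finding['users'])}, "
              f"success as {finding['success_user']!r}")
```

On the sample data only 203.0.113.7 is reported: the two mistyped passwords from 198.51.100.4 stay under the threshold, and the 4625 with logon type 3 is ignored because it is not an RDP logon. In practice the same logic is what a SIEM rule on 4625/4624 expresses; a threshold alert on its own is noisy, which is why the success-after-failures condition is the one escalated.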
Messages In This Thread
SamSam Ransomware 101: How It Works and How to Avoid It - by harlan4096 - 04 January 21, 08:00