SamSam Ransomware Evolves Its Tactics Towards Targeting Whole Companies

The gang behind the Atlanta city shutdown and other attacks is selecting victims carefully and offering volume discounts to unlock whole organizations.

Ransomware has lately lost its status as the queen of the cybercrime prom, but a new iteration of the nefarious SamSam extortion code shows that it can still make a bid to be sparkly and attention-getting.

The latest version of SamSam has taken the malware road less traveled, ditching widespread spam campaigns for unusually targeted, whole-company attacks. According to an analysis by Sophos, in a reversal of previous tactics, SamSam operators are now launching thousands of copies of the ransomware at once into individual organizations, each of which has been carefully selected.

To effect the “whole-company” play, SamSam uses various vulnerability exploits rather than phishing and spam to gain access to a victim company’s network; it’s also been seen using brute-force tactics against weak Remote Desktop Protocol (RDP) passwords, Sophos said. After gaining a foothold, SamSam follows its known pathology, seeking out additional victims via network-mapping and stealing credentials – a tactic that Cisco Talos analysts noticed back in January. Once the potential targets are discovered, the attackers manually deploy SamSam on the selected systems, using tools like PSEXEC and batch scripts.

After they’ve infiltrated a target company and saturated it with the malware, the operators are also mixing things up when it comes to business tactics: They’re offering a “volume discount” to clean all of those machines.

In Sophos’ examination, the volume discount works out to about $45,000 worth of Bitcoin at current exchange rates.

“We don’t know why the price is $45,000,” said Sophos researcher Paul Ducklin, in a post. “For all we know, that number was picked because it’s below certain reporting thresholds, or because the crooks want to pick the highest value they dare without getting into corporate board-level approval territory. All we can say is that $45,000 is a lot of money.”

If companies don’t want the so-called volume discount, they can pay per host, restoring select machines by sending the specific host names to the operators.

As far as how well business is going for the SamSam gang, Talos reported that a SamSam-affiliated Bitcoin wallet address in January had received 30.4 BTC. A second address, active from mid-January, has received 23 payments as of April, Sophos said. Between the two, the criminals have raked in a total income of 68.1 Bitcoin to date, which works out to about $632,199 at the latest exchange rate.

The good news is that basic security hygiene, like patching, segmenting the network, having backups in place and enforcing policy on privileged account access can all help protect against SamSam. Companies should take note and take the time to build a ransomware plan, because the stakes are high: While they shouldn’t pay the ransom, victims are sure to pay in one way or another.

The city of Atlanta, a high-profile recent SamSam victim, ponied up $2.7 million to security firms and consultants to help it get its machines and data back. The attack caused a complete shutdown for days of the Georgia capital’s online systems, which support the police department, city courts, parts of the airport (the world’s busiest) and more. Attackers asked the city to pay $6,800 to unlock each computer, which translates into a whopping $51,000 for all of the needed keys – but the city declined to pay. Regardless, the event was costly – and some systems are still inaccessible, according to reports.

Suggested articles

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.