SamSam: The new ransomware that has raised ransom demands of almost $6 million

Network and endpoint security leader Sophos has uncovered a new ransomware which it claims has raised vastly more ransom demands of almost of $6 million. Known as SamSam, Sophos says the ransomware is used in targeted attacks by a skilled team or individual, who breaks into a victim’s network, surveils it and then runs the malware manually.

Unlike most other ransomware, Sophos says SamSam encrypts not only document files, images, and other personal or work data, but also configuration and data files required to run applications (e.g., Microsoft Office). Victims whose backup strategy only protects the user’s documents and files won’t be able to recover a machine without reimaging it, first

The attacks are tailored to cause maximum damage and ransom demands are measured in the tens of thousands of dollars. The attack method is surprisingly manual, and more cat burglar than smash-and-grab. As a result, the attacker can employ countermeasures (if needed) and is surprisingly adept at evading many security tools. If the process of encrypting data is interrupted, then the malware comprehensively deletes all trace of itself immediately, to hinder investigations.

SamSam is a particularly thorough encryption tool, rendering not only work data files unusable but any program that isn’t essential to the operation of a Windows computer, most of which are not routinely backed up. Recovery may require reimaging and/or re-installing software as well as restoring backups. Sophos says the attacker is very good at covering their tracks and appears to be growing increasingly paranoid (or experienced) as time passes, gradually adding more security features into his tools and websites.

According to key findings from Sophos, the SamSam ransomware first appeared in the wild in December 2015. Some victims reported a widespread ransomware event that significantly impacted the operations of some large organizations, including hospitals, schools, and cities. The attack details took some time to obtain because the attacker(s) responsible took great care to obfuscate their methods and delete any evidence that could be revealing. It notes that many victims found that they could not recover sufficiently or quickly enough to ensure business continuity on their own and reluctantly paid the ransom

By tracking Bitcoin addresses supplied on ransom notes and sample files and by working with the firm Neutrino, Sophos has calculated that SamSam has earned its creator(s) more than US$5.9 million since late, 2015. In 2018, Sophos estimates that the SamSam attacker earned an average of a hair under US$300,000 per month.

74% of the known of the SamSam ransomware victims are based in the United States. Other regions known to have suffered attacks include Canada, the UK, and the Middle East. The SamSam attacker is also said to have received ransom payments as high as $64,000, based on analysis of ransom payments to the Bitcoin wallets tracked.

From tracking Bitcoin payments made to known wallet addresses owned by the attacker, Sophos has calculated the SamSam take as exceeding US$5.9 million. The largest single ransom received by the SamSam attacker was valued at $64,478 (at the time of payment). Payment is made by victims in bitcoin via a custom “payment site” on the dark web that is at a unique address for each victim organization. The payment site lets the SamSam attacker interact directly with victims, who use a message board-like interface to communicate. The ransom amount varies widely by the organization but has steadily increased over the time the ransomware has been in active use. After full payment has been received, the SamSam attacker moves the cryptocurrency into a system of tumblers and mixers which attempt to launder the source of the Bitcoin through myriad microtransactions

To protect from this new ransomware, Sophos is recommending that individuals or organizations adopt an active and layered security model. It is also recommending restricted access to port 3389 (RDP) by only allowing staff who use a VPN to be able to remotely access any systems. Utilize multi-factor authentication for VPN access. Organisations are also being requested to run complete and regular vulnerability scans and penetration tests across the network as well as multi-factor authentication for sensitive internal systems, even for employees on the LAN or VPN.

Organizations are also being advised to create back-ups that are offline and offsite and develop a disaster recovery plan that covers the restoration of data and whole systems. Additional best security practices Sophos recommends include layered security that blocks attackers from all points of entry and from gaining access once inside a network, rigorous and diligent patching, server-specific security with Lockdown capabilities and anti-exploit protection, especially for unpatched systems. Others security measures include security that synchronizes and shares intelligence to activate lockdowns, endpoint and server security with credential theft protection, hard to crack and unique IT admin passwords with multi-factor authentication, improve password policies, periodic assessments, using third-party tools like Censys or Shodan, to identify publicly-accessible services and ports across your public-facing IP address space, then close them, improved account access control and also regular phishing tests and staff education about the perils of phishing