Sophos warns of more SamSam ransomware copycat attacks in 2019

Instead of using mass spamming techniques to blast malware to millions of recipients in the hope of collecting thousands of dollars each from thousands of victims scattered all over the world, the SamSammers used a more pin-point approach.

They identified lists of networks where they knew there was a security hole, such as a remote access portal with a guessable password, and picked just one network at a time to attack.

By scrambling hundreds of computers in a single network at the same time – often, ironically, by employing the same sort of sysadmin techniques that a legitimate IT staffer might use to distribute a genuine software update – the crooks generally ended up in a very strong position from which to extort money.

According to a story published by the Wired, the U.S federal prosecutors have indicated these individuals who have been deployed the notorious SamSam ransomware and Sophos has been tracking this and other similar targeted ransomware attacks for a while.

Chester Wisniewski, principal research scientist at Sophos, describes this human-centered approach to be successful, with the authors of SamSam ransomware collecting an estimated $6.5m over the course of almost three years. The attacks were more cat burglar in style – they strategically happened when victims were asleep, indicating that the attacker carries out reconnaissance on victims and carefully plans who, what, where and when attacks will happen. In these attacks, cybercriminals target weak entry points and brute-force Remote Desktop Protocol (RDP) passwords. Once in, they move laterally, working one step at a time to steal domain admin credentials, manipulate internal controls, disable back-ups and more to hand-deliver the ransomware. By the time most IT managers notice what’s happening, the damage is done. Other cybercriminals have taken note, and more copy cats are  expected in 2019.

“Based on Sophos’ research, we suspected this was a small group of people by the degree of operational security they employed. They were not braggarts or noisy on dark web forums as is typical of many amateurs. Some of the grammatical and punctuation tics Sophos saw may have been due to the threat actors’ not being native English speakers. Tehran’s time zone is GMT+3:30 and that may have been evident in the compile times of the malware samples we analyzed, and the threat actor’s “work hours” were consistent with this time zone. The Sophos SamSam report and 2019 Threat Report explain in detail how they operated with their attacks. Their TTP was unique and employed some very intriguing protection measures that evolved over time. Sadly, they have inspired a whole new generation of attacks that are using the same playbook against other large and mid-sized organizations. Sophos details immediate steps businesses need to take in its reports on SamSam and the SophosLabs 2019 Threat report, not only because these cybercriminals are still on the run, but because they have inspired others to follow in their footsteps.” Says Wisniewski.

This goes to show that no amount of malicious code, covert operations and cryptocurrency puts a criminal beyond our ability to identify and bring forth charges for stealing and extorting money from innocent people. By identifying the Bitcoin wallets associated with this criminal activity they have essentially marked them as poison. Anyone who attempts to help launder those cryptocurrencies and assists in converting them to real money will be an accessory to the crimes alleged to have been committed.