SamSam Ransomware Threat Actors Move to Targeted Company-Wide Attacks

May 5, 2018


The threat actors behind the latest SamSam ransomware attacks have changed their methods and are now carrying out highly targeted, company-wide attacks with the objective of infecting large numbers of devices.

Businesses are being researched, and those judged most likely to pay the ransom are being attacked. Rather than using spam and phishing emails to gain access to devices, the threat actors are exploiting vulnerabilities to gain access to a system and using brute force attacks that take advantage of weak passwords, particularly on Remote Desktop Protocol (RDP).

Once access to a network is gained, credentials are stolen and various tools, such as PsExec, and batch scripts are used to search the network and install the ransomware payload on selected systems.
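Both of the steps just described, the RDP brute-force entry point and the PsExec-driven deployment, leave traces in standard Windows event logs. The following is an added Python example, not code from the article, Sophos or Cisco Talos, that runs simple detection logic over constructed sample log entries. The event IDs are Windows' own (4625 failed logon, 4624 successful logon, logon type 10 for RDP, 7045 service installed, and PSEXESVC as the service PsExec installs); the host names, IP addresses, timestamps and thresholds are assumptions constructed for the example.

```python
"""Detection logic for the two SamSam intrusion steps described in the
article: RDP password brute forcing, then PsExec-based lateral deployment.
All sample data below is constructed for the example."""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10       # Logon type 10 = RemoteInteractive (RDP / Terminal Services)
FAILED_LOGON = 4625       # Security log: an account failed to log on
SUCCESS_LOGON = 4624      # Security log: an account was successfully logged on
SERVICE_INSTALLED = 7045  # System log: a service was installed on the system
PSEXEC_SERVICE_NAMES = {"PSEXESVC"}  # default service name PsExec creates


def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def _mk(time, host, event_id, **fields):
    """Build one normalised event record (constructed, not a real log line)."""
    return {"time": _t(time), "host": host, "event_id": event_id, **fields}


SAMPLE_EVENTS = [
    # Six RDP failures against FS01 from one external address within 30 seconds,
    # followed by a success: the weak-password pattern the article describes.
    *[_mk(f"2018-04-20T02:00:{s:02d}", "FS01", FAILED_LOGON, logon_type=RDP_LOGON_TYPE,
          user="administrator", src_ip="203.0.113.7") for s in range(0, 36, 6)],
    _mk("2018-04-20T02:00:45", "FS01", SUCCESS_LOGON, logon_type=RDP_LOGON_TYPE,
        user="administrator", src_ip="203.0.113.7"),
    # A single mistyped password from an internal workstation: not brute force.
    _mk("2018-04-20T09:15:00", "WS12", FAILED_LOGON, logon_type=RDP_LOGON_TYPE,
        user="jsmith", src_ip="10.0.5.21"),
    # PsExec's service appearing on two servers shortly after the RDP success.
    _mk("2018-04-20T02:10:00", "FS01", SERVICE_INSTALLED, service_name="PSEXESVC",
        image_path=r"%SystemRoot%\PSEXESVC.exe"),
    _mk("2018-04-20T02:11:30", "SQL02", SERVICE_INSTALLED, service_name="PSEXESVC",
        image_path=r"%SystemRoot%\PSEXESVC.exe"),
    # Legitimate software install: must not be reported.
    _mk("2018-04-20T08:00:00", "WS12", SERVICE_INSTALLED, service_name="BackupAgent",
        image_path=r"C:\Program Files\BackupAgent\agent.exe"),
]


def detect_rdp_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: {"failures": total, "success_after": datetime|None}} for every
    source that produced >= threshold failed RDP logons inside any sliding `window`.
    success_after is the first successful RDP logon from that source at or after
    the burst, which is the sign that a weak password was eventually guessed."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ev in events:
        if ev.get("logon_type") != RDP_LOGON_TYPE:
            continue
        if ev["event_id"] == FAILED_LOGON:
            failures[ev["src_ip"]].append(ev["time"])
        elif ev["event_id"] == SUCCESS_LOGON:
            successes[ev["src_ip"]].append(ev["time"])
    findings = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                later = [s for s in successes[ip] if s >= t]
                findings[ip] = {"failures": len(times),
                                "success_after": min(later) if later else None}
                break
    return findings


def detect_psexec_service_installs(events):
    """Return (host, time) pairs, oldest first, where a PsExec-style service was
    installed. Renamed services need image-path or hash checks as well."""
    hits = [(ev["host"], ev["time"]) for ev in events
            if ev["event_id"] == SERVICE_INSTALLED
            and ev.get("service_name", "").upper() in PSEXEC_SERVICE_NAMES]
    return sorted(hits, key=lambda h: h[1])


def correlate(events, lag=timedelta(hours=1)):
    """Hosts where a PsExec service appeared within `lag` after an RDP logon that
    followed a brute-force burst: the entry-then-spread chain in the article."""
    brute = detect_rdp_brute_force(events)
    success_times = [f["success_after"] for f in brute.values() if f["success_after"]]
    return sorted({host for host, when in detect_psexec_service_installs(events)
                   if any(timedelta(0) <= when - s <= lag for s in success_times)})


if __name__ == "__main__":
    print(detect_rdp_brute_force(SAMPLE_EVENTS))
    print(detect_psexec_service_installs(SAMPLE_EVENTS))
    print(correlate(SAMPLE_EVENTS))
```

Run against real data, the same three functions would be fed events exported from the Security and System logs of each host; the design choice worth noting is that the brute-force detector keys on the source address rather than the account, because the actors described here try many passwords against a handful of administrative accounts from one foothold.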

The objective of the attackers appears to be to infect as many important business systems as possible to maximize disruption and the cost of remediating the attack. The higher the cost of recovery, the more likely it is that the ransom will be paid.

Victims are offered two options for paying the ransom: a bulk discount is offered for the keys to decrypt all infected devices, or victims can pay per host and decrypt files only on selected systems and devices.

An analysis of the attack methods used in the SamSam ransomware campaigns was recently published by Sophos. In a related blog post, Paul Ducklin explained that the typical ransom demand is roughly $45,000 in Bitcoin, with the ransom adjusted to take the value of the cryptocurrency into account.

It is not clear why that amount has been chosen, although Ducklin suggests that the sum is under certain reporting thresholds, or that payment of that amount is unlikely to require board approval. The figure appears to have been set to maximize profits for the attackers while also being sufficiently low to ensure it is paid. The payment will certainly be substantially lower than the cost of recovery without paying the ransom; the City of Atlanta ransomware attack has cost at least $2.6 million to resolve.

Many victims are choosing to pay the ransom, and in the majority of cases payment is made to decrypt all devices, although some businesses have chosen to decrypt only specific hosts.

According to Cisco Talos, one of the Bitcoin wallets associated with SamSam had received 30.4 Bitcoin in January, with a second Bitcoin wallet having received 23 payments. In total the attackers have been paid 68.1 Bitcoin, around $627,500 at the current exchange rate.