SamSam Ransomware Targeted Attacks Continue

June 21, 2017 | Chris Doman


Normally new variants of ransomware families aren't particularly interesting.

SamSam, however, is different. Whereas most ransomware is automatically propagated, SamSam is deployed manually.

In addition, the group behind SamSam charges very high ransoms because of the amount of effort invested in their operations, which made them the subject of two FBI Alerts last year.

The attacks seem to peak in waves as campaigns distributing SamSam are executed. A notable recent example was a large hospital in New York that was hit with SamSam in April. The hospital declined to pay the attackers the $44,000 ransom demanded. It took a month for the hospital’s IT systems to be fully restored.

Defending against SamSam is more like defending against a targeted attack than against typical opportunistic ransomware. SamSam attackers are known to:

  • Gain remote access through traditional attacks, such as JBoss exploits
  • Deploy web-shells
  • Connect to RDP over HTTP tunnels such as ReGeorg
  • Run batch scripts to deploy the ransomware over machines
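Of the techniques above, the RDP-over-HTTP tunnelling is the one that leaves the clearest trace in logs a defender already has: a tool like ReGeorg works by sending a continuous stream of HTTP POST requests to a single server-side script, so one client hammering one script page with POSTs is a strong signal. The following is an added example (not code from the original post or from AlienVault) that scans web-server access logs for exactly that pattern. The Combined Log Format lines it parses are constructed samples, the script extensions it watches and the thresholds of 20 POSTs within five minutes are illustrative assumptions, and the client IPs and paths are invented for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined Log Format fields we need: client IP, timestamp, method, path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Server-side script extensions a web-shell or tunnel page would use (assumption).
SCRIPT_EXT = ('.jsp', '.jspx', '.aspx', '.ashx', '.php')


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        'ip': m.group('ip'),
        'ts': datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z'),
        'method': m.group('method'),
        'path': m.group('path').split('?', 1)[0],  # drop the query string
    }


def find_tunnel_candidates(lines, window=timedelta(minutes=5), min_posts=20):
    """Return [(ip, path, max_posts_in_window)] for client/script pairs that
    look like an HTTP tunnel: at least `min_posts` POSTs to one script path
    from one client inside any `window`-long interval. The thresholds are
    illustrative assumptions, not values from the original post."""
    stamps_by_pair = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec['method'] != 'POST':
            continue
        if not rec['path'].lower().endswith(SCRIPT_EXT):
            continue
        stamps_by_pair[(rec['ip'], rec['path'])].append(rec['ts'])

    hits = []
    for (ip, path), stamps in stamps_by_pair.items():
        stamps.sort()
        # Sliding window over sorted timestamps: find the densest burst of POSTs.
        best, j = 0, 0
        for i, t in enumerate(stamps):
            while t - stamps[j] > window:
                j += 1
            best = max(best, i - j + 1)
        if best >= min_posts:
            hits.append((ip, path, best))
    return hits


def _fmt(t):
    return t.strftime('%d/%b/%Y:%H:%M:%S') + ' +0000'


def sample_log():
    """Constructed log lines: one client hammering a script with POSTs
    (tunnel-like), plus ordinary browsing traffic that must not alert."""
    base = datetime(2017, 6, 21, 10, 0, 0)
    lines = []
    for i in range(30):  # 30 POSTs in two minutes from one client
        lines.append('203.0.113.7 - - [%s] "POST /uploads/tunnel.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
                     % _fmt(base + timedelta(seconds=4 * i)))
    for i in range(3):   # a normal user logging in a few times
        lines.append('198.51.100.20 - - [%s] "POST /login.aspx HTTP/1.1" 302 0 "-" "Mozilla/5.0"'
                     % _fmt(base + timedelta(minutes=10 * i)))
    for i in range(40):  # a burst of GETs is not tunnelling and must be ignored
        lines.append('198.51.100.21 - - [%s] "GET /index.jsp?page=%d HTTP/1.1" 200 2048 "-" "Mozilla/5.0"'
                     % (_fmt(base + timedelta(seconds=i)), i))
    lines.append('not a log line')  # malformed input is skipped, not fatal
    return lines


if __name__ == '__main__':
    for ip, path, n in find_tunnel_candidates(sample_log()):
        print('possible HTTP tunnel: %s -> %s (%d POSTs in window)' % (ip, path, n))
```

On the constructed sample the only pair flagged is the client posting to `/uploads/tunnel.jsp`; the login POSTs and the GET burst stay below the bar. In a real deployment the thresholds need tuning against legitimate POST-heavy pages (APIs, file uploads), and a hit on a script path that did not exist a day earlier is the case worth escalating first, since the web-shell and the tunnel page tend to be the same recently dropped file.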

Earlier this week, ID Ransomware spotted new variants of the SamSam ransomware. A review of the code (which decompiles cleanly with the tool ILSpy) indicates that little has changed, apart from some updates to the ransom note:

[Image: SamSam ransom note]

The ransom the victims must pay to recover their files is hardcoded in the malware. In this attack, it was:

  • 1.7 Bitcoin ($4,600) for a single machine
  • 6 Bitcoins ($16,400) for half the machines (allowing the victim to confirm they can recover their files)
  • 12 Bitcoins ($32,800) for all of the machines

The most recent attacks appear to have been successful, at least from the attackers' point of view. The Bitcoin address associated with this week’s attacks has received $33,000.

[Image: SamSam attacks are netting good money]

[Image: SamSam BTC results]

[Image: SamSam decryption requires space]

These new variants remind us that we must remain vigilant and use the latest threat indicators to detect new strains of existing malware. You can view the associated indicators in OTX.

Update: Vallejo has published an analysis on this sample of SamSam.


About the Author: Chris Doman, AlienVault
I've had a long interest in security, but joined the industry after winning the civilian section of the Department of Defense's forensics competition. I run a popular threat intelligence portal (ThreatCrowd.org) in my spare time, and hold a CCHIA (Certified Host Intrusion Analyst) from CREST and a degree in Computer Science from the University of Cambridge.
