New SamSam ransomware campaign aims at targets across the US

Hackers behind powerful file-locking malware with high ransom demands continue to target organisations they find vulnerable to attacks.
Written by Danny Palmer, Senior Writer

SamSam ransomware is still plaguing organisations across the US, with fresh attacks against 67 new targets -- including at least one involved with administering the upcoming midterm elections.

The malware is designed in such a way that it in addition to encrypting files and data across target networks, it also goes after backups as a means of ensuring that victims are truly left with no option than to give in and pay the ransom.

These tactics are working, as the group behind SamSam are thought to have made over $6m from ransom payments, often demanding over $50,000 in bitcoin for restoring systems.

Unlike other ransomware attacks which are often just spammed out to potential victims via phishing emails, SamSam attacks begin with remote desktop protocol (RDP) compromise via either brute force attacks on networks or by using stolen credentials purchased on underground forums.

The criminal operators meticulously prepare the attack so that it does maximum damage to the target organisation, only pulling the trigger on the infection once they've exploited vulnerabilities and stolen credentials to make their way across as much of the network as possible. It's been seen to use the leaked NSA exploit EternalBlue to help its spread across networks.

It was SamSam ransomware that was responsible for high profile cyber incidents such as the City of Atlanta being forced offline -- although in that instance, the city didn't pay the ransom.

SEE: Ransomware: An executive guide to one of the biggest menaces on the web

SamSam is still proving to be a successful operation for those behind the campaigns, with researchers at Symantec noting that the group remains heavily active, with fresh attacks against dozens of targets -- most of which are in the US.

The ransomware has targeted almost all sectors, but Symantec figures suggest that healthcare is the most badly hit, with a quarter of SamSam incidents targeting hospitals and related organisations.

Researchers also note that one targeted organisation -- which hasn't been identified in the report -- is set to play a role in administrating elections, something which could cause heavy disruption to the upcoming midterms on November 6 if an attack is successful in locking out systems and causing disruption.


SamSam ransomware note.

Image: Sophos

However, it's unlikely that the SamSam group went after local government administration in an effort to directly impact the election -- the attackers merely target organisations they see as vulnerable to the ransomware and are able to exploit by gaining access to the networks of.

The attackers often use 'living off the land' tactics to help them move across the network, using operational system features and legitimate administration tools to help compromise victims.

It's also known for the attackers to drop two different forms of SamSam onto networks so that in the event of one being defended against, there's the opportunity for the second variant to be successful.

"They have the capability to break into networks and use multiple tools to map the network, steal passwords and, ultimately, run ransomware on a large number of machines," Dick O'Brien, Threat Researcher at Symantec told ZDNet.

"The fact that they develop multiple versions of the ransomware shows that they've the skill and resources for continual development. Loading up two different versions when performing attacks in order to have a backup to hand if one version is detected shows a degree of contingency planning not often seen."

SEE: Ransomware: Not dead, just getting a lot sneakier

This stealthy approach to attacks, combined with specially selecting targets has enabled SamSam to prosper as one of the most successful -- and damaging -- forms of ransomware to organisations throughout 2018.

While the majority of targets are in the US, the malware has also targeted a small number of organisations in Portugal, France, Australia, Ireland, and Israel.

But despite the threat posed by SamSam, it isn't all powerful and organisations can protect themselves. With attacks coming via RDP, organisations should restrict access to public-facing ports to essential operations.

Default passwords and two-factor authentication should also be applied -- especially on sensitive systems -- in order to stop SamSam spreading itself across the network if it does find a way in.

It's also recommended that organisaitons create backups which are offline and offsite, so if SamSam does take hold of the network, there is a means of restoring the network without giving into the ransom demand.

Read more on cyber crime

Editorial standards