This lucrative ransomware campaign secretly surveys vulnerable networks to maximise infections

SamSam ransomware moves laterally across networks after compromising internet-facing systems, and is making its hands-on operators hundreds of thousands of dollars.
Written by Danny Palmer, Senior Writer

An opportunistic ransomware campaign is infecting transport networks, hospitals, education facilities and more by actively seeking out vulnerable systems, and then using them as a gateway to spread laterally across the networks.

Rather than propagating via phishing emails, this campaign looks for unsecured internet-facing systems and uses them as a foothold in the network to spread SamSam ransomware, encrypting files and demanding a ransom to unlock them.

All of these attacks have been attributed to a hacking group called Gold Lowell by researchers at Secureworks. This group, the researchers believe, is responsible for an ongoing and lucrative campaign that has generated over $350,000 in ransoms in just the last few months. One US hospital recently paid the attackers $55,000 to restore systems infected with SamSam.

Gold Lowell's main infiltration method is via Remote Desktop Protocol (RDP) services, which are designed for authorised users outside the network. But these services also provide opportunities for attackers, who employ a number of methods.

Campaigns during 2015 and 2016 used JexBoss, an exploit tool that allows attackers to compromise internet-facing JBoss enterprise tools. More recently, the campaign has switched to using brute-force attacks.

"We've seem them using brute-force, simple password guessing on some of those RDP accounts -- in one organisation there were over 500,000 attempts to guess the password before they got in onto that system," Matthew Webster, a Senior Security Researcher at Secureworks, told ZDNet.

"It's not fancy techniques of high capability, but it's effective and obviously working really well," Webster added.

Once the attackers have gained access to a system on the network, they don't give themselves away immediately. Instead, they attempt to gain access to administrator credentials and other ways of escalating their system privileges.

See also: Ransomware: An executive guide to one of the biggest menaces on the web

One means of extracting information is via Mimikatz, a publicly available tool that can extract credentials from memory; accounts have also been compromised via PowerShell modules used for penetration testing.

Once credentials have been grabbed, the attackers use custom scripts to analyse other computers on the system with ping requests. Successful pings are added to a list of systems to which the ransomware can spread.

Once all potentially vulnerable systems have been identified, the ransomware will spread laterally throughout the network, encrypting multiple systems at once.

With access to the network and stolen credentials, Gold Lowell could actively engage in any number of malicious activities, but choose to focus on installing SamSam across the network.

"They don't go off-track from this process -- we don't see them looking for intellectual property, which they have the opportunity to do; they're very much focused on deploying the ransomware," said Webster.

The victims are asked to pay 0.7 bitcoin ($6,796 at the time of writing) per system, or 3 bitcoins ($29,125) to regain access to all infected systems. The payload also deletes remaining disk space, making recovery from backups much harder, thus ensuring victims are more likely to accede to the demand.


A SamSam ransom note on an infected system.

Image: Secureworks

This means of distributing SamSam is proving effective for attackers, because victims are paying to get their files back. Researchers uncovered $350,000 in a bitcoin wallet associated with the group in 2016, and around the same amount in another wallet in 2018. It's likely only a fraction of what the group has earned.

In order to ensure payment, the attackers also operate a hands-on approach to dealing with victims, even operating a one-to-one service if the victims have questions about securing bitcoin or making payments.

"They clearly go to some effort to put themselves in the position of the victim and answer questions they may have," said Webster.

Gold Lowell has claimed victims across a number of sectors including transport, healthcare and leisure, mostly across the United States. The group isn't targeting any particular type of organisation, but is opportunistic in taking advantage of those with internet-facing systems.

See also: Cyberwar: A guide to the frightening future of online conflict

"It's obviously a different methodology to other ransomware campaigns, but it's highly effective; it means they can get a much wider spread than ransomware attached to a phishing email infiltrating one machine on the network," said Webster.

Secureworks believes that SamSam is the exclusive property of the Lowell Gold group. Not much is known about those behind the operation, but they're skilled enough to regularly update their payload and techniques -- and they aren't distributing it to other potential users.

While some have claimed that ransomware is in decline as attackers move towards other schemes such as cryptocurrency mining, the success of SamSam shows that it remains an effective means of cyberattack. "We're not seeing any sign of ransomware going away," Webster confirmed.

The SamSam campaign is still ongoing, but because its modus operandi almost always involves compromising RDP systems, some relatively simple security policies can help protect against falling victim.

Installing security updates and carrying out basic security hygeine can ensure that SamSam and other threats aren't effective, for example.

"If you put multi-factor authentication on the accounts and protections against anomalous activity, that would have a massive impact against this group," said Webster.


Editorial standards