Sophos has been conducting a long-term investigation of SamSam since soon after it emerged in late 2015. The company estimates that the average SamSam attacker has earned nearly $300,000 per month this year.
To get the lowdown on SamSam, we spoke with Chet Wisniewski, Sophos research scientist. In many ways, SamSam is “completely different” from typical ransomware, he said.
“Mostly what we’ve been talking about for the last five years is what we call opportunistic or ‘spray and pray,’” he said. “You send out 100,000 emails with a malicious attachment, and you cross your fingers and hope somebody opens them somewhere, and when they do, you don’t know if that victim is going to be somebody’s aunt or uncle, or a small business or a hospital, so of course because it’s automated and bot-like, you set a generic price. [You] ask $500 per computer and hope the victim has $500. And they’ll try to target people in rich countries so that they’re likely to pay. That’s sort of the traditional model.”
SamSam, however, is being deployed by hand and the “criminal or criminals are literally going down the cyber walkway checking doorknobs to see if they’re loose, and if they see a door ajar or a handle that turns a little bit, they use their skills to break in, exploit the vulnerability, and they don’t just deploy the ransomware right away,” Wisniewski said.
“If they break into your business, they find a vulnerability, say in your web app, or if you’ve got an unsecured remote desktop protocol port open for remote access for your systems and that kind of thing — once they get in, now they actually kind of case the joint the way somebody would in a traditional burglary,” he said. “They start looking around [for] … the admin accounts, and can we write a script to disable them all at the same time? So that when we unleash the ransomware, none of the admins can log in. And they’ll look to see if the backups are online or offline.”
They’ll erase all backups so the target can’t recover as easily and is more likely to pay the ransom, Wisniewski said. The largest single ransom received by a SamSam attacker was nearly $65,000.
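The scripted mass-disabling of admin accounts that Wisniewski describes leaves an audit trail a defender can watch for. The following is an added detection example, not code from Sophos or from the article: it scans constructed Windows Security-log records for bursts of event ID 4725 ("A user account was disabled") issued by a single account within a short window. The sample records, account names and the threshold/window values are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from any real incident):
# (timestamp, event id, subject account performing the action, target account).
# Event ID 4725 is the Windows audit event for "A user account was disabled".
SAMPLE_EVENTS = [
    ("2018-08-01T02:14:03", 4725, "CORP\\svc-deploy", "CORP\\admin.jsmith"),
    ("2018-08-01T02:14:04", 4725, "CORP\\svc-deploy", "CORP\\admin.kpatel"),
    ("2018-08-01T02:14:04", 4725, "CORP\\svc-deploy", "CORP\\admin.lwong"),
    ("2018-08-01T02:14:06", 4725, "CORP\\svc-deploy", "CORP\\admin.backup"),
    ("2018-08-01T09:30:11", 4725, "CORP\\hr.onboard", "CORP\\contractor.old"),
    ("2018-08-01T11:02:47", 4624, "CORP\\jsmith", "-"),  # an ordinary logon
]


def find_mass_disables(events, threshold=3, window=timedelta(minutes=5)):
    """Return [(subject, [targets])] for each subject that disabled at least
    `threshold` accounts inside any `window`-long span.  A single routine
    disable (e.g. HR offboarding one contractor) does not trigger an alert;
    a script knocking out several admins within seconds does."""
    by_subject = defaultdict(list)
    for ts, event_id, subject, target in events:
        if event_id == 4725:
            by_subject[subject].append((datetime.fromisoformat(ts), target))

    alerts = []
    for subject, hits in by_subject.items():
        hits.sort()  # chronological; sliding window over the sorted hits
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                # Report every target disabled inside the window that
                # first crossed the threshold, then move on to next subject.
                cutoff = hits[start][0] + window
                targets = [t for ts, t in hits[start:] if ts <= cutoff]
                alerts.append((subject, targets))
                break
    return alerts


if __name__ == "__main__":
    for subject, targets in find_mass_disables(SAMPLE_EVENTS):
        print(f"ALERT: {subject} disabled {len(targets)} accounts: {targets}")
```

Pairing this with an alert on backup deletion or unexpected backup-service changes covers both of the pre-detonation steps described above.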
SamSam is a particularly thorough encryption tool, rendering not only work data files unusable, but any program that isn’t essential to the operation of a Windows computer, most of which aren’t routinely backed up. Recovery might require reimaging and/or reinstalling software, as well as restoring backups.
A common perception has been that SamSam has specifically targeted health care and government, but a closer look reveals that “no industry is really left unhit,” he said.
“I think what has distorted our view of these attacks historically is the types of organizations that are likely to admit that they had a problem is really the truth of it,” Wisniewski said. “When a hospital gets hit and they’re unable to accept patients in the emergency room, it’s a headline and we learn about it right away, and they explain to us what happened. The city of Atlanta, of course, is a civic organization that’s responsible to the taxpayers, so they can’t really sweep it under the carpet; whereas a private industry has a much bigger incentive to not really disclose that these things are happening to them. But this shows it is happening to them, sadly.”
As for protecting your organization from SamSam, the good news is it’s “not a lot of really hard stuff, it’s just focusing a little harder on …