On the whole, when spreading ransomware, the usual malware suspects use old-fashioned 'hit and hope' strategies that reach as many victims as possible, such as mass spam campaigns sent to thousands, potentially hundreds of thousands, of possible targets.
Simple procedures are used to infect each potential victim's system, and the ransomware distributors make money per user; the return per victim is low, but because there are so many victims it is worth the hassle.
A different breed of ransomware is now dominating the headlines: SamSam, which keeps cropping up, seemingly at random, and demanding $50,000.
What is SamSam?
SamSam is a different kind of ransomware, used in highly focused cyber-attacks by a trained group of hackers who penetrate the victim's network, observe the operation and only then enable the malware manually.
On the scene since December 2015, the attacks cause massive damage to systems and the ransom demands are hefty.
High-profile attacks include:
- Atlanta city government
- Colorado Department of Transportation
- U.S. network of COSCO, one of the world's largest shipping companies (suspected and most recent).
Although your chances of being hit with a SamSam ransomware attack are low, the effects are huge.
The trickle-down effect from their typical victims, public sector institutions and, as now uncovered by Sophos, private corporations, is highly likely to sting you at some point.
SophosLabs believes 74% of the victims are US-based and that only 37% of the private companies hacked have yet disclosed the attack, meaning that it's a larger problem in the private sphere than we think and that companies are paying the ransoms.
How it works
In the same report, Sophos details how the ransomware spreads. It appears that SamSam is actually deployed to computers on the victim's network much like a regular software application.
The SamSam attacker gains access via Remote Desktop Protocol by guessing passwords, and most attacks are timed to happen at night in the victim's local time, so the timing shifts across time zones.
SamSam is then spread manually by the hacker, now inside the victim's network. This could explain why this ransomware isn't designed to be deployed on a mass scale, and equally explain the reason for its success, as the hackers can adapt to different system environments.
Having gained access to a network, the SamSam hacker escalates privileges to the level of Domain Admin, giving them full control to execute processes remotely (and so deploy the malware) with PsExec or PAExec.
Once spread, the ransomware encrypts all files on the infected machines, triggered from a central point to inflict the most damage. Then the attackers simply wait until the victim reacts to their demands. Although ransoms are said to have increased from $20,000 to $60,000, most attackers have released the encrypted data back to the victims. Neutrino, a cryptocurrency monitoring organization, has suggested SamSam has profited to the tune of almost $6 million in ransom.
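As an added example (not from the article or the Sophos report), the following Python detection logic looks for the sequence just described in Windows event records: repeated failed RDP logons (event 4625, logon type 10) followed by a success (4624, type 10) from the same source, then a PsExec or PAExec service install (event 7045) on that host. The event IDs are standard Windows ones; the event records are constructed, and the field names, thresholds and the PAExec service-name match are assumptions.

```python
from collections import defaultdict
from datetime import datetime

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed sample events (assumed parsed from Windows Security/System logs); not real data.
FAILS = [{"time": f"2018-03-20 02:1{i}:04", "id": 4625, "logon_type": 10,
          "src": "203.0.113.7", "user": "administrator", "host": "APP01"} for i in range(6)]
EVENTS = FAILS + [
    {"time": "2018-03-20 02:17:30", "id": 4624, "logon_type": 10,
     "src": "203.0.113.7", "user": "administrator", "host": "APP01"},
    {"time": "2018-03-20 09:05:00", "id": 4624, "logon_type": 10,
     "src": "198.51.100.9", "user": "jsmith", "host": "APP02"},  # ordinary daytime logon
    {"time": "2018-03-20 02:40:12", "id": 7045, "host": "APP01", "service": "PSEXESVC"},
    {"time": "2018-03-20 08:00:00", "id": 7045, "host": "APP02", "service": "Spooler"},
]
NIGHT_HOURS = range(0, 6)  # the article says attacks are timed for the victim's night

def detect_rdp_bruteforce(events, threshold=5, window_min=10):
    """Alert when an RDP success (4624) follows >= threshold RDP failures (4625) from the same source to the same host within window_min minutes."""
    fails, alerts = defaultdict(list), []
    for e in sorted(events, key=lambda e: ts(e["time"])):
        if e.get("logon_type") != 10:  # logon type 10 = RemoteInteractive (RDP)
            continue
        key, t = (e["src"], e["host"]), ts(e["time"])
        if e["id"] == 4625:
            fails[key].append(t)
        elif e["id"] == 4624:
            recent = [f for f in fails[key] if (t - f).total_seconds() <= window_min * 60]
            if len(recent) >= threshold:
                alerts.append({"src": e["src"], "host": e["host"], "user": e["user"],
                               "time": e["time"], "failures": len(recent),
                               "night": t.hour in NIGHT_HOURS})
            fails[key].clear()  # a success ends the failure run for that source
    return alerts

def detect_remote_exec_service(events, markers=("PSEXESVC", "PAEXEC")):
    """7045 service installs named like PsExec's PSEXESVC or PAExec (name match is an assumption)."""
    return [e for e in events
            if e["id"] == 7045 and any(m in e["service"].upper() for m in markers)]

def correlate(events):
    """Hosts where a brute-forced RDP logon precedes a PsExec-style service install."""
    svc, hits = detect_remote_exec_service(events), []
    for a in detect_rdp_bruteforce(events):
        later = [s for s in svc if s["host"] == a["host"] and ts(s["time"]) > ts(a["time"])]
        if later:
            hits.append((a["host"], a["src"], later[0]["service"]))
    return hits
```

On real logs the same three functions would be fed parsed EVTX or SIEM records; the thresholds should be tuned to the environment's normal failed-logon rate.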
Don't be a Victim
SamSam victims are chosen for their perceived weakness: networks where a SamSam operator can get to work and exploit software vulnerabilities. Adopt a multi-layered defense.
- Restrict Remote Desktop Protocol access to staff.
- Use multi-factor authentication for VPN access.
- Run vulnerability scans and penetration tests.
- Back up your data.