The rise of SamSam ransomware

This weekend the SamSam ransomware made the Dutch news. Why? Because SamSam is on the rise in our country. According to the article and source Fox-IT, small to medium businesses are targets. The report of Sophos, a result of a thorough investigation, reveals that the cybercriminal or cybercriminals behind SamSam ‘earned’ about 5.9 Million USD. What is SamSam and why would you want to read this article? SamSam is different than Wannacry or other malware. It is very sophisticated and if you ask me, it is a combo of malware and ransomware. Can you defend your organization against it? Yes, but it might take a lot of effort to do so.

What is SamSam exactly?

If you ask me, SamSam is a combination of malware and ransomware. Why? Because the main objective of the cybercriminal or cybercriminals behind SamSam is to get in into an organization. Once it is in, it waits and collects a lot of data. Meanwhile, the cybercriminal or cybercriminals obtain access to systems and copy the malware/ransomware onto other systems. And the collection of data about the network, the servers, about accounts (such as domain admin accounts of sysadmins) and perhaps about the most busy hours, a.k.a. the business hours. When the cybercriminal or cybercriminals think they have enough data, they strike. And they strike with force, preferably when the sysadmins of the target are sleeping, so the attack will most likely go by unnoticed.When the attack procedure is started, the malware starts encrypting all files and documents on all systems it can find on the network. Now the malware becomes ransomware. Imagine the look on the face of a sysadmin logging into a server the other morning to perform routine checks. Staring at a screen explaining all files are locked and you have 7 days to pay the ransom money or else….From 2015 till present, SamSam made ‘improvements’ and you can see that in the following timeline: SamSam ransomware

How does SamSam work?

According to Sophos, the modus operandi consists out of 6 steps:

Target identification and acquistion
Penetrating the network
Elevating privileges
Scanning the network for target computers
Deploying and executing the ransomware
Awaiting payment

The cybercriminal or cybercriminals behind SamSam may have used Shodan. Why? Because picking a target is easy if it presents itself on a silver platter: SamSam ransomware

Step 2 is penetrating the network once they picked a target. They fire brute force RDP logins towards hosts in the hope they will get a successful login at some point. Once they have made their way in, the goal is to achieve elevate privileges for the account that is brute force. This is where the tool Mimikatz comes into play; Mimikatz can fetch credentials from the memory of a system. So once a sysadmin logs in, Mimikatz goes to work and fetches the admin credentials and now the cybercriminals are ready to p0wn the environment. The rest of the steps is pretty much self-explanatory.

Can you defend your organization for SamSam?

Yes, you can. Sophos actually gives a lot of good tips for defending against SamSam or any malware/ransomware that looks like SamSam. Basically, it comes down to closing the 3389 port for RDP on systems that are connected to the internet. If RDP should be possible, make sure sysadmins use a VPN to connect to systems with RDP.Backups are very important. In a blog from Trend Micro, the following backup strategy is advised:

The overall advice would be to have an excellent Disaster Recovery Plan (DRP) in place that you can get from the shelf when an attack like SamSam ransomware takes place.Here the Sophos report with tips how to defend against SamSam ransomware or ransomware similar to SamSam invades your IT environment: