The SamSam ransomware has hit far more victims than initially thought, and has so far collected nearly $6 million in ransom payments. According to Sophos' research on SamSam, roughly 233 victims are estimated to have paid the attackers to date.
Sophos has uncovered new details about SamSam, focusing on how it works and how it is evolving. Most ransomware is spread through large, untargeted spam campaigns sent to thousands of people; those attacks rely on simple techniques to infect victims and make money through a large number of relatively small ransom demands. SamSam, by contrast, is used in specific, targeted attacks.
SamSam attackers break into a specific victim’s network and then run the malware manually. These attacks are tailored to cause maximum damage, with ransom demands in the tens of thousands of dollars – the largest individual victim so far shelled out $64,000.
Although SamSam was initially thought to target chiefly the healthcare, government and education sectors, the Sophos report indicates that private-sector organizations have been hit just as often; they have simply been more reluctant to come forward.
Sophos noted that SamSam attackers choose their moment carefully, typically launching the encryption commands in the middle of the night or in the early hours of the morning, when most administrators are unlikely to notice the intrusion. Striking then lowers the chance that anyone interrupts the attack before encryption has finished.
Once the attack has been launched, the attacker waits to see if the victim makes contact via a Dark Web payment site referenced in the ransom note.
Ransom demands have increased over time.
Sophos identified six stages of a SamSam ransomware attack:
- Target identification and acquisition.
- Penetrating the network.
- Elevating privileges.
- Scanning the network for target computers.
- Deploying and executing the ransomware.
- Awaiting payment.
“The attacker gives the victim roughly seven days to pay the ransom, although, for an additional cost, this time can be extended,” the report cautioned.
It appears that SamSam's targets are chosen based on their perceived vulnerability. The best defense against ransomware, SamSam included, is a layered, defense-in-depth approach to security.
Keep up with patching and maintain good password practices; beyond that, the following steps significantly strengthen an organization's security:
- Restrict Remote Desktop Protocol (RDP) access to staff connecting over a VPN.
- Use multi-factor authentication for all remote access and sensitive internal systems.
- Complete regular vulnerability scans and penetration tests.
- Keep backups offline and offsite.
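Two of the points above, the attackers' preference for striking overnight and the advice to keep RDP off the open internet, translate directly into something a defender can check in logs. The script below is an added example written for this page, not code from Sophos or from the SamSam report. It assumes Windows Security events exported as one JSON object per line with the fields EventID, LogonType, TargetUserName, IpAddress and TimeCreated (ISO 8601, local time); the sample lines embedded in it are constructed. It flags successful RDP logons (event 4624, logon type 10) that fall outside a configurable business-hours window or on a weekend, and separately lists source addresses with a burst of failed logons (event 4625), on the assumption that password guessing against an exposed RDP service precedes the kind of intrusion the report describes.

```python
"""Surface off-hours RDP logons and failed-logon bursts from Windows Security events.

Added example for this page, not code from Sophos or the SamSam report.
Assumed input format: one JSON object per line with the fields EventID,
LogonType, TargetUserName, IpAddress and TimeCreated (ISO 8601, local time).
The events in SAMPLE_EVENTS are constructed for the example.
"""
import json
from collections import Counter
from datetime import datetime, time

# Constructed sample log. 2018-07-29 is a Sunday; 30 and 31 July are a Monday
# and a Tuesday. The 02:4x cluster models password guessing against RDP that
# ends in a successful Administrator logon in the early hours.
SAMPLE_EVENTS = """\
{"EventID": 4624, "LogonType": 10, "TargetUserName": "mlee", "IpAddress": "203.0.113.7", "TimeCreated": "2018-07-29T14:05:00"}
{"EventID": 4624, "LogonType": 10, "TargetUserName": "jdoe", "IpAddress": "10.0.5.14", "TimeCreated": "2018-07-30T09:12:03"}
{"EventID": 4624, "LogonType": 3, "TargetUserName": "svc-backup", "IpAddress": "10.0.0.9", "TimeCreated": "2018-07-30T23:30:10"}
{"EventID": 4625, "LogonType": 10, "TargetUserName": "Administrator", "IpAddress": "10.0.5.14", "TimeCreated": "2018-07-31T02:40:00"}
{"EventID": 4625, "LogonType": 10, "TargetUserName": "Administrator", "IpAddress": "10.0.5.14", "TimeCreated": "2018-07-31T02:41:12"}
{"EventID": 4625, "LogonType": 10, "TargetUserName": "Administrator", "IpAddress": "10.0.5.14", "TimeCreated": "2018-07-31T02:43:27"}
{"EventID": 4624, "LogonType": 10, "TargetUserName": "Administrator", "IpAddress": "10.0.5.14", "TimeCreated": "2018-07-31T02:47:51"}
{"EventID": 4625, "LogonType": 3, "TargetUserName": "jdoe", "IpAddress": "10.0.0.9", "TimeCreated": "2018-07-31T08:01:00"}
"""

# Business-hours window (assumed; adjust to the organization). Times are local.
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)

LOGON_SUCCESS = 4624
LOGON_FAILURE = 4625
RDP_LOGON_TYPE = 10  # RemoteInteractive


def parse_events(text):
    """Yield one event dict per non-empty line of newline-delimited JSON."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


def is_off_hours(ts, start=BUSINESS_START, end=BUSINESS_END):
    """True if ts is on a weekend or outside the [start, end) clock window."""
    if ts.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        return True
    return not (start <= ts.time() < end)


def find_off_hours_rdp_logons(text, start=BUSINESS_START, end=BUSINESS_END):
    """Return successful RDP logons that happened off-hours, in log order."""
    hits = []
    for ev in parse_events(text):
        if ev.get("EventID") != LOGON_SUCCESS or ev.get("LogonType") != RDP_LOGON_TYPE:
            continue
        ts = datetime.fromisoformat(ev["TimeCreated"])
        if is_off_hours(ts, start, end):
            hits.append({"user": ev["TargetUserName"],
                         "source": ev["IpAddress"],
                         "time": ts.isoformat()})
    return hits


def failed_logon_sources(text, threshold=3):
    """Map source IP to its failed-logon count, keeping sources at or above threshold."""
    counts = Counter(ev.get("IpAddress")
                     for ev in parse_events(text)
                     if ev.get("EventID") == LOGON_FAILURE)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for hit in find_off_hours_rdp_logons(SAMPLE_EVENTS):
        print("off-hours RDP logon: {user} from {source} at {time}".format(**hit))
    for ip, n in failed_logon_sources(SAMPLE_EVENTS).items():
        print("{} failed logons from {}".format(n, ip))
```

The window and the failure threshold are arbitrary starting points, not values from the report. Two practical caveats: events exported in UTC must be converted to local time before the off-hours test means anything, and when Network Level Authentication is enabled, failed RDP attempts are commonly recorded with logon type 3 rather than 10, which is why the failure count deliberately does not filter on logon type.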