SamSam Ransomware: A brief look into the infamous ransomware’s massive attacks
- The cybercriminals behind the SamSam Ransomware have collected almost $6 million in ransom payments so far, demanding over $50,000 from each victim.
- Almost 74% of SamSam Ransomware's victims are in the US; the rest are in the UK, Canada, and the Middle East.
SamSam Ransomware, also known as Samas or SamSamCrypt, was first released in late 2015 by a hacker group. Later versions of the ransomware appeared in June and October 2017. On November 28, 2018, the United States Department of Justice indicted two men for their alleged role in SamSam attacks.
The two, Faramarz Shahi Shavandi and Mohammad Mehdi Shah Mansouri, are residents of Iran. They are charged with a series of SamSam ransomware attacks, including a 34-month-long hacking and extortion scheme that impacted over 200 organizations in the US and Canada.
According to the indictment, Shavandi and Mansouri, the threat actors behind SamSam Ransomware, collected almost $6 million in ransom payments to date and caused over $30 million in losses to more than 200 victims.
“The Iranian defendants allegedly used hacking and malware to cause more than $30 million in losses to more than 200 victims,” said Deputy Attorney General Rosenstein. “According to the indictment, the hackers infiltrated computer systems in 10 states and Canada and then demanded payment. The criminal activity harmed state agencies, city governments, hospitals, and countless innocent victims.”
SamSam Ransomware attacks
The duo were responsible for a series of large SamSam Ransomware attacks in which almost 74% of the victims were in the US, with the rest in the UK, Canada, and the Middle East.
Victims of SamSam Ransomware attacks include the City of Atlanta, the City of Newark, the Port of San Diego, the Colorado Department of Transportation, and the University of Calgary.
The SamSam Ransomware also attacked hospitals and healthcare centers such as Hollywood Presbyterian Medical Center, Kansas Heart Hospital, Laboratory Corporation of America Holdings, MedStar Health, Nebraska Orthopedic Hospital, and Allscripts Healthcare Solutions Inc.
Unlike most ransomware, which is delivered via spear-phishing emails, SamSam gains its initial foothold over Remote Desktop Protocol (RDP), either by brute-forcing internet-exposed RDP services or by logging in with stolen credentials bought on underground forums. The ransomware has also been reported using the leaked NSA exploit EternalBlue to spread across networks.
In addition to encrypting files across the target network, the operators deliberately target any backups they can reach, so that victims are left with no option other than to pay the ransom.
SamSam does not self-propagate like a worm or virus; every intrusion is driven by hand by its operators.
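The brute-force and stolen-credential patterns described above leave traces in the Windows Security log: a burst of failed RemoteInteractive logons (event 4625, logon type 10) from one source address, a successful logon (event 4624) from that same source right afterwards, or a successful RDP logon for an account from a source never seen for it before. The following Python is an added detection example written for this article, not code from the page or from any SamSam tooling; the simplified event line format, the IP addresses, the account names, the baseline and the five-failures-in-five-minutes threshold are all constructed assumptions.

```python
"""Flag RDP brute-force and stolen-credential logons from Windows Security events.

Added example. The line format below is a constructed, simplified rendering of
events 4625 (failed logon) and 4624 (successful logon):
    <ISO timestamp> <event id> <logon type> <source ip> <account>
Logon type 10 (RemoteInteractive) is what an RDP session produces.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10
FAIL_THRESHOLD = 5                  # assumed tuning: failures per source ...
WINDOW = timedelta(minutes=5)       # ... within this sliding window

# Constructed sample: a password-guessing run that lands on svc_sql, then a
# logon for jsmith from an address never seen for that account.
SAMPLE_EVENTS = """
2018-03-22T02:14:05 4625 10 203.0.113.7 administrator
2018-03-22T02:14:09 4625 10 203.0.113.7 administrator
2018-03-22T02:14:12 4625 10 203.0.113.7 admin
2018-03-22T02:14:16 4625 10 203.0.113.7 backup
2018-03-22T02:14:20 4625 10 203.0.113.7 svc_sql
2018-03-22T02:14:25 4624 10 203.0.113.7 svc_sql
2018-03-22T03:40:01 4624 10 198.51.100.23 jsmith
2018-03-22T09:05:33 4624 10 10.20.0.15 jsmith
2018-03-22T09:07:10 4625 2 10.20.0.15 jsmith
"""
# Assumed baseline of source addresses each account normally uses for RDP.
BASELINE = {"jsmith": {"10.20.0.15"}}


def parse_event(line):
    ts, event_id, logon_type, src, user = line.split()
    return {"ts": datetime.fromisoformat(ts), "id": int(event_id),
            "type": int(logon_type), "src": src, "user": user.lower()}


def detect(lines, baseline=None, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return (kind, source_ip, account, timestamp) tuples for suspicious RDP activity."""
    alerts = []
    failures = defaultdict(deque)            # src -> timestamps of recent 4625s
    brute_forcing = set()                    # sources already over the threshold
    known = defaultdict(set, {u: set(s) for u, s in (baseline or {}).items()})

    for ev in (parse_event(l) for l in lines if l.strip()):
        if ev["type"] != RDP_LOGON_TYPE:     # console/network logons are out of scope
            continue
        recent = failures[ev["src"]]
        if ev["id"] == 4625:
            recent.append(ev["ts"])
            while recent and ev["ts"] - recent[0] > window:
                recent.popleft()             # drop failures outside the window
            if len(recent) >= threshold and ev["src"] not in brute_forcing:
                brute_forcing.add(ev["src"])
                alerts.append(("rdp_bruteforce", ev["src"], ev["user"], ev["ts"]))
        elif ev["id"] == 4624:
            if ev["src"] in brute_forcing:
                # A success after a flagged burst: the guessing worked.
                alerts.append(("bruteforce_success", ev["src"], ev["user"], ev["ts"]))
            elif ev["src"] not in known[ev["user"]]:
                # No guessing at all, just a valid password from an unknown place.
                alerts.append(("new_rdp_source", ev["src"], ev["user"], ev["ts"]))
            known[ev["user"]].add(ev["src"])
    return alerts


def run_sample():
    return detect(SAMPLE_EVENTS.strip().splitlines(), baseline=BASELINE)


if __name__ == "__main__":
    for kind, src, user, ts in run_sample():
        print(f"{ts.isoformat()}  {kind:<20} {src:<15} {user}")
```

On the constructed sample this raises three alerts: the brute-force burst from 203.0.113.7, its success as svc_sql a few seconds later, and the jsmith logon from 198.51.100.23, which matches the stolen-credential case since no failed attempts preceded it. In practice the events would come from Get-WinEvent or a SIEM rather than a string, the baseline would be learned from a few weeks of history, and the threshold tuned to the environment; the structure of the logic stays the same.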
- The operators use built-in Windows tools to escalate their privileges and map the networks of high-profile targets.
- They hunt for credentials with enough privilege to copy the ransomware payload to every machine.
- They then distribute the payload laterally across the network.
- Finally, the ransomware is triggered and encrypts files across the network.
The attackers also deploy two different variants of SamSam on a network so that if one fails, the other still has a chance to succeed.
Dick O'Brien, Threat Researcher at Symantec told ZDNet, “They have the capability to break into networks and use multiple tools to map the network, steal passwords and, ultimately, run ransomware on a large number of machines.”
Recommendations from researchers
To defend against SamSam attacks, security researchers offer several recommendations, including:
- Restrict RDP exposure to the internet: SamSam's initial access depends on reachable RDP services, so RDP (TCP port 3389 by default) should be closed at the perimeter or reachable only through a VPN or gateway.
- Replace default passwords with strong, unique ones and enforce two-factor authentication on all critical systems.
- Keep backups offline and offsite so that critical data can be restored without paying a ransom in the event of an attack.