SamSam ransomware shifts towards targeting carefully selected companies with pervasive attacks

The attackers behind the notorious SamSam ransomware seems to be shifting tactics from widespread spam campaigns towards more targeted, whole-company attacks. According to Sophos researchers, the operators of SamSam are taking "the malware road less traveled" and are now inundating carefully selected organizations with thousands of copies of the ransomware.

SamSam leverages various vulnerability exploits, rather than phishing or spam as in other ransomware, to gain access to a specific organization. Other methods used include brute-force tactics against weak Remote Desktop Protocol (RDP) passwords.

"After successfully infecting a host, SamSam seeks out additional victims by network mapping and stealing credentials," researchers noted in an in-depth report. "Once the potential targets are discovered, the attackers manually deploy SamSam on the selected systems using tools like PSEXEC and batch scripts."

Under the new mode of operation, the attacks blast thousands of copies of the malware onto computers within a single organization at once. Once infected and gaining foothold within the entity, they offer a "volume discount" to fix the entire company at one go. They also specify a price per host as well, offering victims the option to pay per host if they only want to restore a few machines. To do so, users can send the specific host names to the attackers to restore them.

According to Sophos, the volume discount amounts to about $45,000 worth of Bitcoin at current exchange rates.

“We don’t know why the price is $45,000,” Sophos researcher Paul Ducklin said. “For all we know, that number was picked because it’s below certain reporting thresholds, or because the crooks want to pick the highest value they dare without getting into corporate board-level approval territory. All we can say is that $45,000 is a lot of money.”

The new variant discovered by Sophos has minor modifications from the previous one discovered by Cisco Talos in January 2018.

"The interesting change in the runner component is that the decryption function, used to decrypt the payload, is no longer located inside the executable but rather in a separate DLL file," researchers said. "The DLL is referenced in the .NET executable and the decryption function is called from that. The AES key and IV for decryption will be derived from the password provided by the attackers.

"To increase the chances of a successful attack, the attacker deploys two versions of the runner and the corresponding DLLs. If the first attack was unsuccessful, then they start a new attack using a modified version of the .exe file, which contains garbage code."

In January, the attackers' Bitcoin wallet address received 30.4 BTC. In mid-January, they switched to a different Bitcoin wallet address and have received 23 payments since then amounting to 68.1 BTC ($621,462 at the current exchange rate) from victims - most of whom decided to pay the full price.

The attackers were also found to give volume discounts to some victims to recover part of their encrypted system files.

A recent incident in the city of Atlanta, Georgia, involving the SamSam ransomware saw the complete shutdown of online systems supporting the police department, city courts, and parts of the airport.