SamSam Ransomware 101: How It Works and How to Avoid It
SamSam Ransomware Was Released in Late 2015. Here’s What You Should Know About It.
Malware traditionally spreads through nefarious social engineering practices, phishing campaigns, and malicious attachments. In this way, it manages to profit off of users that are not well-versed in matters of cybersecurity. SamSam ransomware takes a different approach, which is exactly what makes it so dangerous.
In this article, I will first go over what SamSam ransomware is, as well as how it works. As always, stay tuned until the end for some actionable advice on how to prevent a SamSam ransomware infection.
What is SamSam Ransomware?
The first known version of SamSam ransomware appeared in late 2015 or early 2016 (depending on what article you read) and was initially presumed to have been released by an Eastern European hacker group. However, two Iranian men have been indicted for related cybercrime in 2018. The name ‘SamSam’ draws from the filename of the earliest discovered sample.
Also known as Samas or SamsamCrypt, the strain targets organizations within multiple industries, including critical infrastructure establishments from the healthcare and public health sectors, the transportation sector, and the education sector. Most victims were located in the United States, but international cases have been reported over time as well in the UK, France, Portugal, Australia, Canada, Israel, and the Middle East.
From the beginning of 2016 to 2018, SamSam ransomware wreaked havoc among its chosen victims. Below, I have compiled a brief list of three major attacks, all of which took place during its final months of registered activity.
Colorado Department of Transportation
Early in the morning of February 21, 2018, the Colorado Department of Transportation (CDOT) fell victim to a SamSam ransomware attack. CDOT employees were the ones to discover the incident when business hours started and they tried logging onto the network.
Devices in the department’s system all displayed the now-infamous ransom note. Hackers had encrypted essential files and demanded a Bitcoin payment in return for remediation. However, CDOT refused to pay the ransom and focused on mitigating the damages. This effort cost the state $1.7 million in total.
Atlanta Local Government
The city of Atlanta reported a massive cyberattack on March 22, 2018. It was later confirmed that SamSam ransomware was responsible for the incident, gaining unlawful entry into the local government network through a brute force attack. The city was, and remains, a major transportation and economic hub for the state of Georgia and the United States as a whole.
In the past, SamSam ransomware has been known to target smaller local governments such as that in the town of Farmington, New Mexico. The attack on Atlanta proved to be hugely disruptive to the everyday lives of citizens and employees alike, with services such as utilities, parking, and court being affected in the aftermath of the attack.
A ransom of $51,000 in Bitcoin was demanded by the operators. However, Atlanta officials refused to pay and focused on remediation instead. Recovery costs amounted to $2.7 million across governmental and third-party services.
On November 28 of the same year, two Iranian hackers were convicted for the attack. As per the U.S. Department of Justice, the SamSam cybercrime group was discovered to be based in Iran, rather than Eastern Europe as initially believed.
Indiana’s Allied Physicians of Michiana
On May 17, 2018, SamSam ransomware operators attacked the Indiana-based Allied Physicians of Michiana (APOM). Fortunately, the healthcare provider immediately responded by shutting down its network to protect confidential patient data. As per an official statement issued soon thereafter, the incident was successfully contained.
The year 2018 was a prolific one for SamSam ransomware attacks against the healthcare sector. Earlier, in January, affiliated hackers infected both Hancock Health's and Allscripts' systems. Healthcare organizations accounted for one-quarter of SamSam ransomware attack victims in 2018. The reason behind this remains unknown.
How Does SamSam Ransomware Work?
According to an alert issued by the Cybersecurity & Infrastructure Security Agency (CISA) on December 3rd, 2018, the SamSam ransomware gang exploits vulnerabilities in an organization’s Windows servers. In this way, malicious actors gain unlawful access to the company network and infect all accessible hosts.
Early reports on SamSam ransomware dating back to 2016 describe the use of the infamous JexBoss Exploit Kit to get into vulnerable JBoss applications. What is more, an FBI analysis performed in mid-2016 recounts the malicious actors gaining access through the Remote Desktop Protocol (RDP) via stolen credentials or brute force attacks.
As per the FBI, hackers purchased the credentials from Dark Web marketplaces. The targeted networks were attacked within hours of the transaction.
Once the malicious actors behind the operation enter an establishment's network, they escalate to admin rights, drop the malware, and run an executable file. This technique differs from that of other ransomware operators, who rely on victims opening an attachment or an infected application. SamSam ransomware propagates through RDP with little to no interaction from its targets.
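The entry pattern described above (a burst of failed RDP logons from one source, followed by a success from the same source) is something a defender can look for in Windows Security event logs. The following is an added example, not code from the original article; the event lines are constructed in a simplified CSV shape (event_id, timestamp, source_ip, account, logon_type) rather than a real log export.

```python
# Added example, not from the original article: flag the SamSam entry pattern
# described above (a burst of failed RDP logons from one source, then a success).
# Event lines (event_id,time,source_ip,account,logon_type) are CONSTRUCTED data.
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security event IDs: 4625 = failed logon, 4624 = successful logon.
# Logon type 10 = RemoteInteractive, i.e. a Remote Desktop session.
FAILED, SUCCESS, RDP_LOGON_TYPE = "4625", "4624", "10"
SAMPLE_EVENTS = """\
4625,2018-02-21T02:14:01,203.0.113.7,administrator,10
4625,2018-02-21T02:14:03,203.0.113.7,admin,10
4625,2018-02-21T02:14:05,203.0.113.7,backup,10
4625,2018-02-21T02:14:08,203.0.113.7,svc_sql,10
4625,2018-02-21T02:14:11,203.0.113.7,helpdesk,10
4624,2018-02-21T02:14:15,203.0.113.7,helpdesk,10
4625,2018-02-21T08:02:00,10.0.0.5,jdoe,10
4624,2018-02-21T08:02:20,10.0.0.5,jdoe,10
4625,2018-02-21T09:00:00,10.0.0.9,jdoe,2
"""

def parse_events(text):
    """Split CSV lines into (event_id, datetime, ip, account, logon_type) tuples."""
    events = []
    for line in text.splitlines():
        event_id, ts, ip, user, logon_type = line.split(",")
        events.append((event_id, datetime.fromisoformat(ts), ip, user, logon_type))
    return events

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return (source_ip, account, distinct_accounts_tried) for every source
    with >= threshold failed RDP logons inside `window` followed by a success."""
    failures = defaultdict(list)        # ip -> [(time, account)] recent failures
    findings = []
    for event_id, when, ip, user, logon_type in sorted(events, key=lambda e: e[1]):
        if logon_type != RDP_LOGON_TYPE:
            continue                    # console/network logons are out of scope
        recent = [f for f in failures[ip] if when - f[0] <= window]
        if event_id == FAILED:
            recent.append((when, user))
        elif event_id == SUCCESS and len(recent) >= threshold:
            findings.append((ip, user, len({u for _, u in recent})))
            recent = []                 # reported; start counting afresh
        failures[ip] = recent
    return findings

if __name__ == "__main__":
    for ip, user, tried in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(f"RDP brute force then success from {ip} as {user} after {tried} accounts")
```

The single failed-then-successful logon from 10.0.0.5 stays below the threshold and is not reported; tune `threshold` and `window` to the baseline of your own environment.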
SamSam Ransomware Ransom Note
Once the encryption process is completed, the malicious actors leave a ransom note on the infected devices containing instructions on how to contact them via a Tor hidden service. It reads as follows, according to a detailed examination by computer security researcher Christopher Boyd for Malwarebytes Labs:
What happened to your files?
All your files encrypted with RSA-2048 encryption, for more information search in Google “RSA encryption”
How to recover files?
RSA is a asymmetric cryptographic algorithm, you need one key for encryption and one key for decryption so you need private key to recover your files. It’s not possible to recover your files without private key.
How to get private key?
You can get your private key in 3 easy steps:
1) You must send us 0.8 Bitcoin for each affected PC or 4.5 Bitcoins to receive all private keys for all affected PCs.
2) After you send us 0.8 Bitcoin, leave a comment on our site with this detail: just write your host name in your comment
3) We will reply to your comment with a decryption software, you should run it on your affected PC and all encrypted files will be recovered
With buying the first key you will find that we are honest
A Bitcoin payment is requested there in exchange for the files held hostage. If the payment is completed, victims sometimes receive download links for cryptographic keys or other decryption tools. However, there is no guarantee that this part of the agreement will be honored in every case.
SamSam Ransomware Technical Details
In terms of technical details, CISA lists four SamSam ransomware variants as per Malware Analysis Reports provided by the National Cybersecurity and Communications Integration Center (NCCIC).
- MAR-10219351.r1.v2 – SamSam variant 1
- MAR-10166283.r1.v1 – SamSam variant 2
- MAR-10158513.r1.v1 – SamSam variant 3
- MAR-10164494.r1.v1 – SamSam variant 4
While this catalog is by no means a comprehensive one, it is a viable starting point in understanding how to identify a SamSam ransomware infection.
Is SamSam Ransomware Still Active?
While experts were still discussing SamSam ransomware in 2019 and 2020, mid-to-late 2018 appears to be the last period with publicly reported attacks linked to the strain. However, deeming it an inactive threat would be a mistake. After all, there is no news of its eradication, and no decryption tool for the strain has been made public as of yet.
The arrest of the two Iranian hackers associated with the cybercrime operation seems to have been the terminus as far as incidents are concerned. Still, there is no guarantee that SamSam has stopped entirely. Therefore, it’s best to consider the ransomware still active at this point. Nevertheless, decryption might be possible in the future. Check out Project No More Ransom’s list of decryption tools, as well as Heimdal Security’s article on the topic.
How to Prevent a SamSam Ransomware Attack
#1 Audit Remote Desktop Protocol Systems
As previously mentioned, SamSam ransomware spreads through exposed RDP connections rather than malicious attachments and phishing campaigns. Therefore, the human error factor is not to blame here, but rather system vulnerabilities. For this reason, performing a complete audit of systems that use the Remote Desktop Protocol is a requirement in the prevention process.
After identifying potential entry points into your network, you can either choose to disable the RDP connection or patch its vulnerabilities. The latter means installing the latest system updates as soon as they are released by developers.
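The audit described in the two paragraphs above (find the hosts offering RDP, check who can reach them and whether they are patched) can be run over an asset inventory. This is an added example, not code from the article or from Heimdal; the inventory rows are constructed, and the field names (host, rdp_enabled, nla_enabled, inbound_3389_sources, last_patch) are assumptions rather than any vendor's schema.

```python
# Added example, not part of the article: audit an asset inventory for the RDP
# entry points described above. Rows are CONSTRUCTED and the field names
# (host, rdp_enabled, nla_enabled, inbound_3389_sources, last_patch) are
# assumptions, not any vendor's schema.
import ipaddress
from datetime import date

# RFC 1918 ranges: a rule whose source lies entirely inside these is internal-only.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AUDIT_DATE = date(2018, 2, 21)          # constructed "today" for the patch-age check

INVENTORY = [
    {"host": "jump01", "rdp_enabled": True, "nla_enabled": True,
     "inbound_3389_sources": ["10.0.0.0/8"], "last_patch": date(2018, 2, 14)},
    {"host": "web02", "rdp_enabled": True, "nla_enabled": False,
     "inbound_3389_sources": ["0.0.0.0/0"], "last_patch": date(2017, 9, 1)},
    {"host": "db03", "rdp_enabled": False, "nla_enabled": True,
     "inbound_3389_sources": [], "last_patch": date(2018, 2, 10)},
]

def is_internal_only(cidr):
    """True if every address in `cidr` falls inside one RFC 1918 range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(private) for private in PRIVATE_NETS)

def audit_rdp(inventory, today=AUDIT_DATE, max_patch_age_days=30):
    """Map each host that still offers RDP to the list of issues found on it.
    Hosts with RDP disabled are skipped: they are not an entry point."""
    findings = {}
    for host in inventory:
        if not host["rdp_enabled"]:
            continue
        issues = []
        exposed = [s for s in host["inbound_3389_sources"] if not is_internal_only(s)]
        if exposed:
            issues.append("RDP reachable from non-private source(s): " + ", ".join(exposed))
        if not host["nla_enabled"]:
            issues.append("Network Level Authentication disabled")
        if (today - host["last_patch"]).days > max_patch_age_days:
            issues.append("last patched " + host["last_patch"].isoformat())
        if issues:
            findings[host["host"]] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit_rdp(INVENTORY).items():
        print(name + ": " + "; ".join(issues))
```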
This is made easy by the Heimdal™ Patch & Asset Management software in our Heimdal™ Threat Prevention. An automatic updater, XPR installs updates from third-party vendors based on your pre-configured policies. There is no need for manual input, which streamlines the process and saves your employees and system admins a great deal of time and resources in the process.
Heimdal™ Threat Prevention - Endpoint
- Machine learning powered scans for all incoming online traffic;
- Stops data breaches before sensitive info can be exposed to the outside;
- Advanced DNS, HTTP and HTTPS filtering for all your endpoints;
- Protection against data leakage, APTs, ransomware and exploits;
What is more, the DarkLayer Guard™ and VectorN Detection DNS traffic threat hunting module contained within our core offering pursues and detects ransomware, malware, and other APTs. This has earned Heimdal™ Threat Prevention the award of Anti-Advanced Persistent Threat (APT) Solution of the Year 2020 at the annual Computing Security awards.
#2 Practice the Principle of Least Privilege
After breaching your organization’s network through unprotected RDP ports, SamSam ransomware elevates admin rights so it can maximize the amount of damage it inflicts. For this reason, practicing the principle of least privilege within your enterprise is vital for a successful prevention strategy.
The principle of least privilege as far as user accounts are concerned consists of limiting access rights to the minimum that is required for employees to perform their tasks. This means that your entire network won’t go down in flames when a single account is breached. However, it also implies that your system administrator will have their hands full with escalation and de-escalation requests.
Our Heimdal™ Privileged Access Management was specifically designed to help your network administrator manage user permissions easily. Its accessible interface allows sysadmins to efficiently handle all requests on the go, strengthening your endpoint security in the process. What is more, it is the only PAM solution on the market that provides automatic de-escalation when a threat is detected when used in tandem with our suite of cybersecurity tools.
Heimdal™ Privileged Access Management
- Automate the elevation of admin rights on request;
- Approve or reject escalations with one click;
- Provide a full audit trail into user behavior;
- Automatically de-escalate on infection;
#3 Implement a Password Hygiene Policy
Strong passwords that are changed often and at random are the surest way to limit the success of brute force attacks, as well as to potentially render stolen credentials obsolete. Hence, implementing a company-wide password hygiene policy is essential for the cyber-wellbeing of any establishment.
A strong password should contain:
- lowercase letters,
- uppercase letters,
What is more, I recommend that your password hygiene policy warns against these common credential mistakes:
- reusing the same password,
- sharing passwords,
- skipping multi-factor authentication,
- storing passwords in plain text documents,
- or not using a password manager.
SamSam ransomware might not be dead just yet. In this day and age, where cyber-threats lurk in the dark corners of the Internet, staying protected should be your organization's top priority. You can contact us at firstname.lastname@example.org and book a free cybersecurity consultation to find out where you stand.