SamSam Ransomware Analysis
The actors behind SamSam have attacked several businesses, including operators of critical infrastructure. The victims were primarily based in the United States, though some were abroad. Network-wide infections of companies are far more likely to produce significant ransom payments than infections of individual systems: organizations that provide essential services have a pressing need to restore operations quickly and are more inclined to pay larger ransoms.
SamSam is a narrowly distributed ransomware family. It was first recorded in 2016 and has since gone through three revisions, up to the V3 currently in operation. SamSam typically targets larger companies, aiming to cripple an organization quickly and compel it to pay a comparatively high ransom.
SamSam Attack Anatomy
SamSam attacks adopt a fairly straightforward pattern, generally consisting of the following six steps.
Step 1: Target identification and acquisition
The first component, how the intruder identifies specific targets, is unclear. They might be purchasing lists of insecure servers from other criminals on the dark web, or simply using publicly accessible search engines such as Shodan or Censys. What is clear is that they prefer to hit medium to large companies, primarily located in the United States.
The second element, the acquisition, is fairly straightforward. When the attacks began in 2016, it became clear that the attackers were leveraging vulnerabilities in JBoss systems to obtain privileges that allowed them to copy the ransomware onto the network. Increasingly, the person or people behind the SamSam attacks are having better results obtaining network access by brute-forcing Windows RDP accounts.
In the latest SamSam attacks, the attackers focused their efforts on brute-forcing weak passwords on computers reachable from the internet via Remote Desktop Protocol (RDP). Although some may find this surprising, a quick search on Shodan shows thousands of IP addresses with port 3389, the standard RDP port, open.
Although the attacker has been observed using a mix of RDP and exploits to access targeted networks, the attacker sometimes gains access to a domain user account via RDP. Once inside the network, the attacker uses a mixture of hacking tools and exploits to escalate privileges to a domain admin account. In some instances this has been known to take days, as the intruder waits for a domain admin to log in. The compromised computer runs Mimikatz, a credential extraction tool, so the domain administrator's credentials are stolen as soon as they log in.
SamSam has no worm or virus capabilities, unlike other well-known ransomware such as WannaCry; it does not propagate on its own. Instead, the intruder uses legitimate Windows network administration tools such as PsExec, together with the compromised credentials, to deploy the malware, as if the ransomware were a legitimate application whose rollout is centrally controlled by the victim's domain controller.
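The RDP brute-forcing described above leaves a clear trace in the Windows Security log: bursts of failed RemoteInteractive logons from one source, sometimes followed by a success. The following is an added detection example (not code from the original post); the events are constructed dicts modelled on Event IDs 4625 and 4624 with logon type 10, and the field names are assumptions.

```python
"""Spot RDP password brute-forcing in Windows Security log events.

Added example, not code from the original post. Input is a constructed list
of dicts modelled on Event ID 4625 (failed logon) and 4624 (successful logon);
logon type 10 is RemoteInteractive, i.e. RDP. Field names are assumptions;
a real deployment would feed these from the Security log or a SIEM.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: (peak_failures_in_window, success_after_failures)}
    for every source with >= threshold failed RDP logons inside any span of
    length `window`. A True second element means a logon from that source
    later succeeded, i.e. a password was probably guessed."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["logon_type"] != 10:      # only RDP logons are of interest here
            continue
        ts = datetime.fromisoformat(e["ts"])
        if e["id"] == 4625:
            failures[e["src"]].append(ts)
        elif e["id"] == 4624:
            successes[e["src"]].append(ts)

    alerts = {}
    for src, times in failures.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):            # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            last_failure = times[-1]
            guessed = any(s >= last_failure for s in successes.get(src, []))
            alerts[src] = (peak, guessed)
    return alerts


SAMPLE = [  # constructed sample events, not real data
    {"id": 4625, "logon_type": 10, "src": "203.0.113.7", "ts": f"2018-03-01T02:00:{s:02d}"}
    for s in range(0, 60, 10)                    # six failures in one minute ...
] + [
    {"id": 4624, "logon_type": 10, "src": "203.0.113.7", "ts": "2018-03-01T02:01:05"},  # ... then a success
    {"id": 4625, "logon_type": 10, "src": "198.51.100.9", "ts": "2018-03-01T02:00:00"},
    {"id": 4625, "logon_type": 10, "src": "198.51.100.9", "ts": "2018-03-01T02:30:00"},  # two, far apart
    {"id": 4625, "logon_type": 3, "src": "192.0.2.5", "ts": "2018-03-01T02:00:00"},     # network logon, ignored
]

if __name__ == "__main__":
    print(detect_rdp_bruteforce(SAMPLE))   # {'203.0.113.7': (6, True)}
```

A source that guesses a password after a burst of failures is the case to escalate first; account lockout and removing RDP from the internet edge remove the precondition entirely.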
This process has some advantages. As a manual attack, it presents no risk of spreading out of control and drawing unwanted attention. It also lets the intruder cherry-pick targets and learn which machines have been encrypted. But first, the intruder has to select the targets.
To do so, the attackers use the compromised domain admin credentials to take control of one of the victim's servers, which they then use as a command center to run the whole attack. The attacker launches network scanning tools from this location.
Airgap Defense: Airgap prevents any lateral scanning attempt. Under Zero Trust, an intruder who breaches the perimeter controls, exploits a misconfiguration, or bribes an insider will have extremely restricted access to sensitive data, and safety measures will be in place to identify and respond to suspicious data access before it becomes a threat.
Once the scanning tool is able to reach the filesystem of a potential victim, it writes a plain text file named test.txt to the C:\Windows\System32 folder of every computer it can access. At the same time, the tool generates a list of live, potential-victim machines on the compromised server, in a file named alive.txt. The attacker later uses this alive.txt file as a target list.
Airgap Defense: Airgap's Zero Trust Isolation technology blocks any lateral scanning attempt and responds as if no hosts were present on the network.
The attacker's deployment tool of choice is the Sysinternals PsExec application, which the attacker uses to copy files throughout the network. In cases where PsExec is blocked, the attacker has been found to use other deployment methods. In one recent incident, they were seen switching to a similar tool named PaExec from PowerAdmin.
The following is typical of the SamSam command that launches the attack. Notably, it requires a password (supplied manually) as an argument to the batch file, which the batch file later uses to decrypt SamSam's payload:
psexec -accepteula -s \\machine-name cmd.exe /c if exist C:\windows\system32\g04inst.bat start /b g04inst.bat '<PASSWORD>'
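The scanner's marker file, the alive.txt target list and the PsExec launch command above are all observable on the victim's endpoints. The following is an added example (not code from the original post) that tags host telemetry matching those stages; the events are constructed dicts loosely modelled on Sysmon process-creation and file-creation events and the System log's service-install event, and the field names are assumptions.

```python
"""Flag host telemetry that matches the SamSam deployment chain described above.

Added example, not code from the original post. Events are constructed dicts
loosely modelled on Sysmon (EventID 1 process creation, 11 file creation) and
the System log's EventID 7045 (service install); the field names are assumptions.
"""
import re

# Indicators taken from the post: the scanner's marker file, the target list,
# the g04inst.bat launcher, and PsExec/PaExec run with the -s (SYSTEM) switch.
MARKER_PATH = r"c:\windows\system32\test.txt"
LAUNCH_RE = re.compile(r"cmd\.exe\s+/c\s+if\s+exist\s+\S*g04inst\.bat", re.I)
PSEXEC_RE = re.compile(r"\b(psexec|paexec)(\.exe)?\s.*\s-s\s", re.I)
SERVICE_RE = re.compile(r"^(psexesvc|paexec)", re.I)


def classify(event):
    """Return a tag naming the attack stage the event resembles, or None."""
    eid = event["id"]
    if eid == 11:  # file created
        path = event["path"].lower()
        if path == MARKER_PATH or path.rsplit("\\", 1)[-1] == "alive.txt":
            return "scanner-marker-file"
    elif eid == 1:  # process created
        cmd = event["cmd"]
        if LAUNCH_RE.search(cmd):
            return "g04inst-launch"
        if PSEXEC_RE.search(cmd):
            return "psexec-as-system"
    elif eid == 7045 and SERVICE_RE.match(event["service"]):
        return "remote-exec-service-install"
    return None


def scan(events):
    """Return [(host, tag)] for every matching event, in input order."""
    return [(e["host"], tag) for e in events if (tag := classify(e))]


SAMPLE = [  # constructed sample telemetry, not real indicators
    {"id": 11, "host": "FS01", "path": r"C:\Windows\System32\test.txt"},
    {"id": 7045, "host": "FS01", "service": "PSEXESVC"},
    {"id": 1, "host": "FS01",
     "cmd": r"cmd.exe /c if exist C:\windows\system32\g04inst.bat start /b g04inst.bat '<PASSWORD>'"},
    {"id": 1, "host": "WS07", "cmd": r"notepad.exe C:\Users\a\notes.txt"},
]

if __name__ == "__main__":
    for host, tag in scan(SAMPLE):
        print(f"{host}: {tag}")
```

The marker file and the PSEXESVC service install appear on victims before encryption starts, so a host showing the first two tags is a chance to isolate it while the batch file has not yet run.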
Once the attack is launched, the only thing left for the SamSam threat actor to do is wait and see whether the victim makes contact via the attacker's dark web site, the details of which are given to the victim in the ransom note. The attacker generally gives the victim seven days to pay the ransom, but this period may be extended at extra cost.
About Airgap Networks
Airgap helps implement comprehensive Zero Trust in minutes without the need for agents, APIs, or forklift upgrades. The patent-pending Zero Trust Isolation platform provides protection against threat propagation. Airgap's solution can be deployed in minutes, not months. Visit airgap.io to learn more or to schedule a demo.