What Is SamSam Ransomware and How to Protect Your Organization Against It

SamSam Ransomware

SamSam is a ransomware family that's been around since 2015. It has all the classic characteristics for an operation of this sort: crooks sneak the malicious program into a Windows computer, encrypt the victim's files, and then ask for a ransom to release the data. There's nothing revolutionary or ground-breaking. What, then, sets SamSam apart?

Strong encryption

Believe it or not, it's not that difficult to launch a ransomware campaign these days. In fact, it's so easy that plenty of people who don't know much about computers are doing it. There are publicly available ransomware families that, unfortunately, are far too easy to come by, modify, and use on a number of innocent people. The good news is, lots of these open-source projects are not very good at what they're designed to do. Sometimes, they use an encryption algorithm that's relatively easy to crack; sometimes, the encryption key is left in plain form on the victim's computer; and sometimes, the same key is used for all victims. As a result, it is often possible to recover the information without paying the ransom or even restoring from a backup.

Not so with SamSam, unfortunately. When it lands on a computer, it first encrypts the files using the Rijndael cipher. Rijndael acted as the foundation of the Advanced Encryption Standard – one of the most robust encryption algorithms in the world. If you have the Rijndael key, however, you can reverse the encryption. That's why, after scrambling the data, SamSam uses RSA 2048 to encrypt the Rijndael key itself.

RSA is named after Ron Rivest, Adi Shamir, and Leonard Adleman, the scientists that invented the asymmetric cryptosystem. It's asymmetric because it uses one (public) key to encrypt the data, and another (private) key to decrypt it. Needless to say, when the SamSam crooks attack, they hold the private key that decrypts the Rijndael key, which, in turn, decrypts the files. If you have no backups, you have no other options but to pay the ransom or kiss your data goodbye.

The SamSam operators aren't interested in your files

Unlike many other ransomware gangs that hope to scare you out of your money by promising that you'll never see your family photos again, the SamSam crew are aiming for organizations where the inevitable outage affects a large number of people.

The SamSam ransomware has actually caused more than a few major security incidents with big and small organizations over the last two and a half years. Since the beginning of the year alone, it has been responsible for outages at Allscripts, an electronic health record provider, the Adams Memorial and Hancock Health hospitals in Indiana, the City of Atlanta, and more recently, LabCorp.

The attacks are well thought through, and as you can see, although we've seen them target local governments as well, the SamSam gang are often after healthcare organizations. The reason for this is simple – hospitals and healthcare organizations are responsible for handling some extremely sensitive information, and without it, they simply can't sustain any sort of operation. This means that when SamSam locks this data, the crooks can demand more money.

Indeed, SamSam usually sneaks its way to most of the computers on the victim's network, and the crooks demand several thousand dollars for the decryption of one PC, and several tens of thousands of dollars for bringing the entire network back to normal. In March, CSO calculated that in a matter of just a few months, the SamSam gang managed to pocket about $850 thousand worth of bitcoins (at the then current price). It's a significant, and, by the looks of things, rather profitable business. The criminals are unlikely to give up on it anytime soon.

Infection vectors

The cheapest and easiest way to infiltrate a computer network is to trick a user into executing a file or clicking on a link. That's why, the so-called malspam emails and Office Macros are so popular with cybercrooks. It's a "spray and pray" tactic. The SamSam operators don't do "spray and pray."

Evidence suggests that they carefully plan their attacks and perform some reconnaissance before they launch them. The infection vectors vary from attack to attack, but more often than not, the SamSam gang break in either by exploiting unpatched vulnerabilities in public facing network components or by brute-forcing usernames and passwords for the remote desktop protocol (or RDP).

This means that protecting your organization against SamSam is not as easy as following a few steps. If there is a weak spot in your systems, the SamSam operators will find it, and they won't be afraid to use it. The only real way of protecting yourself is to keep fresh and working backups, review all your security and password policies, secure every component you can think of, and stay vigilant.

July 25, 2018

Leave a Reply