Please forgive me, I can't stop robbing you: SamSam ransomware earns handlers $5.9m
The enterprise-focused SamSam ransomware has earned its handlers an estimated $5.9m (£4.5m) since it first appeared in the wild in December 2015.
Security software firm Sophos worked with Neutrino to arrive at the estimate, which is based on tracking Bitcoin addresses supplied on ransom notes and sample files.
Over the last two-and-a-half years SamSam has significantly affected the operations of some large organisations, including hospitals, schools and cities.
Sophos has determined that about three in four (74 per cent) of the known victims are based in the US. Other regions known to have suffered attacks include Canada, the UK, and the Middle East.
Although the most infamous SamSam victim was the city of Atlanta in March, disruptive attacks on medical practice management software provider Allscripts as well as Hancock Health hospital in Indiana have also been recorded.
"Many victims found that they could not recover sufficiently or quickly enough to ensure business continuity on their own, and reluctantly paid the ransom," Sophos said.
The SamSam attacker has received ransoms as high as $64,000, based on analysis of payments to tracked Bitcoin wallets. The charges have increased dramatically, and the tempo of attacks shows no sign of slowing down.
Sophos has been investigating the SamSam campaign since its emergence. A study (PDF) based on this research – released on Tuesday – summarises its findings about the attacker's tools, techniques and protocols.
The attack method is surprisingly manual, and more cat burglar than smash-and-grab, according to Sophos. As a result, the attacker can employ countermeasures (if needed), and is adept at evading many security tools. If the process of encrypting data is interrupted, the malware comprehensively deletes all trace of itself.
Many attacks begin with a Remote Desktop compromise of a machine inside the network. The attacker is also known to deploy exploits at vulnerable machines to perform remote code execution. The attacker maintains a presence on the compromised machine while scanning the internal network.
The hacker or hackers behind the attack harness conventional open-source and commercial tools normally used for systems administration or penetration testing to steal passwords, move ransomware installers to Domain Administrator machines, and push the ransomware to connected workstations.
Unlike many ransomware attacks, SamSam infections do not originate in a conventional malicious spam or drive-by download attack. Each attack is a manual break-in of a targeted network, Sophos said.
Once the malware can scan the internal network and compile a list of potential victims, the hacker waits until the middle of the night in the victim's time zone before executing the attack – a command to distribute the malware and begin encrypting compromised machines.
SamSam is a particularly thorough encryption tool, rendering not only work data files unusable but also configuration and data files required to run applications (e.g. Microsoft Office), most of which are not routinely backed up.
As a result, recovery may require re-imaging and/or reinstalling software as well as restoring backups.
"The attacker is very good at covering their tracks and appears to be growing increasingly paranoid (or experienced) as time passes, gradually adding more security features into his tools and websites," Sophos reported.
The researchers estimate that the attacker earned an average of just under $300,000 (£228,000) per month in 2018. Payment is in Bitcoin. Once full payment has been received, the hacker moves the cryptocurrency into a system of tumblers and mixers which attempt to launder the source of the Bitcoin through myriad micro-transactions.
Recent ransom notes have taken an apologetic, almost contrite tone, with one file named SORRY-FOR-FILES.html and an extension of .weapologize on every encrypted file.
Defences against the malware include regular backups, multi-factor authentication and restricted access to port 3389 (RDP). These and other countermeasures are explained in a post on Sophos's Naked Security blog. ®