The ongoing SamSam ransomware campaign responsible for recently infecting the US city of Atlanta, the Colorado Department of Transportation and an array of health care organisations represents an emerging operational model for malicious cryptors, according to researchers at Sophos.
"Instead of blasting out one copy of the malware to thousands of potential victims over a day or two, the crooks blast thousands of copies of the malware onto computers inside a single organisation, pretty much all at once," the IT security company explains in a 27 April blog post authored by senior technologist Paul Ducklin. "And then, almost casually, they offer a 'volume discount' to fix the entire company in one fell swoop."
Forgoing conventional "spray and pray" strategies often associated with spamming campaigns, this strategy instead allows adversaries to launch pervasive and highly debilitating attacks against specific organisations exposed by vulnerabilities or weak credentials, and then charge them prohibitive sums.
In lieu of spam, the SamSam attackers exploit unknown bugs and conduct brute-force attacks against the Remote Desktop Protocol to gain unauthorised network access and infect victims, Sophos explains in a new technical report by threat researcher Dorka Palotay and global malware escalations manager Peter Mackenzie. Then they spread SamSam to additional connected systems by means of network mapping and credential theft, manually deploying the ransomware with tools like PSEXEC and batch (BAT) scripts.
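The RDP brute-forcing described above leaves a recognisable trace in Windows Security logs: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive) from one source address, followed by a successful logon (Event ID 4624) from the same address. The following Python is an added example for defenders and is not code from Sophos or from the report; the event records are constructed, and the flattened field names (`time`, `event_id`, `logon_type`, `user`, `src_ip`) are an assumed simplification of the Windows event XML rather than its real schema. It flags a source that exceeds a failure threshold inside a sliding window and raises the severity when that source then logs on successfully.

```python
"""Sliding-window detection of RDP brute-force followed by success (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, not real logs. Field names are a simplified
# assumption; real 4625/4624 events carry these values in the event XML.
# 203.0.113.45 fails six times against "administrator" in 30 seconds and
# then succeeds; 198.51.100.7 is a single mistyped password (benign).
SAMPLE_EVENTS = [
    {"time": "2018-04-30T02:14:01", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.45"},
    {"time": "2018-04-30T02:14:07", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.45"},
    {"time": "2018-04-30T02:14:13", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.45"},
    {"time": "2018-04-30T02:14:19", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.45"},
    {"time": "2018-04-30T02:14:25", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.45"},
    {"time": "2018-04-30T02:14:31", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.45"},
    {"time": "2018-04-30T02:14:40", "event_id": 4624, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.45"},
    {"time": "2018-04-30T02:15:10", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src_ip": "198.51.100.7"},
    # Logon type 3 (network) is not RDP and is ignored by this rule.
    {"time": "2018-04-30T02:15:20", "event_id": 4625, "logon_type": 3, "user": "svc_backup", "src_ip": "10.0.0.9"},
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source IP that exceeds `threshold` failed RDP
    logons within `window`. If the same source later logs on successfully,
    the alert is escalated to high severity and records the account used."""
    events = sorted(events, key=lambda e: e["time"])
    recent_failures = defaultdict(deque)  # src_ip -> timestamps of 4625s inside the window
    alerts = {}                           # src_ip -> alert dict

    for ev in events:
        if ev.get("logon_type") != 10:    # only RemoteInteractive (RDP) logons
            continue
        ts = datetime.fromisoformat(ev["time"])
        ip = ev["src_ip"]

        # Drop failures that have aged out of the sliding window.
        window_failures = recent_failures[ip]
        while window_failures and ts - window_failures[0] > window:
            window_failures.popleft()

        if ev["event_id"] == 4625:
            window_failures.append(ts)
            if len(window_failures) >= threshold:
                alert = alerts.setdefault(ip, {
                    "src_ip": ip, "failures": 0,
                    "severity": "medium", "compromised_user": None,
                })
                alert["failures"] = max(alert["failures"], len(window_failures))
        elif ev["event_id"] == 4624 and ip in alerts:
            # Success after a flagged burst: treat the account as compromised.
            alerts[ip]["severity"] = "high"
            alerts[ip]["compromised_user"] = ev["user"]

    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

Tuning `threshold` and `window` to the environment matters: a help desk resetting passwords produces short bursts of 4625s from a single internal address, so the high-severity path (success after a burst) is the signal worth paging on, and a source that never succeeds is a candidate for firewall blocking rather than incident response.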
For instance, the technical report references one SamSam sample that includes a BAT file that allows the cyber-criminals to customise the ransom price in Bitcoin for each individual attack. The sample gives victims the option of paying roughly US$ 7,200 (£5,263) to decrypt each infected PC on an "a la carte" basis, or about US$ 45,000 (£32,894) to "buy in bulk" and decrypt the entire organisation all at once.
Bitcoin prices are constantly adjusted according to current conversion rates in order to maintain prices at these levels, states Sophos. Since switching Bitcoin wallet addresses in mid-January, this SamSam variant has received 23 payments, earning a total income of 68.1 BTC, or close to US$ 628,000 (£459,055) as of 30 April. "Most of the victims have decided to pay the full price," the report states.
In January 2018, Cisco Systems' Talos research division reported on a relatively new SamSam technique whereby a loader mechanism called runner executes and decrypts an encrypted version of the ransomware payload. Since then, Sophos has discovered an evolution in the runner component: "The interesting change in the runner component is that the decryption function, used to decrypt the payload, is no longer located inside the executable but rather in a separate DLL file," the report states.