SaMSaM Held Atlanta Ransom. Who’s Next?

Image Source: SOPHOSLABS 2019 THREAT REPORT

Image Source: SOPHOSLABS 2019 THREAT REPORT

We’ve written quite a bit about municipalities large and small (think Atlanta, GA and Batavia, IL) becoming the focus of hackers and cybercriminals. Today we’ll shed a little more light on the malware that brought Atlanta to its knees in March.
SaMSaM for Ransom
Dubbed SaMSaM, researchers at Sophos have dedicated a portion of their SOPHOSLABS 2019 THREAT REPORT to this highly profitable group of malware maestros. Sophos describes SamSam’s highly personalized, hi-touch ransomware attacks as being akin to a “cat burglar” as opposed to the more “smash and grab” approach of automated ransomware attacks that utilize commodity ransomware such as GandCrab.

The Advantages of Being Hands-On
Rather than relying on automation to rapidly attack hundreds of systems at once and hoping that some sort of exploitable vulnerability surfaces, for nearly 3 years SamSam has applied an old school hands-on approach to infiltration and infection. It typically begins by brute-forcing RDP passwords, which ultimately leads to harvesting domain admin credentials. With these credentials in hand SamSam then waits for just the right moment, say Friday evening on a holiday weekend to strike – pushing out the malware to as many machines as possible simultaneously
This hi-touch, cat burglar approach has allowed SamSam to focus on vulnerable targets with deep pockets and has yielded known ransom payments totaling $6.5 Million USD in a little under 3 years.
Imitation is the Sincerest Form of Flattery
Even though the mysterious folks behind SamSam do not appear to collaborate, or even brag in forums, their high value exploits have not gone unnoticed and several impersonators have spawned such as the ultra-high ransom group BitPaymer which reportedly charges ransoms in the $50,000 to $1MM dollar range.
Konsultek’s Recommendation – Rein in RDP and Get the Fundamentals Locked Down
Since many of the worst manual ransomware attacks have relied upon Windows Remote Desktop as a point of entry it stands to reason making sure you have this potential avenue of ingress secured should be a top priority. Once this basic vulnerability is secured you should also make sure that your team is practicing good password management and keeping systems up to date and patched. Even the most sophisticated security solutions will be hamstrung if sloppy network hygiene virtually invites hackers in!
If you’d like a free visibility report to potential problems mentioned in this blog, please contact us immediately.

© Copyright 2018 Konsultek