SophosLabs @SophosLabs, 20 tweets, 10 min read
1/ The threat actors behind the #SamSam ransomware, now identified by the FBI in an indictment publicized today, pioneered a very specific playbook in their attacks that has inspired a rash of copycats.

Here's a thread that explains their TTP (tactics, techniques & procedures):
2/ In July, we published a report that goes into great detail about the #SamSam TTP, so if this is of interest to you, maybe check it out:

sophos.com/en-us/medialib…

What follows is a summary of some of what we covered in the report.
3/ The #SamSam attackers started by conducting surveillance of the victims. They wanted to know if the victims had sufficiently deep pockets to pay the ransom, which over time averaged out to the mid-$30,000 as Bitcoin exchange rates fluctuated.
4/ The surveillance may have used a number of freely available tools, but the primary selection criterion seems to have been whether the victims were based in the "Anglosphere" (the English-speaking world, primarily the US) and had money.
5/ The attackers relied on "low-hanging fruit" to break into networks. Most attacks began with the attackers brute-forcing passwords for Windows machines that had Remote Desktop Protocol (RDP) exposed through a hole in the firewall.

If you have RDP open, please close it now.
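Closing the port is the fix; the check that tells you whether someone is already hammering an exposed RDP service is a count of failed RemoteInteractive logons per source address. The script below is an added example, not code from the thread or from Sophos. It runs over constructed records modelled on Windows Security event 4625 (logon type 10 is RDP); the addresses, account names, window and threshold are all assumptions for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows Security event 4625 (failed logon).
# Logon type 10 is RemoteInteractive, i.e. an RDP session. Addresses, users and
# timestamps are made up for this example.
SAMPLE_EVENTS = [
    {"time": "2018-11-24T02:14:01", "ip": "203.0.113.9", "user": "administrator", "logon_type": 10},
    {"time": "2018-11-24T02:14:03", "ip": "203.0.113.9", "user": "administrator", "logon_type": 10},
    {"time": "2018-11-24T02:14:06", "ip": "203.0.113.9", "user": "admin", "logon_type": 10},
    {"time": "2018-11-24T02:14:09", "ip": "203.0.113.9", "user": "admin", "logon_type": 10},
    {"time": "2018-11-24T02:14:12", "ip": "203.0.113.9", "user": "backup", "logon_type": 10},
    {"time": "2018-11-24T02:14:15", "ip": "203.0.113.9", "user": "backup", "logon_type": 10},
    # A network (type 3) failure from the same source: not an RDP attempt, ignored.
    {"time": "2018-11-24T02:20:00", "ip": "203.0.113.9", "user": "svc-backup", "logon_type": 3},
    # A legitimate user mistyping a password twice during the day.
    {"time": "2018-11-24T09:01:10", "ip": "198.51.100.7", "user": "jsmith", "logon_type": 10},
    {"time": "2018-11-24T09:01:40", "ip": "198.51.100.7", "user": "jsmith", "logon_type": 10},
]


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: (failures, users)} for every source address that produced
    at least `threshold` failed RDP logons (logon type 10) inside one sliding
    `window`. `failures` is the largest count seen in a single window and `users`
    the account names tried in that window."""
    attempts_by_ip = defaultdict(list)
    for ev in events:
        if ev["logon_type"] != 10:
            continue
        attempts_by_ip[ev["ip"]].append((parse_time(ev["time"]), ev["user"]))

    alerts = {}
    for ip, attempts in attempts_by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window's left edge forward until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(ip, (0, []))[0]:
                users = sorted({user for _, user in attempts[start:end + 1]})
                alerts[ip] = (count, users)
    return alerts


def run_sample():
    return detect_rdp_bruteforce(SAMPLE_EVENTS)


if __name__ == "__main__":
    for ip, (count, users) in run_sample().items():
        print(f"{ip}: {count} failed RDP logons, accounts tried: {', '.join(users)}")
```

The sliding window, rather than a flat per-day count, is what separates the six failures in fourteen seconds from a user who fat-fingers a password twice; feed it exported 4625 events and tune `threshold` and `window` to the noise level of your own environment.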
6/ Some early attacks began with exploits against vulnerabilities in a service called JBoss. The attackers used a tool called JexBoss.

An IoC of this type of attack is the file jbossass.war (MD5: CBDEAF83F58A64B09DF58B94063E0146)

This method quickly fell out of favor, replaced by RDP.
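A sweep for that indicator is simple enough to script. The following is an added example, not code from the thread or from Sophos: it walks a directory tree and reports any file that matches the IoC by name (jbossass.war) or by the MD5 quoted above, hashing every file so a renamed copy is still caught. The directory layout and file contents in `demo_scan` are constructed for the demo; the only value taken from the thread is the MD5.

```python
import hashlib
import tempfile
from pathlib import Path

# Indicators from the thread: JexBoss drops its web shell as jbossass.war.
# The MD5 is the one quoted above (lowercased for comparison); everything
# else in this file is constructed for the example.
IOC_NAMES = {"jbossass.war"}
IOC_MD5 = {"cbdeaf83f58a64b09df58b94063e0146"}


def md5_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large archives never have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_tree(root, ioc_names=IOC_NAMES, ioc_md5=IOC_MD5):
    """Walk `root` and return a sorted list of (path, reason) for every file that
    matches an indicator by file name, by MD5, or both ("name+md5")."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        reasons = []
        if path.name.lower() in ioc_names:
            reasons.append("name")
        if md5_of_file(path) in ioc_md5:
            reasons.append("md5")
        if reasons:
            hits.append((str(path), "+".join(reasons)))
    return sorted(hits)


def demo_scan():
    """Build a throwaway directory of constructed files and scan it. One file carries
    the IoC name (its content is a placeholder, so its hash will not match the real
    one), one is benign, and one is caught purely by hash using a digest computed
    for this demo and added to the IoC set."""
    root = Path(tempfile.mkdtemp())
    deploy = root / "deploy"
    deploy.mkdir()
    (deploy / "jbossass.war").write_bytes(b"constructed placeholder, not the real archive")
    (deploy / "app.war").write_bytes(b"harmless application archive")
    flagged_content = b"content whose hash we add to the IoC set"
    (deploy / "renamed.bin").write_bytes(flagged_content)
    extra_md5 = {hashlib.md5(flagged_content).hexdigest()}
    return scan_tree(root, ioc_md5=IOC_MD5 | extra_md5)


if __name__ == "__main__":
    for path, reason in demo_scan():
        print(f"{reason:8} {path}")
```

Point `scan_tree` at a JBoss deployment directory to use it for real; a name match alone is worth investigating, but the hash match is the one that survives an attacker renaming the archive.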
7/ Once the #SamSam attackers gained a foothold in the network, they used a variety of grey-hat and systems administrator tools to escalate their own privileges. The goal: Obtain Domain Administrator credentials, usually by sniffing for them using Mimikatz.
8/ As soon as they had the Domain Administrator password, the #SamSam attackers took control of the Domain Controller. They leveraged the DC to distribute the ransomware to every machine on the network, but they didn't do it right away. They did tests first, before deployment.
9/ Using Microsoft's free tool PsExec, the attackers pushed ransomware to every machine they could reach from the DC, all at once.

They waited until late at night, over weekends, or holidays to launch the attack, when the fewest people might notice before it was too late.
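The two tweets above describe one detectable pattern: a single privileged account installing PsExec's service on many hosts within minutes, outside business hours. The script below is an added example, not code from the thread or from Sophos. It runs over constructed records modelled on Windows System log event 7045 ("A service was installed in the system"), which PsExec triggers on each target because it installs a service named PSEXESVC; the host names, accounts, window size, host threshold and the definition of "off hours" are all assumptions for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records modelled on Windows System log event 7045 ("A service was
# installed in the system"). PsExec creates a service called PSEXESVC on every
# target it runs against, so a burst of those installs from one account is the
# signal. Host and account names are made up for this example.
SAMPLE_SERVICE_EVENTS = [
    {"time": "2018-11-24T02:31:05", "host": "FS01", "service": "PSEXESVC", "account": "CORP\\da-admin"},
    {"time": "2018-11-24T02:31:06", "host": "FS02", "service": "PSEXESVC", "account": "CORP\\da-admin"},
    {"time": "2018-11-24T02:31:07", "host": "SQL01", "service": "PSEXESVC", "account": "CORP\\da-admin"},
    {"time": "2018-11-24T02:31:09", "host": "WS-104", "service": "PSEXESVC", "account": "CORP\\da-admin"},
    {"time": "2018-11-24T02:31:11", "host": "WS-105", "service": "PSEXESVC", "account": "CORP\\da-admin"},
    # An unrelated service install in the same minute, ignored.
    {"time": "2018-11-24T02:31:08", "host": "FS01", "service": "Spooler", "account": "NT AUTHORITY\\SYSTEM"},
    # Help desk using PsExec on a single workstation on a weekday morning.
    {"time": "2018-11-21T10:15:00", "host": "WS-017", "service": "PSEXESVC", "account": "CORP\\helpdesk"},
]


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")


def is_off_hours(ts, night_start=22, night_end=6):
    """True on a weekend or between night_start and night_end (hours, local time)."""
    return ts.weekday() >= 5 or ts.hour >= night_start or ts.hour < night_end


def detect_mass_psexec(events, min_hosts=3, window=timedelta(minutes=5), service="PSEXESVC"):
    """For each account, find the sliding `window` in which it installed `service`
    on the most distinct hosts. Return one alert per account whose best window
    reaches `min_hosts`, with an off-hours flag taken from the window's first event."""
    installs_by_account = defaultdict(list)
    for ev in events:
        if ev["service"].upper() != service:
            continue
        installs_by_account[ev["account"]].append((parse_time(ev["time"]), ev["host"]))

    alerts = []
    for account, installs in installs_by_account.items():
        installs.sort()
        best = None
        start = 0
        for end in range(len(installs)):
            while installs[end][0] - installs[start][0] > window:
                start += 1
            hosts = sorted({host for _, host in installs[start:end + 1]})
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best["hosts"])):
                first = installs[start][0]
                best = {"account": account, "first_seen": first.isoformat(),
                        "hosts": hosts, "off_hours": is_off_hours(first)}
        if best:
            alerts.append(best)
    return alerts


def run_sample():
    return detect_mass_psexec(SAMPLE_SERVICE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        when = "off-hours" if alert["off_hours"] else "business hours"
        print(f"{alert['account']} installed PSEXESVC on {len(alert['hosts'])} hosts "
              f"starting {alert['first_seen']} ({when}): {', '.join(alert['hosts'])}")
```

Counting distinct hosts per account rather than raw events is what keeps a help desk technician's single PsExec session below the threshold while a push to the whole estate trips it; the off-hours flag is a prioritisation hint, not a filter, since a daytime mass push is just as worth a page.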
10/ To make it hard for security experts to analyze the malware, they built samples unique to each victim organization, and executed them using a batch file that decrypted the payload with a password they changed for each attack.
11/ The #SamSam ransomware pushed the limits for efficiency, too. It encrypted the most important files first, and then EVERYTHING ELSE that wasn't essential to keeping the machine running.

You couldn't just restore from backups. You needed to reimage the disk first. Pure evil.
12/ Faced with a prospect of, perhaps, weeks of downtime and painstaking recovery, it's not surprising many victims opted to pay the #SamSam attackers. For many, it was a matter of organizational survival, though a costly one.
13/ Every victim was provided with a unique .onion address on the dark web. At the other end, there was a kind of chat system where the victim interacted directly with the #SamSam attackers.

These disappeared as soon as the victim paid. Only a few screenshots exist. Here's one:
14/ We tracked Bitcoin payments to a small number of wallets. The cryptocurrency was then "tumbled" to obfuscate its origin and destination.

We traced many of these back to their origins and found something quite interesting.
15/ While many victims, including the City of Atlanta, openly admitted they had been targeted by #SamSam, more than half of the paying victims never made any kind of public announcement at all.

All these "silent victims" were large businesses.
16/ It's also clear that the #SamSam attackers had a single country primarily in their crosshairs, once you correlate the victim organizations' location.

Now that we know who the attackers were, the motivation seems kind of obvious.
17/ Today's news about the FBI identifying and indicting the #SamSam threat actors makes us happy, but it doesn't mean the case is closed. Far from it, in fact.

Nobody's been arrested, and there is still a lot of low-hanging fruit out there.

18/ Worse, several other threat groups have picked up on this modus operandi, and are mimicking the #SamSam technique to spread ransomware. These white-glove, hand delivered, targeted attacks are still going on.
19/ So, we all have a lot of work to do. This fight is only entering the next phase. Close those RDP ports! Patch your old boxes! At the very least, pick your low-hanging fruit and make some fruit salad!
20/ We'll be covering the rise of targeted ransomware and its aftermath in our labs blog, SophosLabs Uncut. Join us as we fight this scourge! (end)

news.sophos.com/en-us/2018/07/…