According to the newest research from Sophos, SamSam may be the most lucrative ransomware so far, having collected almost US $6 million in paid ransoms.
Unlike most ransomware, SamSam is not spread through large, untargeted spam campaigns. It is delivered in targeted attacks by a skilled team or individual who breaks into the victim's network by hand and sets out to cause maximum damage. Because it is used far less widely than other ransomware, SamSam has stayed under the radar since it first appeared in December 2015.
According to the Sophos research paper, SamSam is deployed in the same way, and with the same tools, as legitimate software. While it was originally believed that SamSam mostly targeted the healthcare, government and education sectors, the research suggests otherwise, with the private sector being the primary target.
In the same research, carried out in cooperation with the cryptocurrency-monitoring organization Neutrino, Sophos confirmed that SamSam collected almost US $6 million in ransom payments between January 2016 and July 2018.
In light of the new research, Sophos warns that backing up your data alone may not be enough to protect against SamSam; organizations also need a comprehensive plan for rebuilding machines.
The attack starts with the attacker gaining access over RDP (Remote Desktop Protocol) by using a tool such as nlbrute to guess a weak password. SamSam has no worm or virus capability to spread by itself, but that is little comfort: once on the network, the attacker works to obtain Domain Admin privileges, scans the network for valuable targets, and then deploys and executes the malware as any self-respecting sysadmin might, using utilities such as PsExec or PaExec.
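The RDP password-guessing entry point described above leaves a loud trail in the Windows Security log, and it can be caught before the attacker gets anywhere near Domain Admin. The following is an added example, not code from the Sophos paper or from this article: a minimal SIEM-style rule that runs over constructed Windows Security events and flags a source address that produces a burst of failed RDP logons and then logs in successfully. The event IDs 4625 (logon failed) and 4624 (logon succeeded) and LogonType 10 (RemoteInteractive, i.e. RDP) are real; the sample records, their simplified field layout, and the threshold and window values are assumptions made for the example.

```python
"""Flag RDP password guessing that is followed by a successful logon.

Added example, not from the Sophos paper or the article it is inserted
into. Event IDs 4625 (logon failed) and 4624 (logon succeeded) are real
Windows Security event IDs and LogonType 10 means RemoteInteractive
(RDP). The records below are constructed for the example and use a
simplified field layout (timestamp, event_id, logon_type, target_user,
source_ip); a real deployment would read them from the Security log or
a SIEM rather than from a list.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EVENT_LOGON_FAILED = 4625
EVENT_LOGON_OK = 4624
LOGON_TYPE_RDP = 10          # RemoteInteractive

# Constructed sample data (not real logs). 203.0.113.7 hammers the
# administrator account, then gets in as backupadmin: the SamSam pattern.
SAMPLE_EVENTS = [
    ("2018-07-30T02:00:01", 4625, 10, "administrator", "203.0.113.7"),
    ("2018-07-30T02:00:02", 4625, 10, "administrator", "203.0.113.7"),
    ("2018-07-30T02:00:03", 4625, 10, "admin",         "203.0.113.7"),
    ("2018-07-30T02:00:04", 4625, 10, "administrator", "203.0.113.7"),
    ("2018-07-30T02:00:05", 4625, 10, "administrator", "203.0.113.7"),
    ("2018-07-30T02:00:06", 4625, 10, "administrator", "203.0.113.7"),
    ("2018-07-30T02:00:07", 4625, 3,  "administrator", "203.0.113.7"),  # network logon, not RDP
    ("2018-07-30T02:00:40", 4624, 10, "backupadmin",   "203.0.113.7"),
    ("2018-07-30T02:05:00", 4625, 10, "jsmith",        "198.51.100.9"),  # one typo by a real user
    ("2018-07-30T02:05:30", 4624, 10, "jsmith",        "198.51.100.9"),
    ("2018-07-30T02:10:00", 4624, 10, "helpdesk",      "10.0.0.5"),
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: finding} for every source that produced at least
    `threshold` failed RDP logons inside some `window`-long span.

    A finding records when the burst began, how many RDP failures the
    source produced in total, which usernames it tried and, if an RDP
    logon from the same source succeeded after the burst began, which
    account it got in as (the case that matters most).
    """
    failures = defaultdict(list)    # ip -> [(ts, user)], RDP failures only
    successes = defaultdict(list)   # ip -> [(ts, user)], RDP successes only
    # ISO-8601 timestamps sort correctly as strings, so sorting the tuples
    # puts the events in time order.
    for ts_str, event_id, logon_type, user, ip in sorted(events):
        if logon_type != LOGON_TYPE_RDP:
            continue                # SMB/service logons are out of scope here
        ts = datetime.fromisoformat(ts_str)
        if event_id == EVENT_LOGON_FAILED:
            failures[ip].append((ts, user))
        elif event_id == EVENT_LOGON_OK:
            successes[ip].append((ts, user))

    findings = {}
    for ip, fails in failures.items():
        # Sliding window over the time-ordered failures: the burst begins at
        # the first failure that has `threshold - 1` more within `window`.
        burst_start = None
        for i in range(len(fails) - threshold + 1):
            if fails[i + threshold - 1][0] - fails[i][0] <= window:
                burst_start = fails[i][0]
                break
        if burst_start is None:
            continue
        later_successes = [u for t, u in successes[ip] if t > burst_start]
        findings[ip] = {
            "burst_start": burst_start.isoformat(),
            "failures": len(fails),
            "usernames_tried": sorted({u for _, u in fails}),
            "succeeded_as": later_successes[0] if later_successes else None,
        }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, finding)
```

On the sample data only 203.0.113.7 is flagged: six RDP failures against two account names, followed by a successful RDP logon as backupadmin. The single failed logon from 198.51.100.9 and the clean logon from 10.0.0.5 are ignored, as is the non-RDP 4625 event. A per-source threshold like this misses password spraying spread across many source addresses and slow, patient guessing below the window, so in practice you would also count failures per target account and over longer windows, and follow a hit by looking for the lateral-movement stage the article describes, for example System event 7045 recording the PSEXESVC service that PsExec installs on the hosts it targets.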
The research also shows that the ransom demands have increased over time to about US $50,000, significantly more than typical ransomware asks for.
The paper recommends a layered approach to security: restricting RDP access to staff connecting over a VPN, using multi-factor authentication for VPN access and for sensitive internal systems, carrying out regular vulnerability scans and penetration tests, and keeping backups offline and offsite.
You can check out the full post about SamSam over at Sophos’ NakedSecurity site and you can find the research paper, titled “SamSam: The (Almost) Six Million Dollar Ransomware”, over at Sophos’ website.