Fraud Management & Cybercrime , Next-Generation Technologies & Secure Development , Ransomware

SamSam Ransomware Offers Volume Decryption Discount

Crypto-Locking Malware Gold Rush May Be Over, But Threat Remains
SamSam Ransomware Offers Volume Decryption Discount
Ransom note left by recent SamSam infections. (Source: Cisco Talos)

Given a choice, few cybercriminals will try to reinvent the wheel. Instead, in their push to reap maximum reward for minimum risk or effort, they'll just keep finding new ways to use it (see Cryptocurrency Theft: Hackers Repurpose Old Tricks).

See Also: OnDemand | Adversary Analysis of Ransomware Trends

So despite the headlines about bitcoin exchanges heists and cryptojacking - malware that turns endpoints into miners designed to computationally generate bitcoins, ether, monero and other cryptocurrency - when it comes to generating illicit profits, ransomware remains alive and well.

"As often happens in the world of cybercrime, old threats stay with us for ages, and new threats simply add themselves to the mix rather than taking over," Paul Ducklin, a security researcher at anti-virus firm Sophos, says in a blog post.

The number of unique ransomware families or unique variants seen per year. (Source: F-Secure)

Some ransomware attackers have been refining their efforts by focusing on high-value targets that they think are more likely to pay large ransoms.

"Ransomware campaigns have historically been opportunistic in nature, infecting anyone they can via spam emails, exploit kits and malvertising," according to a new ransomware report from Finnish security firm F-Secure.

"But many cybercriminals are becoming more selective in their targets, and tailor their techniques to infect businesses or other organizations," it says. "Targeting organizations is fairly lucrative compared to infecting individual users because ransoms are typically set per device."

SamSam Targets Organizations

That tactic has been seen in particular with whoever is behind SamSam ransomware, which has been tied to at least eight outbreaks in the United States this year, triggering an alert from the cybersecurity center at the U.S. Department of Health and Human Services (see HHS Warns of SamSam Ransomware Attacks).

Victims have included electronic health records provider Allscripts, an unnamed industrial control system company - Bleeping Computer has reported - plus two Indiana hospitals, including Hancock Health, as well as the City of Atlanta, among others (see Atlanta's Ransomware Cleanup Costs Hit $2.6 Million).

Instead of attackers using shotgun-like tactics to indiscriminately lob crypto-locking malware at consumers and organizations en masse, Sophos says the SamSam gang at least has been getting much more targeted.

"Instead of blasting out one copy of the malware to thousands of potential victims over a day or two, the crooks blast thousands of copies of the malware onto computers inside a single organization, pretty much all at once ... and then, almost casually, they offer a 'volume discount' to fix the entire company in one fell swoop," Ducklin says.

Ransomware as a Business

SamSam first appeared in 2016 and has continued to get updated.

Early this year, Cisco's Talos security group reported seeing a new variant that was being used, apparently in highly targeted attacks against government, healthcare and industrial control system vendor targets.

"Although the infection vector for the new variant is not yet confirmed, there is a possibility that compromised RDP/VNC servers have played a part in allowing the attackers to obtain an initial foothold," reported Vitor Ventura, a senior security researcher at Cisco Talos, in a January blog post.

Hackers often use brute-force attacks against weak remote desktop protocol or virtual network computing credentials - or purchase those credentials via cybercrime forums - to gain easy access to targeted networks, security experts say. After spending weeks or months exploring breached networks and looking for valuable information, attackers may crypto-lock the systems as the final stage of their attack in an attempt to increase their profits (see Hackers Exploit Weak Remote Desktop Protocol Credentials).

SamSam's Volume Discount for Decryption

SamSam uses a batch - aka BAT - file "for executing the malware and deleting certain components," Dorka Palotay and Peter Mackenzie of SophosLabs write in a new report.

The batch file also allows attackers to set their price points for each attack. In one attack, the price was set at 0.8 bitcoins to unlock individual, crypto-locked hosts, or 5 bitcoins to unlock them all. As of Wednesday, that would work out to $7,300 to unlock an individual system or $46,000 to unlock them all.

In January, Cisco Talos had traced ransom payments totaling at least 30.4 bitcoins - then worth $325,000 - to an attacker-controlled wallet.

Since then, the Sophos researchers say, the SamSam gang appears to have switched to another wallet, which by the end of April recorded ransom payments currently worth about $623,000.

Attackers to Victims: 'We Are Honest'

Many attackers also go out of their way to assure victims that if they pay a ransom, they will receive a decryption key (see Ransomware Gangs Take 'Customer Service' Approach).

SamSam is no exception. "We don't want to damage our reliability," a recent ransom note reads. "We are honest."

To demonstrate their supposedly good intensions, "SamSam adversaries offer free decryption of two files and an additional free key to decrypt one server," according to Cisco Talos.

But attackers also warn that they're not offering any "get out of jail for free" cards. "Once again, SamSam actors show their ability to monitor and laterally move through the network by pointing out they will only provide a key if they believe the server is not an important piece of infrastructure," according to Cisco Talos.

Who's Paying Attackers?

Law enforcement and security experts have long recommended that organizations never pay ransoms, because they directly fund cybercrime, encourage criminals to keep attacking, and can even result in the same victims being crypto-locked and extorted multiple times, once criminals learn of their propensity to pay (see Please Don't Pay Ransoms, FBI Urges).

Defending against ransomware attacks requires preparation, including ensuring that organizations maintain complete, current and easily recoverable backups, stored offline so they cannot be encrypted by ransomware. Many organizations, however, do not appear to focus on these disaster recovery essentials until they have already suffered a ransomware outbreak. In addition, restoration is not an instantaneous process. Organizations that have up-to-date backups still face days or weeks of effort to wipe and restore affected systems, and can see profits - or in the case of healthcare organizations, patient care - suffer in the interim.

So it's no surprise that multiple studies have found that a significant number of ransomware victims do pay a ransom, meaning that infecting PCs and servers with crypto-locking malware appears to remain a lucrative cybercrime endeavor. Indeed, some security experts suggest that ransomware profits for criminals have exceeded the $1 billion mark (see I Believe in Cybercrime Unicorns).

"According to a 2017 study from Australian telecommunications company Telstra, approximately 57 percent of businesses in the Asia-Pacific region dealt with ransomware infections by paying," F-Secure says. "A similar study published in 2016 found that 70 percent of organizations paid. But some estimates are more conservative, with a 2018 survey finding that only about 40 percent of companies paid the ransom - with only about half of those getting their data back."

SamSam has also been seeing profits from its ransomware efforts. In January, Hancock Health reported that it had paid the gang 4 bitcoins, worth about $55,000 at the time, to receive a decryption key that did enable it to unlock its crypto-locked systems.

Ransomware: 577 Families and Counting

But SamSam is only one of an ever-increasing number of ransomware families being seen in the wild (see Crypto-Locking Ransomware Attacks Spike).

Top ransomware families per year based on infection volume. (Source: F-Secure)

In 2016, ID Ransomware - a site that allows victims to upload a ransom note or encrypted file to identify the ransomware that crypto-locked them - counted more than 200 ransomware families.

By the start of this year, that figure had more than doubled (see Ransomware Outlook: 542 Crypto-Lockers and Counting).

And as of Wednesday, the count now stands at 577 ransomware families.

The ID Ransomware site now counts 577 types of ransomware, of which there can be numerous variants.

Michael Gillespie, the self-described "ransomware hunter" behind ID Ransomware, told Information Security Media Group earlier this year that his count of new ransomware appears to be slowing, although new variants are still emerging at an appreciable rate.

"I'd say it has been slowing down a little, just because I don't add every little in-dev thing we spot anymore," he said. For example, "the number displayed on IDR actually doesn't include all the little strains of HiddenTear - they are all identified just under 'HiddenTear.' I only separate off a HiddenTear-based ransomware if it's something really unique."

Hidden Tear is open source, proof-of-concept ransomware published to GitHub by Turkish programmer Utku Sen in August 2015. Sen said his intentions were educational, and ever since then, attackers have been using it to school victims (see Ransomware Gets Pokémon Go Treatment).

Low Barriers to Entry

But Hidden Tear is just one of many different options. Thanks to the effectiveness of ransomware at generating profits, anyone who wants to use it to generate illicit profits can tap one of numerous options now available via cybercrime forums (see Want to Get Into Ransomware? This Kit Costs Just $175).

One reason ransomware development has increased so dramatically - in addition to its popularity - is the degree of support it's received from cybercriminals, F-Secure says. "The availability of ransomware-as-a-service offerings, such as Cerber and Satan, and open source projects, such as HiddenTear and EDA2, make ransomware accessible to attackers that lack the skills or resources to develop their own malware from scratch. And supporting infrastructure, such as exploit kits and spam services, are readily available for rent or purchase by these adversaries."

For cybercriminals, in other words, ransomware business keeps booming.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.