The Anatomy of a Successful Bitcoin Ransomware Attack and How to Prevent Becoming a Victim

In early 2016, reports of a particularly crippling ransomware attack began to surface. While many of the victims were based in the U.S., the attacks were also witnessed in other parts of the world. The ransomware has proceeded to be active since then and continues to update and better itself with each version released.

What Is SamSam?

Leading security outfit Sophos has released a paper detailing the specifics of the ransomware. Using its in-depth knowledge as well as its sophisticated research tools, the English firm has been able to uncover essential details regarding the attack. These include the scope of the attack, certain inferences about the creator of the ransomware, and the IOC (Indicators of Compromise), amongst others.

The paper is called “SamSam: The (Almost) Six Million Dollar Ransomware” and was created in conjunction with blockchain analysis firm Neutrino.

Ransomware refers to a type of malicious software. Once the software can gain access to a computer or network of computers, it launches and encrypts the files. The attackers then demand a ransom from the victims in order to decrypt the data and restore functionality to the network. Today, the ransom is often paid in cryptocurrencies such as bitcoin.

Ransomware attacks have been increasing in quantity and severity in the past years. For instance, the WannaCry ransomware, which gained infamy last year, is still infecting new victims with the latest casualty being the aviation giant Boeing.

In this year alone, SamSam has reportedly affected a number of organizations. The malware has been blamed for deleting the dashcam footage for the city of Atlanta, potentially affecting a large number of cases. Additionally, a SamSam infection resulted in the network of the Colorado Department of Transportation being offline for many days. The malware also affected healthcare providers as well as universities.

How it Works

While ransomware attacks are usually crippling, SamSam continues to set itself apart from its counterparts due to a combination of factors. One of the most important distinctions is the infection vector. The researchers at Sophos believe the method used by the perpetrators is part of the reason why the attack has been so successful.

SamSam is not designed to spread through an email with the malicious code attached to it, as is the case with most ransomware currently. Instead, the creator of the malware targets explicitly their victims. They attempt to gain access to a computer within the target’s network remotely. Once the attackers have access to one machine, they target the rest of the computers on the network. The entire attack process happens in six steps.

The first step involves identifying the victim; while it is unknown how the perpetrators eventually decide on their victim, the attacker will specifically target an organization and is not a random infection. Sophos postulates that the attackers may be acquiring lists of poorly protected systems through the dark web and that this information may inform their decision on who they attack. The security firm reported:

“They could be purchasing lists of vulnerable servers from other hackers on the dark web, or simply using publicly available search engines such as Shodan or Censys. What is clear is that they tend to target medium to large organizations, predominantly based in the United States.”

Once a target is acquired, the attacker will attempt to infiltrate the network. They use a handful of tools to achieve this. In the initial versions of the SamSam malware, the creator exploited JBOSS vulnerabilities in a network in order to extract the permissions that allowed them to launch the malware on the system. JBOSS is a Java application server.

However, as the ransomware increased in sophistication, the attack began to use the Remote Desk Protocol (RDP) to its advantage. RDP is a communication system designed to allow administrators to gain remote access to a network to keep it in proper functioning order. However, the attacker uses this vector to gain access to a network. Using the tool NLBrute, the attacker brute forces the password to the network. This is the malware’s preferred point of entry currently and represents the second phase.

Once the attacker has access to the system after brute forcing the password, they continue to attempt to elevate their permissions to the level of an admin account which would allow them to launch SamSam. This process usually takes a while and can continue for days. Additionally, the perpetrator will steal the login credentials of a genuine administrator account using a tool known as Mimikatz. This is the third stage of the attack.

The fourth step is identifying the vulnerable computers in the network. SamSam is spread by its creators manually, and the hackers aim to deploy the malware while masquerading as genuine administrators. Sophos believes this vector is taken because it affords certain advantages to the attack:

“As a manual attack, it poses no risk of spreading out of control, attracting unwanted attention. It also allows the attacker to cherry pick targets, and to know which computers have been encrypted. But first, it has to choose the targets.“

Using the credentials they have stolen or otherwise acquired, the hackers take control of a server on the network. This compromised server then becomes the operational command center of the attack. The hacker deploys network scanning tools from the server to identify the computers they will infect.

“When the scanning tool is able to access a potential victim’s filesystem, it writes a plain text file named test.txt (which contains only the characters ‘ok’) to the C:\Windows\ System32 folder of any machine it is able to access. Simultaneously, the tool creates a list of operational, potential-victim computers in a file named alive.txt on the compromised server. The attacker later uses this .txt file as a target list.”

The fifth step is the actual launch of the malicious code. The hackers manually launch SamSam using system application tools. Once the malware has infected the target computers, the last step for the attackers is merely to wait for communication, as well as the ransom, from the victims.

An important point to note is that SamSam encrypts all files on its target. “SamSam encrypts not only document files, images, and other personal or work data, but also configuration and data files required to run applications (e.g., Microsoft Office). Victims whose backup strategy only protects the user’s documents and files won’t be able to recover a machine without reimaging it, first.”

his is part of what makes this malware so insidious and why the attacker has been able to make off with almost $6 million in profit over the last two and a half years.

SamSam Ransomware Crew Made Nearly $6 Million From Ransom Payments – by @campuscodihttps://t.co/5zxC59hGoW

— BleepingComputer (@BleepinComputer) July 31, 2018

Inside the Mind Of SamSam’s Creator

Security experts believe that SamSam is unique because of its creator(s). The hackers display a significant amount of attention to detail. They use tools that are designed to make both detection and tracking difficult if not impossible. For instance, if for whatever reason an attack fails, the attackers include a file that deletes all the oast actions of the code. This tool then self-destructs, removing all traces of the attempted attack. This makes it very difficult for network administrators to detect the attack.

Additionally, since SamSam is not designed to be a worm but is spread manually by the attacker, it is difficult to stop the attack once it has started. This is because the attacker is able to counter the response of the network, in case the system has security features that detect suspicious activity and attempt to stop the attack.

The hacker changes tactics to circumnavigate the security feature and is, more often than not, capable to successfully launch the malware.

Moreover, the attacker has been known to launch the attack at times when they see the target is not using the network. This is in an attempt to avoid detection and subsequent cessation of the effort. The attacker made sure to start encrypting the files either very late at night or early in the morning. This is true of victims across the world, indicating the hacker meticulously plans every stage of the attack. The hacker will typically keep up the offense for 16 hours, stopping to rest for eight.

The creator of SamSam continues to create new versions of the malware with the active version being the third iteration of the software. The perpetrators showcase growth with every release, making it increasingly harder to detect the attack.

“What is clear is that they have remained anonymous for over two and a half years and continue to show signs of their attacks becoming more sophisticated,” Sophos stated in its report. The firm further believes the constant growth and anonymity points to the attacker being one person. Also, they think the attacker is not a native English speaker.

While many of the reported cases of SamSam have come from government organizations, Sophos found that the private sector constituted about half of the target scope for the perpetrator. Public sector organizations were more likely to report the attack while private sector victims did not report the attacks. The victims were mostly from the U.S.; however, Canada, UK, UAE, and Australia, amongst others were affected.

The Crypto Connection

SamSam demands the ransom in bitcoin. Once the network is compromised and files encrypted, the victim can view a ransom note which includes the address to a webpage hosted on the dark web (payment website), the attacker’s Bitcoin (BTC) address, and the ransom amount. The ransom currently stands at 0.8 BTC per infected computer and seven BTC for complete decryption.

The attacker has consistently been increasing the amount demanded in his ransoms. The money is to be paid in seven days at which point the hacker demands an additional 0.5 BTC. The hacker creates a unique payment site for each victim and communicates with their victims directly to smooth out the decryption process once the ransom is paid. Curiously, the attacker will sometimes include apologies in the ransom notes.

Working with Neutrino, Sophos was able to identify 157 addresses that have received SamSam ransoms. There were also 89 addresses connected to the attack that did not receive any payments. The researchers also found that the addresses all originated from three different wallets. While prior estimates postulated that SamSam had netted $850,000 for its creators, Sophos and Neutrino have ascertained the actual number to be $5.9 million. They also state that the attacker makes about $300,000 a month from victims.

As of July 19, 2018, 233 victims have paid all or part of their ransoms. The most considerable amount paid by one victim stands at $64,000.

The researchers also found that the hackers use a number of methods to launder their profit. These include changing the bitcoin to privacy-centric altcoin Monero and the use of bitcoin tumbling and mixing services such as Helix and Bitmixer.

How Can You Prevent Yourself From Becoming a Victim?

While SamSam is debilitating once launched, it is surprisingly easy to prevent such a scenario. Taking simple security measures seriously goes a long way. Firstly, choosing a password that is not easy or simple provides immense protection at the point of entry. Brute forcing does not work if passwords are well constructed and difficult.

Secondly, Sophos recommends that organizations employ the Principle of Least Privilege (POLP). This protocol means giving users of a system the least amount of access they need to effectively perform their job. This reduces the chances that attackers are able to gain access from compromised admin accounts.

Third, it is vital for organizations to devote time and resources to monitor their networks in real-time with the aim of identifying and, if necessary, locking down unusual account activity quickly. To stay ready for such a scenario, organizations should also perform drills periodically.

Lastly, the security firm recommends a complete backup of the entire system to be stored offline and offsite as this is the best way to ensure an adequate restoration system.