Middle East region targeted in Samsam ransomware attack
Ransomware is universal and one of the greatest threats in cybersecurity currently. Extensive research by Sophos has uncovered a trove of new information on the notorious Samsam ransomware that has affected far more victims than previously thought, and raised vastly more in ransom demands — almost $6 million.
Most ransomware is spread in large, noisy and untargeted spam campaigns sent to thousands, or even hundreds of thousands, of people. They use simple techniques to infect victims and aim to raise money through large numbers of relatively small ransoms of perhaps a few hundred dollars each.
What sets Samsam apart from most other ransomware is its use in targeted attacks by a skilled team or individual, who breaks into a victim’s network, surveils it and then runs the malware manually.
The attacks are tailored to cause maximum damage and ransom demands are measured in the tens of thousands of dollars. The attack method is surprisingly manual, and more cat burglar than smash-and-grab.
As a result, the attacker can employ countermeasures (if needed), and is surprisingly adept at evading many security tools. If the process of encrypting data is interrupted, then the malware comprehensively deletes all trace of itself immediately, to hinder investigation.
Samsam is a particularly thorough encryption tool, rendering unusable not only work data files but also any program that isn’t essential to the operation of a Windows computer, most of which are not routinely backed up. Recovery may require reimaging and/or reinstalling software as well as restoring backups. The attacker is very good at covering their tracks and appears to be growing increasingly paranoid (or experienced) as time passes, gradually adding more security features into their tools and websites.
KEY FINDINGS
The basics
The Samsam ransomware first appeared in the wild in December 2015
Some victims reported a widespread ransomware event that significantly impacted operations of some large organisations, including hospitals, schools and cities
The attack details took some time to obtain because the attacker(s) responsible took great care to obfuscate their methods and delete any evidence that could be revealing
Many victims found that they could not recover sufficiently or quickly enough to ensure business continuity on their own, and reluctantly paid the ransom
The statistics
By tracking Bitcoin addresses supplied on ransom notes and sample files and by working with the firm Neutrino, Sophos has calculated that Samsam has earned its creator(s) more than $5.9 million since late 2015
Sophos has determined that 74 per cent of the known victims are based in the United States. Other regions known to have suffered attacks include Canada, the UK, and the Middle East
The Samsam attacker has received ransom payments as high as $64,000, based on analysis of ransom payments to the Bitcoin wallets tracked
Unlike most other ransomware, Samsam encrypts not only document files, images, and other personal or work data, but also configuration and data files required to run applications (e.g., Microsoft Office). Victims whose backup strategy only protects the user’s documents and files won’t be able to recover a machine without reimaging it first
Every subsequent attack shows a progression in sophistication and an increasing awareness of how to evade operational security