SamSam Ransomware Continues to Victimize Large Cities
SamSam ransomware has made a name for itself and is now regarded as a spiritual successor to the notorious WannaCry ransomware of 2017. It is very effective at pressuring victims into simply paying the ransom, because the encryption the malware uses is strong enough to lock users out of the files they themselves created. SamSam has enabled its authors to earn as much as $300,000 per month.
The latest big victim is the city of Atlanta, where 90% of the Department of Public Works’ PCs were rendered useless and dashcam video files were also encrypted by SamSam. Lance Bottoms, the mayor of the city, described it as a hostage-taking event: “We are dealing with a hostage situation.” SamSam encrypts the files and demands $50,000 worth of Bitcoin to decrypt them. The City of Atlanta has decided not to pay the ransom, but that is not a big loss for the developers of SamSam, who have already earned an estimated $6 million since the first version appeared in 2015.
Another big victim of SamSam is the Colorado Department of Transportation, with 2000+ infected PCs. Peter Mckenzie, Global Malware Escalation Manager at Sophos, expressed his concern about SamSam’s capability of infecting one major target per day. “This is controlled via a small group of people, it’s manually deployed on a victim’s network after they’ve hacked their way in, which is quite different to the majority of ransomware. They’re generally going for low-hanging fruit,” explained Mckenzie.
Jake Williams, founder of the cybersecurity firm Rendition Infosec, explained that SamSam rides on phishing emails and other social engineering. It does not include code that infects computers automatically; it needs users to run it first. “There’s no automation involved in it but what they do is old-school hacking. The ransomware itself isn’t very sophisticated but the technique they use to achieve maximum damage mimics what we see with some of our advanced threat adversaries.”
Mckenzie concluded: “Unlike some threat actors out there who talk about their exploits on dark web forums or even on Twitter, these people don’t do that. They don’t brag. They don’t post anything. They don’t seem to communicate with any other groups that we’ve been able to identify. They also don’t seem to do anything else; it seems SamSam is the full-time job for them. The skills have definitely improved. How they hide who they are, how they hide what their code is doing, making it harder to get hold of sample files is stuff they’ve been improving constantly. We can only assume the way they’re deploying the ransomware is going to become more efficient and more hidden.”
Sophos has studied the behavior of SamSam since early 2016, and that behavior keeps changing to maximize the number of major infection incidents. “SamSam is not new. It first appeared in early 2016, but frequently draws the security community’s attention. Its developers make great efforts to cover their tracks. In many cases, the initial infection vector of the attacks isn’t clear or some steps of the attack chain are missing. The attackers try to make analysis harder by deleting files involved in an attack, including the payload itself, and by changing the deployment methodology,” explained the Sophos report.
Julia Sowells
Julia Sowells is a technology and security professional. Over a decade in technology, she has worked on dozens of large-scale enterprise security projects, written technical articles, and worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she runs her own consulting firm as a security consultant while continuing to write for Hacker Combat in her limited spare time.