1(630)802-8605 Ravi.das@bn-inc.net

OK, I realize that it has been about a week and a half since I last blogged, but there is a reason:  I was in the hospital.  Just got out Friday, and finally getting back into the swing of things today.  During my hospital stay, I didn’t have my laptop with me or an Internet connection to keep tabs on what is happening in the Cyber security world.  So, I am behind, but will get caught up here.

Anyways, as I was scouring the headlines, I came across an interesting article on the SamSam Ransomware.  I think I have written about the topic of Ransomware before, but essentially, this is a piece of malware that not only affects the victim’s computer, but literally locks up the screen and all files until a ransom is paid up.  This is usually demanded by payment via a virtual currency, such as Bitcoin.

One of the main reasons why the Cyber attacker chooses this medium of payment is so that they cannot be tracked down, which would be the case if traditional currency was used.  So, the headline that captivated my attention was that this particular malware has hit a total ransom payment thus far of well over $6 million.  WOW.  This has made it the most lucrative Ransomware to date.

The SamSam Ransomware is not a new one; it has been around since 2015.  But it has captured the headlines not only with its staggering ransom payout, but it has hit some big name targets that include the following:

  • The Colorado Department of Transportation;
  • Other leading healthcare organizations.

With this portfolio of victims, and at least one new one being added every day, it has now been listed as a Top 10 Malware.  Just how exactly did it make it to the top like this?  Well, according to Cyber security researchers at Sophos Labs, the group behind these attacks is very patient in what they do.

Meaning, they take the time needed and more to carefully select their targets, study them, and then launch the Cyber attack when the targets least expect it.  In a way, this is very similar to Spear Phishing attacks, a topic which I have also written about before.

In fact, the technique that they use even has a fancy name to it:  It is known as the “Spray and Pray Method”.  This techno jargon simply means that the Cyber attack group behind this malware is trying to specifically determine a vulnerability in order to gain entry.  From there, they then spend about a day inside the victim’s system to get the groundwork set up.

In fact, the SamSam Ransomware has also been dubbed a “labor intensive” malware, in that the Cyber attackers take their time to not only “defang” a victim’s network defenses, but also to ensure that the victims cannot use their backups to help with recovery.

The Cyber security researchers at Sophos Labs have also determined that a majority of the victims (74%) reside in the United States, with the remaining victims coming from Canada, the Middle East, and the United Kingdom.

The specific victims have been government agencies, educational institutions, and healthcare organizations.  But only 37% of the victims have actually publicly disclosed that they have been hit by SamSam.

But, you may be wondering at this point, how does the exact attack methodology work?  Although one can only hypothesize for now, here is what the Cyber security researchers do know:

* The Cyber attackers scan the Internet for a victim with specific vulnerabilities, or they make use of the Remote Desktop Protocol (RDP) and software like NLBrute to break weak passwords.

* The attacks are timed to take place during non-working hours, when the victims are not at their computers.

* The Cyber attackers then use a set of specialized tools to gain administrative privileges.  From there, the network is scanned for valuable targets, and the malware is deployed and executed by making use of tools like PsExec or PaExec.
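Seen from the defender's side, the first two steps above leave a recognizable trail in the Windows Security log: a burst of failed RDP logons from one source address, then a successful logon from that same address, frequently outside working hours.  The script below is an added example written for this post, not code from the blog author or from Sophos.  It assumes the standard Windows event IDs (4625 = failed logon, 4624 = successful logon) and logon type 10 for RDP; the CSV layout, the sample log lines, the five-failure threshold, the ten-minute window and the 08:00 to 17:59 business-hours range are all constructed for the illustration.

```python
"""Flag RDP password guessing that ends in a successful logon.

Added example, not from the blog post or from Sophos. It assumes Windows
Security log semantics: event 4625 = failed logon, 4624 = successful logon,
logon type 10 = RemoteInteractive (RDP). The thresholds, business hours and
the CSV layout are this example's own choices.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, CSV: timestamp,event_id,logon_type,user,source_ip
SAMPLE_LOG = """\
2018-08-01T01:00:00,4625,10,admin,192.0.2.9
2018-08-01T01:00:01,4625,10,admin,192.0.2.9
2018-08-01T01:00:02,4625,10,admin,192.0.2.9
2018-08-01T01:00:03,4625,10,admin,192.0.2.9
2018-08-01T01:00:04,4625,10,admin,192.0.2.9
2018-08-01T01:00:05,4625,10,admin,192.0.2.9
2018-08-01T03:00:00,4624,10,admin,192.0.2.9
2018-08-01T02:10:05,4625,10,administrator,203.0.113.7
2018-08-01T02:10:06,4625,10,administrator,203.0.113.7
2018-08-01T02:10:07,4625,10,administrator,203.0.113.7
2018-08-01T02:10:08,4625,10,administrator,203.0.113.7
2018-08-01T02:10:09,4625,10,administrator,203.0.113.7
2018-08-01T02:10:10,4625,10,administrator,203.0.113.7
2018-08-01T02:10:11,4624,10,administrator,203.0.113.7
2018-08-01T09:14:50,4625,10,jsmith,198.51.100.20
2018-08-01T09:14:55,4625,10,jsmith,198.51.100.20
2018-08-01T09:15:00,4624,10,jsmith,198.51.100.20
2018-08-01T09:20:00,4624,2,svc_backup,198.51.100.20
"""

FAILURE_THRESHOLD = 5            # assumed: failures from one IP that count as guessing
WINDOW = timedelta(minutes=10)   # assumed: failures older than this are forgotten
BUSINESS_HOURS = range(8, 18)    # assumed: 08:00-17:59 Mon-Fri is "working hours"


def parse_events(text):
    """Turn the CSV lines into dicts with a real datetime, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, user, ip = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "user": user,
            "ip": ip,
        })
    # the sample is deliberately out of order; the detector needs time order
    return sorted(events, key=lambda e: e["ts"])


def is_off_hours(ts):
    """True on weekends or outside BUSINESS_HOURS (the post's 'non-working hours')."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def find_rdp_brute_force(events):
    """Return one alert per RDP success that was preceded by at least
    FAILURE_THRESHOLD failures from the same source IP inside WINDOW."""
    recent_failures = defaultdict(list)   # source IP -> timestamps of failed RDP logons
    alerts = []
    for e in events:
        if e["logon_type"] != 10:         # only RDP (RemoteInteractive) logons matter here
            continue
        ip = e["ip"]
        # forget failures that have fallen out of the sliding window
        recent_failures[ip] = [t for t in recent_failures[ip] if e["ts"] - t <= WINDOW]
        if e["event_id"] == 4625:
            recent_failures[ip].append(e["ts"])
        elif e["event_id"] == 4624:
            if len(recent_failures[ip]) >= FAILURE_THRESHOLD:
                alerts.append({
                    "ip": ip,
                    "user": e["user"],
                    "failures": len(recent_failures[ip]),
                    "success_at": e["ts"],
                    "off_hours": is_off_hours(e["ts"]),
                })
            recent_failures[ip].clear()   # a success ends the guessing run
    return alerts


if __name__ == "__main__":
    for a in find_rdp_brute_force(parse_events(SAMPLE_LOG)):
        print(f"{a['success_at']} {a['ip']} -> {a['user']}: "
              f"{a['failures']} failures then success, off_hours={a['off_hours']}")
```

Run as-is, it reports exactly one alert: the 203.0.113.7 run at 02:10 on a Wednesday, six failures then a success, flagged as off-hours.  The 192.0.2.9 run is not reported because its six failures happened two hours before the success, outside the sliding window, and the two mistyped passwords from jsmith during the working day fall under the threshold.  In a real deployment the CSV would be replaced by the Security log or a SIEM export, and the off-hours flag would feed the priority of the alert rather than its existence, since a legitimate administrator can also log in at night.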

Other interesting tidbits about the group leading the SamSam Ransomware attack:

* The Cyber attackers only select a few targets; thus they are able to spend a great deal of time working around any defenses that are in place;

* Since so much time is spent in launching the attack, the Cyber attackers do not give up until they are paid the ransom;

* The Cyber attackers then wait to be contacted by the victim via email in order to set up the payment details for the ransom.

My thoughts?  It is interesting to note that the group behind the SamSam Ransomware is actually an honest group of infiltrators; meaning once the money is paid up, they actually do send to the victim the decryption keys in order to unlock their computers and associated files.

This is a far cry from other types of Ransomware attacks, in which the Cyber attacker simply vanishes after being paid up.

But take note here:  This does not mean that you should ever pay a Cyber attacker if you have become a victim of Ransomware.  My mantra is to never pay up, as tempting as it might be.

You can always restore back to normal operations provided that you do have backups in place at a safe, secure, and undisclosed location.  By paying a Cyber attacker, you are only feeding more into their ego of launching more attacks.

It has also been concluded that the group behind the SamSam Ransomware attacks has very sophisticated skills – like those of an advanced Penetration Tester.  We are not talking about “nation state threat actors” here.  These guys have the tools and the knowledge to do what they do very covertly.

Finally, this only proves that the days of mass, general Cyber attacks are coming to an end.  Meaning, the new trend for the Cyber attacker is to carefully select and handpick their targets, and study them at great length in order to find their weakest points and vulnerabilities.

Then, once all is ready, the Cyber attacker will ensnare their victims, in a manner much like how a King Cobra goes after its prey in the jungle.