SamSam Ransomware

A recent report by cyber security company Sophos has shed further light on SamSam – its evolution, the revenue it has generated and details of the attacker(s), who is yet to be identified. Key findings from Sophos include:

  • SamSam has earned more than $5.9m (£4.5m) from ransom payments since late 2015. The attacker’s revenue now averages around $300,000 (£250,000) per month.
  • Most of the known victims are based in the United States (74%), but other regions are known to have suffered attacks, including the UK (8%).
  • Medium to large public sector organisations in healthcare, education, and government account for about 50% of the total number of known victims, with the rest in unidentified parts of the private sector.
  • The ransom demands have increased considerably, and the tempo of attacks shows no sign of abating.
  • The attacker is thorough and consistent in covering their tracks and making analysis difficult.

Files

Bat:
6b21aec23a844e6a5af1879c41b9632a0e705bb7
713973f14ae8ff88a63a1491e82e48f362e3aed7
Runner:
3cbddf5f027b19e55366ecc0fd287f31379175a0 – z2.exe
Contains garbage code. Calls the decryption function from sdgasfse.dll.
a1ab74d2f06a542e77ea2c6d641aae4ed163a2da – mswinupdate.exe
Contains no garbage. Calls the decryption function from ClassLibrary1.dll
Dll:
138c3aae51e67db0c4134affae428fe91c0d1686 – sdgasfse.dll
4d7a60bd1fb3677a553f26d95430c107c8485129- ClassLibrary1.dll
Extension:
.weapologize
TOR site:
hxxp://jcmi5n4c3mvgtyt5[.]onion
BTC Wallet:
1HbJu2kL4xDNK1L9YUDkJnqh3yiC119YM2

The SamSam campaign operates differently from most ransomware threats. Most malicious actors perform mass distribution schemes to spread ransomware through email spamming or malware-infected adverts. In the case of SamSam, the attacker is patient, persistent and selective, targeting one victim at a time.

The best way for organisations to protect themselves against SamSam, and many other attacks, is to reduce their threat profile and not be an easy target in the first place.

Further details :

https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/samsam-ransomware-chooses-its-targets-carefully-wpna.aspx



Duncan is a technology professional with over 20 years experience of working in various IT roles. He also has a wide range of other skills in radio, electronics and telecommunications.

Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He also has a wide range of other skills in radio, electronics and telecommunications.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: