Ajit Sancheti
Inside a SamSam Ransomware Attack

Here's how hackers use network tools and stolen identities to turn a device-level compromise into an enterprise-level takedown.

Hospitals, municipal governments, and schools are bracing themselves, anxiously aware that they could be the next target of SamSam ransomware's ongoing campaign of destruction and extortion.

According to an updated warning issued by the US Department of Health and Human Services, a new variant of SamSam (also referred to as SamSa and Samas) has been deployed in more than eight unique cyberattacks in the United States so far in 2018. These include an industrial controls system (ICS), two hospitals, the City of Atlanta, and the Colorado Department of Transportation. Colorado DOT was attacked twice; it took six weeks, millions of dollars, and hundreds of cybersecurity specialists, including the FBI, to get the department (2,000 computers) back to 80% functionality. What would happen to organizations with fewer resources in the aftermath of a SamSam hit?

In the latest reported attack, an Indiana healthcare provider network discovered it had been compromised on May 17 and is now working with the FBI; it did not disclose whether it paid the ransom. Indeed, many public-sector victims decide it is better to concede to hacker demands immediately than to risk extended recovery time (not to mention complications). As dependency on real-time data and networked systems becomes the norm, recovery speed is critical. Ransomware exploits this vulnerability for straightforward financial gain.

SamSam and its variants, active since 2016, have evident commonalities; as more attacks are investigated, we have gained insight into their tactics. SamSam campaigns do not target the most lucrative enterprises. Instead, they extort organizations that have a near-zero tolerance for downtime: public-facing civil sector and healthcare organizations. The pressure is on when lives, physical health, critical infrastructure, and public safety are at risk. The longer it takes, the higher the stakes.

Assume Breach
While regular patching, security updates, and consistent monitoring can be effective defenses, let's assume the obvious: The perimeter will eventually be breached. SamSam attackers specialize in scanning for exploits and known vulnerabilities — public network protocols, in particular — when targeting a victim. An analysis of SamSam incidents suggests that the ransomware is "typically deployed after the threat actors have exploited known vulnerabilities on perimeter systems to gain access to a victim's network."

The hackers behind SamSam are sophisticated and appear to be learning more tricks as they go along. Their latest scheme is to spread thousands of copies of malware on a single network all at once and then demand "per computer" or "volume discount" ransom amounts to fix what they've broken.

Let's take a closer look at how ransomware attackers use network tools and stolen identities once they are inside the network to turn a device-level compromise into an enterprise-level takedown. According to the Verizon 2018 Data Breach Investigations Report, the use of stolen credentials is the No. 1 most common action attackers take during a successful breach. Privilege misuse is fourth on the list.

SamSam follows this playbook. It uses tools such as Mimikatz to steal valid user credentials and common IT management tools to move malware to new hosts. Attackers and their malware are increasingly reliant on Mimikatz and other common tools, such as PsExec — associated with everything from PoS malware to webshells — to spread through a network and do damage. Once hackers have compromised a set of privileged credentials, they use the stolen identity to access additional assets in the network. Next, attackers use legitimate administrator tools, such as PsExec or WMIexec, to remotely run code on additional machines.

Hacker Innovation
When it comes to stringing together vulnerabilities to avoid detection, prolong dwell time, and infect larger numbers of machines, hackers are innovative. For example, Remote Desktop Protocol (RDP), a standard Microsoft component, has been identified as a weak point that hackers seek because it provides an easy channel of attack. All they have to do is crack the password, and they are free to move laterally, execute malware, and encrypt data.

Likewise, hackers leverage vulnerabilities in Microsoft's Credential Security Support Provider (CredSSP) protocol, along with RDP and Distributed Computing Environment / Remote Procedure Call (DCE/RPC) application services, in much the same way. RDP is so handy that hackers have created databases containing the location and attributes of systems running RDP and sell the records to other bad actors.

These tools are hard to blacklist, let alone control. For example, Mimikatz relies on Windows NT LAN Manager (NTLM) for techniques such as pass-the-hash. The challenge for IT teams is that, by design, virtually any Windows protocol can be downgraded to NTLM. Tools like PsExec use a remote procedure call (RPC), which is also historically difficult to control inside most enterprises.

The good news is that innovations now make it possible for organizations to directly analyze these protocols, see abnormalities, and challenge them in real time. For example, suspicious internal traffic could trigger a multifactor authentication challenge the user has to pass before access is granted. By controlling these protocols, admins can disable the skeleton key tools that attackers use to steal identity and spread to new machines. It may not be possible to prevent every infection, but it's always better to catch them early and box them in. There's no reason to make it easy for the bad guys to take down the entire organization.
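The credential theft and PsExec-style lateral movement described above, and the real-time analysis this paragraph calls for, can be illustrated with a small detector. The following is an added example, not code from the original article or from Preempt; it runs over constructed, simplified Windows Security event lines (event 4624 network logons and event 7045 service installs; the field names and the sample values are assumptions) and flags one account fanning out over NTLM to many hosts, or installing the PSEXESVC service that PsExec leaves behind:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real telemetry: simplified Windows Security events,
# one per line as "<timestamp> <event id> key=value ...". 4624 = logon,
# 7045 = new service installed (PsExec installs a PSEXESVC service on its target).
SAMPLE_EVENTS = """\
2018-05-17T02:01:10 4624 host=FS01 user=jdoe logon_type=3 auth=NTLM src=10.0.5.23
2018-05-17T02:01:12 7045 host=FS01 user=jdoe service=PSEXESVC
2018-05-17T02:01:40 4624 host=FS02 user=jdoe logon_type=3 auth=NTLM src=10.0.5.23
2018-05-17T02:01:41 7045 host=FS02 user=jdoe service=PSEXESVC
2018-05-17T02:02:05 4624 host=DB01 user=jdoe logon_type=3 auth=NTLM src=10.0.5.23
2018-05-17T02:02:30 4624 host=WS44 user=jdoe logon_type=3 auth=NTLM src=10.0.5.23
2018-05-17T09:15:00 4624 host=FS01 user=asmith logon_type=3 auth=Kerberos src=10.0.7.8
2018-05-17T09:16:00 4624 host=FS02 user=asmith logon_type=3 auth=Kerberos src=10.0.7.8
"""

def parse_events(text):
    """Turn the sample lines into dicts with a parsed timestamp and event id."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue  # skip blank lines
        ts, eid, rest = line.split(" ", 2)
        ev = dict(kv.split("=", 1) for kv in rest.split())
        ev["ts"], ev["event_id"] = datetime.fromisoformat(ts), int(eid)
        events.append(ev)
    return events

def find_lateral_movement(events, window=timedelta(minutes=10), min_hosts=4):
    """Return (user, reason, hosts) alerts: NTLM network logons by one account
    reaching >= min_hosts distinct hosts within `window`, and PSEXESVC installs."""
    alerts = []
    ntlm, psexec = defaultdict(list), defaultdict(set)
    for e in events:
        if e["event_id"] == 4624 and e.get("logon_type") == "3" and e.get("auth") == "NTLM":
            ntlm[e["user"]].append(e)  # type 3 = network logon, the PsExec/SMB path
        elif e["event_id"] == 7045 and e.get("service") == "PSEXESVC":
            psexec[e["user"]].add(e["host"])
    for user, logons in ntlm.items():
        logons.sort(key=lambda e: e["ts"])
        for i, first in enumerate(logons):  # sliding window over sorted logons
            hosts = {e["host"] for e in logons[i:] if e["ts"] - first["ts"] <= window}
            if len(hosts) >= min_hosts:
                alerts.append((user, "ntlm_fan_out", sorted(hosts)))
                break
    for user, hosts in psexec.items():
        alerts.append((user, "psexec_service_install", sorted(hosts)))
    return alerts
```

Kerberos logons by asmith are left alone; jdoe's burst of NTLM logons to four hosts in under two minutes and the two PSEXESVC installs each raise an alert, which is the kind of signal that could gate a multifactor challenge.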

SamSam relies on known vulnerabilities. To defend your organization, don't forget security basics. Make sure patching and configuration are up to date. Keep passwords strong and change them often. Limit privileged accounts and use vulnerable protocols only when necessary. Segment networks to contain damage and ease recovery.

Most importantly, focus on what's happening inside your network in real time. Monitor and control access to legitimate credentials and network tools by detecting anomalous patterns and challenging abnormal use. That will make SamSam and its variants ineffective or, at a minimum, keep them from spreading like slime mold through your network.

Ajit Sancheti is CEO and co-founder of Preempt. He has over 20 years in IT security and executive leadership. Previously, he co-founded Mu Dynamics (acquired by Spirent Communications) and held various management roles. Before Mu Dynamics, Ajit was part of the corporate ...

Joe Stanganelli
User Rank: Ninja
6/23/2018 | 6:38:20 PM
@REISEN: Indeed, you raise an important point. Sometimes, security fails, and attacks transcend into BC/DR issues. Whether natural disasters or manmade, these are things you have to plan and account for. Consequently, it's not just a security-team failure; it's an IT-administration failure.
User Rank: Ninja
6/20/2018 | 3:58:51 PM
How many of us remember those three hallowed words from 25 years ago??? And yet nobody seems to do it right. Atlanta lost ALL DASHCAM VIDEOS, ALL OF THEM. So ANY failure would have killed the lot, not just a ransomware attack. Server failure, hard drive failure??? DOES anybody have an updated, TESTED restoration plan in place??? I think not. IT departments hate to test these as it is hard work and tough on schedules. BFD. It has to be tested, and for the simple reason that when it is NEEDED AT 2AM ..... well, the mind does not think straight at that hour, does it??? But still crashes don't happen, right??? And ransomware won't get into OUR SYSTEM, right????