The US Department of Homeland Security (DHS) and the FBI published a joint alert on the activity associated with the infamous SamSam ransomware.
In March 2018, computer systems in the City of Atlanta were infected by ransomware, the cyber attack was confirmed by the City officials.
The ransomware infection has caused the interruption of several city’s online services, including “various internal and customer-facing applications” used to pay bills or access court-related information.
One of the latest attacks hit the port of San Diego in September, the incident impacted the processing park permits and record requests, along with other operations.
In February, SamSam ransomware infected over 2,000 computers at the Colorado Department of Transportation (DOT), the DOT has shut down the infected workstations.
In August, Sophos security firm published a report the SamSam ransomware, its experts tracked Bitcoin addresses managed by the crime gang and discovered that crooks had extorted nearly $6 million from the victims since December 2015 when it appeared in the threat landscape.
“SamSam has earned its creator(s) more than US$5.9 Million since late 2015.
74% of the known victims are based in the United States. Other regions known to have
suffered attacks include Canada, the UK, and the Middle East.” reads the report published by Sophos.
“The largest ransom paid by an individual victim, so far, is valued at US$64,000, a
significantly large amount compared to most ransomware families.”
Sophos tracked the Bitcoin addresses reported in all the SamSam versions it has spotted and discovered that 233 victims paid an overall amount of $5.9 million, the security firm also estimated that the group is netting around $300,000 per month.
A few days ago, the U.S. DoJ charged two Iranian men, Faramarz Shahi Savandi (34) and Mohammad Mehdi Shah Mansouri (27), over their alleged role in creating and spreading the infamous SamSam ransomware.
According to the joint report, most of the victims were located in the United States.
“The SamSam actors targeted multiple industries, including some within critical infrastructure. Victims were located predominately in the United States, but also internationally.” reads the alert.
“Network-wide infections against organizations are far more likely to garner large ransom payments than infections of individual systems. Organizations that provide essential functions have a critical need to resume operations quickly and are more likely to pay larger ransoms.”
SamSam actors leverage vulnerabilities in Windows servers to gain persistent access to the target network and make lateral movements to infect other hosts on the network.
According to the report, attackers used the JexBoss Exploit Kit to compromise JBoss applications. Threat actors use Remote Desktop Protocol (RDP) to gain persistent access to victims’ networks, they use brute force attacks and stolen login credentials.
After obtaining access to the victim’s network, attackers escalate privileges then they drop and execute the malware.
“After gaining access to a particular network, the SamSam actors escalate privileges for administrator rights, drop malware onto the server, and run an executable file, all without victims’ action or authorization. While many ransomware campaigns rely on a victim completing an action, such as opening an email or visiting a compromised website, RDP allows cyber actors to infect victims with minimal detection.” continues the alert.
According to the experts, attackers used stolen RDP credentials that were bought from darknet marketplaces. and used in attacks within hours of purchasing the credentials.
The alert also technical details and the following recommendations to mitigate the threat: