Coveware: Ransomware Recovery First Responders


What Is SamSam Ransomware and How to Recover and Remove It [Guide]

SamSam ransomware is a narrowly distributed type of ransomware. It was first observed in 2016 and has since undergone three upgrades to the current V3 that circulates today. SamSam typically targets larger organizations and aims to cripple a company quickly and force it to pay a relatively large ransom.

SamSam gained notoriety through high profile attacks like the 2018 attack on the City of Atlanta, and the corresponding U.S. Department of Justice indictment of two Iranian nationals connected with the handling of bitcoin ransom payments. SamSam ransomware has been carefully tracked by Sophos. Unfortunately, no variant of SamSam is currently decryptable via commercial means or a free public decryptor tool.

What Are the Common Attack Vectors for SamSam Ransomware

Initially, SamSam hackers exploited vulnerabilities in JBoss servers to gain the privileges required to plant ransomware in the target company’s network. As their techniques evolved, they have increasingly relied on brute forcing Remote Desktop Protocol (RDP) endpoints.

RDP is commonly used by employees or service providers to access a network remotely. RDP access sidesteps endpoint protection, making lateral movement between endpoints, partitioned networks, and backup systems much easier to accomplish.

Once inside the network, the hacker uses other tools (such as mimikatz) to harvest administrative credentials and privileges. Those administrative privileges are then used to disable anti-virus, overcome two-factor authentication, wipe or encrypt backups, and plant ransomware executables in every pocket of the network.

How Does SamSam Ransomware Encrypt Files

SamSam does not have any viral component that causes it to spread automatically; it is manually controlled by the hackers, who detonate it inside the targeted company’s network. Unlike other types of ransomware that only encrypt database files or a file server drive, SamSam encrypts everything except the bare minimum necessary to boot the underlying machine. Data files are typically encrypted first, followed by applications.

This makes recovery agonizingly slow, as a restore from partial backups won’t produce a full recovery. The disk must first be fully re-imaged to bring the encrypted applications back, followed by incremental restoration of the encrypted files. SamSam generates a unique AES key and IV for each individual file and application that it encrypts.

Common SamSam File Extensions and the SamSam TOR Site

Recovering from SamSam ransomware by engaging the hackers is a daunting process. Recent SamSam file extensions include .stubbin, .berkshire, and .sophos, but SamSam is probably most recognizable by its unique ransom note (example below) and TOR site (further below). The payment terms are somewhat convoluted, and the TOR site is minimal in its layout and functionality.

How to Remove and Decrypt SamSam Ransomware

Victims who only want to decrypt a small selection of machines may pay ~0.8 BTC per encrypted machine. Alternatively, a victim may pay ~6 BTC to receive the keys to decrypt all encrypted machines.

In our experience, victims often pay for half (3 BTC) of the keys, which decrypt a predetermined subset of machines. After decrypting successfully and gaining confidence, the victim then pays for the second half of the keys to decrypt the remainder. In any case, a crude chat interface on the hackers’ TOR site is used to communicate with them:

Regulatory and Compliance Risk of Paying SamSam Ransomware

In November 2018, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the U.S. Department of Justice indicted two Iran-based individuals, Ali Khorashadizadeh and Mohammad Ghorbaniyan. The two were charged with exchanging bitcoin ransom payments derived from SamSam ransomware into Iranian rial and depositing the rial into Iranian banks.

By publishing wallet addresses on the OFAC list, the U.S. Treasury is taking an aggressive stance on compliance. Companies that transact with these wallets, or with future wallets published by OFAC, could be subject to secondary sanctions. Victims of SamSam need to ensure that the wallet address they pay is not on the OFAC sanctions list, and may need to monitor the address after they have paid to determine whether it later becomes linked to an OFAC-listed wallet.

How Do I Protect My Business from SamSam Ransomware?

To protect yourself from a SamSam attack, you must ensure that the main attack vectors used by SamSam ransomware are secured.

Two-factor authentication (2FA)

The vast majority of corporate ransomware attacks could be thwarted by enabling two-factor authentication on all administrative accounts, including remote access points. Given the new availability of free phishing kits that can bypass certain kinds of 2FA, it is important to use hardware U2F keys for mission-critical system access.

Lock down RDP

Brute forcing remote desktop services remains the preferred attack vector for SamSam ransomware, so limiting access and administrative privilege via RDP is important. Consider putting RDP behind a firewall, requiring a VPN to reach it, changing the default port, and allowing access only from a select whitelist of IP ranges. Also consider account lockout provisions to cut off brute force attempts. Together, these measures can mitigate the risk of compromise.
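The lockout provisions above only help if repeated RDP failures are actually noticed. As an added example (not Coveware’s code or tooling), the Python below flags brute-force sources from Windows Security failed-logon events (Event ID 4625 with LogonType 10, i.e. RemoteInteractive/RDP); the event records are constructed sample data, and the failure threshold and time window are assumptions a defender would tune to match their lockout policy.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, not real logs:
# (timestamp, EventID, LogonType, TargetUserName, IpAddress).
# 4625 = failed logon; LogonType 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    ("2018-12-01T02:00:01", 4625, 10, "administrator", "203.0.113.7"),
    ("2018-12-01T02:00:09", 4625, 10, "administrator", "203.0.113.7"),
    ("2018-12-01T02:00:17", 4625, 10, "admin", "203.0.113.7"),
    ("2018-12-01T02:00:25", 4625, 10, "backup", "203.0.113.7"),
    ("2018-12-01T02:00:33", 4625, 10, "backup", "203.0.113.7"),
    ("2018-12-01T02:00:41", 4625, 10, "root", "203.0.113.7"),
    # one mistyped password followed by success: normal, not flagged
    ("2018-12-01T02:03:00", 4625, 10, "jsmith", "198.51.100.20"),
    ("2018-12-01T02:03:12", 4624, 10, "jsmith", "198.51.100.20"),
    # LogonType 3 (network) failures are not RDP and are ignored here
    ("2018-12-01T02:05:00", 4625, 3, "svc_sql", "192.0.2.5"),
    ("2018-12-01T02:05:01", 4625, 3, "svc_sql", "192.0.2.5"),
    ("2018-12-01T02:05:02", 4625, 3, "svc_sql", "192.0.2.5"),
]

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs whose failed RDP logons reach `threshold` inside any
    sliding window of length `window` (assumed values; tune to match the
    account lockout policy). Returns {ip: {"failures": n, "accounts": [...]}}.
    """
    recent = defaultdict(deque)    # per-source failure timestamps in the window
    accounts = defaultdict(set)    # per-source account names attempted
    flagged = {}
    for ts, event_id, logon_type, account, src in sorted(events):
        if event_id != 4625 or logon_type != 10:
            continue               # only failed RDP (RemoteInteractive) logons
        now = datetime.fromisoformat(ts)
        q = recent[src]
        q.append(now)
        accounts[src].add(account)
        while now - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            hit = flagged.setdefault(src, {"failures": 0, "accounts": []})
            hit["failures"] = max(hit["failures"], len(q))
            hit["accounts"] = sorted(accounts[src])
    return flagged

if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{src}: {info['failures']} RDP failures, accounts: {', '.join(info['accounts'])}")
```

A flagged source that cycles through several privileged account names, as 203.0.113.7 does here, is the pattern worth feeding into the firewall whitelist and lockout review.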

Limit access

Using the principle of least privilege means granting users and admins the least amount of access needed for their job. If an employee does not need to install software, they should not have install privileges. Accounts used to manage critical services should not also have access to the backup services, control of endpoint security systems, or other critical services.

Backups

Besides protecting your business from a ransomware attack, it is critical to have adequate onsite and offsite backups and thorough Disaster Recovery (DR) and Incident Response (IR) plans. Backups should be properly partitioned and air-gapped from the primary network so that compromised credentials don’t leave them vulnerable to being wiped or encrypted.

Average SamSam Ransomware Downtime and Cost

On average, data recovery rates for SamSam ransomware are high. Unfortunately, the average ransom costs are also high. The decryption tool provided by the hackers is relatively efficient, and recovery times are relatively short compared to other types of ransomware. The TOR site, while crude, does aid communication and logistics. Given the logistics of communicating with SamSam hackers via the TOR site, and the breadth of data encrypted by SamSam ransomware, we encourage victims to contact us so that we may assist with your ransomware recovery.