SamSam – the ransomware that attacks while you sleep

  • admin
  • Sep 24, 2018

Ahead of our cybersecurity events in November this year, we wanted to share some information about a rise in specific ransomware and how you can protect yourself.

Ransomware and other malicious attacks continue to have a significant impact on organisations and individuals, and it is not limited to a particular area or industry.

According to CERT NZ, New Zealand-based organisations and individuals have suffered financial losses of around NZ$5.1 million so far in 2018. 

This is based on 736 incidents reported directly to CERT NZ as well as a number of other agencies.  

We’d like to highlight a particular risk, named SamSam.

SamSam is a ransomware family that is less common than some of the malicious attacks that have made the news more recently, but it has been around for a few years, and to date it has had a significant financial impact on the organisations it has targeted.

Sophos, one of our partners, provides a range of security solutions including firewall and endpoint security. Sophos has conducted research into this ransomware and released an updated report highlighting the way it operates and how you can stay protected. The report covers the anatomy of a SamSam attack and why it isn’t necessarily hard to defend against.

It highlights that SamSam attacks are relatively rare and not as well known as some of the other ransomware attacks that have made the news over the last few years. Unlike commodity ransomware spread by badly worded spam emails with an attachment, SamSam’s operators pick specific organisations and then compromise them manually, often by way of a weak, easily guessed password. So far SamSam is on its third major revision.

In November, Sean Richmond, Senior Technology Consultant at Sophos, will be at our Cyber Security events, where he will share how NOT to become a cyber crime statistic. He will explore the security situation that many organisations globally face on a daily basis and help you understand how threats propagate and what their impact is.

Key findings in the Sophos report

  • SamSam has earned its creator(s) more than US$5.9 Million since late 2015.
  • The attacker is careful in target selection and meticulous in attack preparation. SamSam waits for a time when most users and admins of the targeted organisation would be asleep before launching the encryption commands.
  • SamSam not only encrypts document files, images and other personal or work data, but also the configuration and data files required to run applications like Microsoft Office.
  • Every subsequent attack shows progression in sophistication.
  • The tempo of attacks is showing no slowdown, and the ransom victims are charged has increased dramatically.
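The "attacks while you sleep" finding suggests a simple defensive signal: one account rewriting many files across many directories in a short window outside business hours. The detector below is an added illustration, not code from Sophos or from the report; the audit events it runs over are constructed for the example, and the thresholds (a 5-minute window, 50 events, 5 directories, 07:00–19:00 as business hours) are assumptions you would tune to your own file servers.

```python
"""Off-hours bulk file-modification detector (added example, not Sophos code).

Flags a (host, user) pair that modifies many files in many directories within a
short window at a time when nobody should be working. Input events are tuples of
(ISO timestamp, host, user, path, operation), as you might export from a file
server audit log or an EDR product.
"""
import posixpath
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds; tune to the normal rhythm of your own environment.
BUSINESS_HOURS = (7, 19)          # 07:00-19:00 counts as "someone is awake"
WINDOW = timedelta(minutes=5)
MIN_EVENTS = 50
MIN_DIRS = 5
WRITE_OPS = {"WRITE", "RENAME", "DELETE"}


def is_off_hours(ts, business_hours=BUSINESS_HOURS):
    """Weekend, or a weekday outside the business-hours range."""
    start, end = business_hours
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def detect_bursts(events, window=WINDOW, min_events=MIN_EVENTS,
                  min_dirs=MIN_DIRS, business_hours=BUSINESS_HOURS):
    """Return one alert dict per off-hours burst that exceeds the thresholds."""
    by_actor = defaultdict(list)
    for ts, host, user, path, op in events:
        if op in WRITE_OPS:
            by_actor[(host, user)].append((datetime.fromisoformat(ts), path))

    alerts = []
    for (host, user), items in by_actor.items():
        items.sort()
        i = 0
        while i < len(items):
            start_ts = items[i][0]
            j = i
            while j < len(items) and items[j][0] - start_ts <= window:
                j += 1
            burst = items[i:j]
            dirs = {posixpath.dirname(p) for _, p in burst}
            if (is_off_hours(start_ts, business_hours)
                    and len(burst) >= min_events and len(dirs) >= min_dirs):
                alerts.append({
                    "host": host, "user": user,
                    "start": start_ts.isoformat(), "end": burst[-1][0].isoformat(),
                    "events": len(burst), "directories": len(dirs),
                })
                i = j          # do not re-alert on the same window
            else:
                i += 1
    return alerts


def build_sample_events():
    """Constructed sample: a 02:13 burst by a service account, plus daytime work."""
    events = []
    t0 = datetime(2018, 9, 20, 2, 13, 4)       # a Thursday, well before 07:00
    shares = ["finance", "hr", "legal", "eng", "sales", "ops", "exec", "it"]
    for n in range(64):
        ts = t0 + timedelta(seconds=3 * n)
        share = shares[n % len(shares)]
        events.append((ts.isoformat(), "FS01", "svc_backup",
                       f"/shares/{share}/doc{n}.docx", "WRITE"))
    t1 = datetime(2018, 9, 20, 10, 5, 0)       # ordinary daytime edits
    for n in range(20):
        ts = t1 + timedelta(seconds=30 * n)
        events.append((ts.isoformat(), "FS01", "alice",
                       f"/shares/finance/report{n}.xlsx", "WRITE"))
    return events


if __name__ == "__main__":
    for alert in detect_bursts(build_sample_events()):
        print(alert)
```

On the constructed data only the 02:13 service-account burst is reported; the daytime edits are ignored because they fall inside business hours and under the event threshold. In a real deployment the thresholds are the interesting part: set them from a week of your own audit logs so that backup jobs and scheduled tasks that legitimately run at night are known and excluded by account.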

Sophos (and organisations like CERT NZ) strongly recommend that you do not pay the attacker, as paying offers no guarantees and may encourage further attacks. It is important that you ensure your security is up to date.

Recommendations from the Sophos report

  • Follow a layered approach to security.
  • Follow best practice approaches to patching systems and network management.
  • Restrict administrative privileges of critical systems to as small a number of accounts as possible.
  • Close possible loopholes, like RDP ports open to the outside world.
  • Complete regular vulnerability scans and penetration tests across the network.
  • Endpoint protection, while crucial, shouldn’t be the first line of defense.
  • Improve your password policies. Encourage employees to use secure password managers, longer passphrases, and not to reuse passwords across multiple accounts.
  • Improve account access controls.
  • Educate staff about security risks by running regular phishing tests.
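The recommendation to close loopholes such as RDP ports open to the outside world is easy to state and easy to lose track of across a large rule base. The audit script below is an added example, not from the report or from Sophos: it walks a list of firewall rules (the rule format and the sample rules are constructed for the example) and reports any rule that allows inbound TCP 3389, or any port at all, from a source that is not one of the RFC 1918 private ranges.

```python
"""Find firewall rules that expose RDP to non-private sources (added example).

Each rule is a dict with the constructed keys: name, action, direction,
protocol, dest_port, source. dest_port may be a single port, a "lo-hi" range,
or "any"; source is an IPv4 CIDR.
"""
import ipaddress

RDP_PORT = 3389
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def source_is_internal(cidr):
    """True if the whole source range lies inside one RFC 1918 block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(p.version == net.version and net.subnet_of(p) for p in PRIVATE_NETS)


def port_matches(port_spec, port):
    """Match "3389", "3000-4000" or "any" against a port number."""
    spec = port_spec.strip().lower()
    if spec == "any":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def find_exposed_rdp(rules, port=RDP_PORT):
    """Return names of allow-inbound rules reaching the port from a non-private source."""
    findings = []
    for r in rules:
        if r["action"].lower() != "allow" or r["direction"].lower() != "inbound":
            continue
        if r["protocol"].lower() not in ("tcp", "any"):
            continue
        if not port_matches(r["dest_port"], port):
            continue
        if source_is_internal(r["source"]):
            continue
        findings.append(r["name"])
    return findings


# Constructed sample rule base; 203.0.113.0/24 is a documentation range.
SAMPLE_RULES = [
    {"name": "allow-any-rdp", "action": "allow", "direction": "inbound",
     "protocol": "tcp", "dest_port": "3389", "source": "0.0.0.0/0"},
    {"name": "allow-vpn-rdp", "action": "allow", "direction": "inbound",
     "protocol": "tcp", "dest_port": "3389", "source": "10.20.0.0/16"},
    {"name": "allow-web", "action": "allow", "direction": "inbound",
     "protocol": "tcp", "dest_port": "443", "source": "0.0.0.0/0"},
    {"name": "allow-all-from-partner", "action": "allow", "direction": "inbound",
     "protocol": "any", "dest_port": "any", "source": "203.0.113.0/24"},
    {"name": "deny-rdp", "action": "deny", "direction": "inbound",
     "protocol": "tcp", "dest_port": "3389", "source": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for name in find_exposed_rdp(SAMPLE_RULES):
        print("RDP reachable from outside via rule:", name)
```

The second finding, the "any port from a partner range" rule, is the kind that a search for the literal string 3389 misses; the fix in both cases is the same as the report's advice: remove the inbound allowance and reach RDP only over a VPN or a gateway that requires multi-factor authentication.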

You can download the Sophos report, SamSam: The Almost Six Million Dollar Ransomware, here. (Credit: Sophos.)

And if you have been affected by ransomware?

CERT NZ shares some important steps on what you can do if you have been affected. Click here to read more.

You can also report an issue here.