In conjunction with the Cyber Threat Alliance, Sophos today released a detailed analysis of a highly sophisticated ransomware threat group that has been dubbed “SamSam.” As part of Fortinet’s membership with the Cyber Threat Alliance (CTA), FortiGuard Labs received all related indicators of compromise (IoCs) ahead of publication to ensure that FortiGuard customers are protected from this latest disclosure. The SamSam ransomware first appeared in late 2015 as a reasonably low-profile risk. Since then, however, it has aggressively expanded, targeting a wide range of organizations, from healthcare and educational institutions to local governments. Sophos has estimated that, to date, the group responsible for SamSam has extorted nearly six million dollars from its victims.
The SamSam targeted campaigns locked machines using a focused strategy of exploiting vulnerabilities and then methodically engaging in lateral movement across the network to identify targets. To evade detection, these attacks usually took place at a calculated time, often after business hours. The attackers would then conduct reconnaissance, infiltrate targeted devices, and lie dormant until they deemed environmental variables to be ideal for an attack. At that point, SamSam would attack all identified systems at once, making it more challenging to isolate compromised devices.
The SamSam attackers use a combination of known tools, such as the pen testing and post-exploitation tool Mimikatz to harvest credentials, and PSexec to move laterally across the organization where the SamSam malware is then manually installed. This technique is especially effective since it does not usually trigger any alarms since security devices generally recognize such traffic as being legitimate commands coming from someone within the organization. And since the attackers install the SamSam ransomware manually, that process also doesn’t usually trigger any unwanted attention by system or network administrators, or many AV and IPS defenses. Most concerning is that not only are valuable files targeted (documents, data, etc.) but configuration files like those in Microsoft Office were also attacked to create total disruption.
Defending Your Organization from SamSam and other Ransomware
Ransomware is notoriously effective at disrupting an organization, often forcing fully digital businesses, including financial institutions and healthcare facilities, to resort to managing complex transactions using pencil and paper. Since many organizations measure downtime in the tens or hundreds of thousands of dollars, the need to restore operations often leads an organization to pay exorbitant ransoms to unlock devices and networks. However, there is never any guarantee that paying a ransom will provide the keys necessary to unlock systems, nor that compromised systems don't remain compromised so that the criminals can repeat such an attack.
The best response to ransomware such as SamSam is to prepare.
Aggressively Patch and Update Devices, Software, and Applications
Most ransomware breaches begin by exploiting unpatched vulnerabilities. And far too often, these are often vulnerabilities for which a patch has been available for weeks, months, or even years. Organizations need to inventory their existing hardware, software, and applications, prioritize their vulnerabilities and risks, and then implement a regular process to administer all necessary patches and updates. Ignoring this security best practice leaves organizations susceptible to attacks such as SamSam even when they use unsophisticated and basic cyberattacks to initiate a network breach.
Deploy Access Management and Internal Segmentation Solutions
To limit compromise as well as the spread of threats, organizations need to employ strong access management combined with secure network segmentation to isolate devices and data to ensure that even those who have privileged access to the broader network cannot see and compromise devices. Access management needs to specifically authenticate those users and applications seeking to access sensitive information or update software using such things as two-factor identification and token management, single sign-on, and even biometrics. Network segmentation can also provide separate, secured access channels for things like device and system administration.
Baseline Management Traffic
Because of the growing trend of malware to use common pen testing and administration tools to load malware and compromise devices, it is critical that you baseline all of your administrative traffic and activities. This allows your behavioral analytics system to quickly identify and alert on unexpected or unusual administrative events such as device configuration.
Backup Your Data
Rather than paying a ransom, one effective response is to replace compromised operating systems, software, and applications with clean backed-up versions. This solution requires several steps. First, backups need to happen regularly to close the gap between the time a compromise is detected and the last clean backup. Backups need to be scanned looking for malware and other anomalies. You don’t want to restore a compromised device using a backup that includes that same infection. Finally, administrators need to store these backups off-network, so they don't become corrupted or unavailable during or after an attack.
Solutions and Protections
FortiGuard Labs has analyzed all of the IoCs for SamSam outlined in the Sophos blog, and is pleased to report that AV protections are in place for all known samples:
Also, all associated URI’s related to this attack have been blacklisted by FortiGuard Labs Webfiltering.