The threat actors behind the latest SamSam ransomware attacks have switched tactics and are now conducting highly targeted, company-wide attacks with the aim of infecting large numbers of devices.
Companies are researched in advance, and those judged most likely to pay the ransom are attacked. Instead of using spam and phishing emails to gain a foothold on individual devices, the threat actors break into the network directly, by exploiting vulnerabilities in exposed services and by brute forcing weak passwords, particularly on internet-facing Remote Desktop Protocol (RDP) endpoints.
Once inside, the attackers harvest credentials and use standard administration tools such as PsExec, together with batch scripts, to map the network and push the ransomware payload to selected systems.
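The two stages described above leave distinct traces in Windows event logs: a burst of failed RDP logons (Security event 4625, logon type 10) from one source address followed by a successful one (4624, logon type 10), and then the installation of the default PsExec service on each target host (System event 7045, service name PSEXESVC). The following detection logic is an added example, not code from Sophos or the article; the pipe-delimited records it runs over are constructed sample events, and the field layout, threshold and window are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs). One event per line:
# timestamp|event_id|logon_type|source_ip|account|service_name|image_path
# Security 4625 = failed logon, 4624 = successful logon (logon type 10 = RDP);
# System 7045 = new service installed. Fields that do not apply are empty.
SAMPLE_EVENTS = """\
2018-01-10T02:00:01|4625|10|203.0.113.7|administrator||
2018-01-10T02:00:02|4625|10|203.0.113.7|administrator||
2018-01-10T02:00:03|4625|10|203.0.113.7|administrator||
2018-01-10T02:00:04|4625|10|203.0.113.7|administrator||
2018-01-10T02:00:05|4625|10|203.0.113.7|administrator||
2018-01-10T02:00:06|4625|10|203.0.113.7|administrator||
2018-01-10T02:01:00|4624|10|203.0.113.7|administrator||
2018-01-10T02:01:30|4625|10|198.51.100.9|jsmith||
2018-01-10T02:01:31|4625|10|198.51.100.9|jsmith||
2018-01-10T02:01:40|4624|10|198.51.100.9|jsmith||
2018-01-10T02:05:30|7045||||PSEXESVC|%SystemRoot%\\PSEXESVC.exe
2018-01-10T02:06:00|7045||||CorpBackupAgent|C:\\Program Files\\Backup\\agent.exe
2018-01-10T03:00:00|4624|10|10.0.0.5|helpdesk||
"""

FIELDS = ("ts", "event_id", "logon_type", "source_ip",
          "account", "service_name", "image_path")


def parse_events(text):
    """Parse pipe-delimited event lines into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split("|", len(FIELDS) - 1)))
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag a source IP whose RDP (logon type 10) failures reach `threshold`
    within `window` and are then followed by an RDP success from the same IP.
    Returns a list of (source_ip, account, failure_count, success_time)."""
    failures = defaultdict(list)   # source_ip -> timestamps of 4625/type-10 events
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != "10":
            continue
        ip = ev["source_ip"]
        if ev["event_id"] == "4625":
            failures[ip].append(ev["ts"])
        elif ev["event_id"] == "4624":
            recent = [t for t in failures[ip] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append((ip, ev["account"], len(recent), ev["ts"]))
            failures[ip].clear()   # a success ends this attempt sequence
    return alerts


def detect_psexec_service(events):
    """Flag System 7045 events that install the default PsExec service.
    PsExec's -r switch lets an operator rename the service, so this is a
    cheap indicator rather than a complete control."""
    alerts = []
    for ev in events:
        if ev["event_id"] != "7045":
            continue
        name = ev["service_name"].upper()
        path = ev["image_path"].upper()
        if name == "PSEXESVC" or path.endswith("PSEXESVC.EXE"):
            alerts.append((ev["ts"], ev["service_name"], ev["image_path"]))
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for ip, acct, n, when in detect_rdp_bruteforce(evs):
        print(f"RDP brute force: {ip} -> {acct} after {n} failures, success at {when}")
    for when, name, path in detect_psexec_service(evs):
        print(f"PsExec service installed at {when}: {name} ({path})")
```

On the sample data only 203.0.113.7 trips the brute-force rule (six failures, then a success); the two failures from 198.51.100.9 stay below the threshold, and the helpdesk logon has no preceding failures. The second 7045 event is ignored because neither its name nor its path matches PsExec. In practice the threshold should be tuned to the environment, and the RDP rule is most useful when combined with a policy that RDP is never exposed to the internet in the first place.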
The aim of the attackers appears to be to infect as many critical business systems as possible to maximize disruption and the cost of mitigating the attack. The higher the cost of recovery, the more likely it is that the ransom will be paid.
Victims are given two options for paying the ransom – a bulk discount is offered for the keys to decrypt all infected devices, or victims can pay per host and just decrypt files on selected devices and systems.
An analysis of the attack tactics used in the SamSam ransomware campaigns was recently published by Sophos. In a related blog post, Paul Ducklin explained that the typical ransom demand is around $45,000 in Bitcoin, with the ransom adjusted to take the value of the cryptocurrency into account.
It is unclear why that figure has been chosen, although Ducklin suggests it may sit below certain reporting thresholds, or be small enough that payment does not require board approval. The amount appears to have been set to maximize profits for the attackers while remaining low enough that victims will pay. In most cases it will be considerably lower than the cost of recovering without the keys: the City of Atlanta ransomware attack has cost at least $2.6 million to resolve.
Many victims are choosing to pay the ransom. In most cases payment is made to decrypt all devices, although some companies have chosen to decrypt only certain hosts.
According to Cisco Talos, one of the Bitcoin wallets associated with SamSam had received 30.4 Bitcoin in January, and a second wallet had received 23 payments. In total, the attackers have been paid 68.1 Bitcoin, around $627,500 at the exchange rate at the time of writing.