ry on Safe Harbor Commentary on SamSam Ransomware Attack
Unlike other Ransomware, SamSam attempts to exploit key vulnerabilities in the targeted organization’s network instead of using widely disseminated spam methods to compromise the goals of other ransomware families.
Cybercriminals distribute thousands of highly ambiguous new copies to specific organizations.
Before Cisco Talos analysts noticed in January, Attackers used the new SamSam Ransomware Campaign to earn more than $300,000.
The attacker uses various vulnerabilities for specific organizations instead of using spam activities to access the victim’s network, and also uses brute force attacks to exploit weak passwords of the RDP protocol.
Once the attacker successfully obtains the target network, it uses the stolen credentials to find additional network access and manually deploys SamSam ransomware using specific tools such as PSEXEC and batch scripts.
SamSam Ransomware infection process points: SOPHOS
How SamSam Ransomware Works in a Damaged Network
Initially, it used a patch file that was responsible for executing malware and removing certain components to perform certain operations during the execution of SamSam ransomware.
Later it will execute a parameter to help decrypt the specific actual payload and execute it on the infected victim’s host.
According to Sophos analysts, a component called runner is responsible for decrypting and executing payloads. It is executed by a batch file with four parameters. The first is the decryption password, followed by a string that is part of the .onion site address. The runner is then provided with the total ransom amount and the price per moderator. It looks for a file with a .stubbin extension. If found, the runner reads the contents of the file and then deletes it. The data read will be decrypted in memory.
SamSam Ransomware Notes Points: SOPHOS
In addition, it uses two different components to increase the attack success rate. If the first attack is unsuccessful, the attacker initiates a new attack by modifying the version of the .exe file.
After the organizations successfully launched the attack, the address of the Bitcoin provided by the attacker received 30.4 BTC before January, and then entered another account. It received approximately 23 payments and the total revenue was 68.1 BTC.
The full amount of the full amount paid by most victims from the ransom amount will provide access to the entire infected host in the network. Some victims pay according to the moderator.
SamSam Ransomware newly evolved with improved sophisticated capabilities and carefully selected the specific organizations such as hospitals, schools, and government sectors those who most likely to pay the ransom amount to get their data back. Unlike other Ransomware, SamSam trying to exploiting the critical vulnerabilities in target organization network instead of using wide spreading Spam… Engaging post, Read More…
thumbnail courtesy of gbhackers.com
If you like to receive more of these curated safe harbor news alerts then subscribe to my mailing list. and come back soon at https://www.safeharboroncyber.com/Blog/ to read further CyberWisdom Safe Harbor Commentaries. Home » Curated SafeHarboronCyber’s CyberWisdom Post »