{"id":12173,"date":"2018-05-01T09:10:04","date_gmt":"2018-05-01T17:10:04","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/05\/01\/news-5942\/"},"modified":"2018-05-01T09:10:04","modified_gmt":"2018-05-01T17:10:04","slug":"news-5942","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/05\/01\/news-5942\/","title":{"rendered":"SamSam ransomware: what you need to know"},"content":{"rendered":"

Credit to Author: Christopher Boyd| Date: Tue, 01 May 2018 15:54:54 +0000<\/strong><\/p>\n

SamSam ransomware is a custom infection used in targeted attacks, often deployed using a wide range of exploits or brute-force tactics.\u00a0Based on our own run-ins with the infection, we’ve observed that attacks were made on targets via vulnerable JBoss host servers<\/a>\u00a0during a previous wave of SamSam attacks in 2016 and 2017.<\/p>\n

In 2018, SamSam uses either vulnerabilities in remote desktop protocols (RDP), Java-based web servers, or file transfer protocol (FTP) servers to gain access to the victims\u2019 network or brute force against weak passwords to obtain an initial foothold. From there, the ransomware “fun and games” begin for the authors. For everyone else, it’s chaos.<\/p>\n

The ties that bind<\/h3>\n

A common thread tying all of these attacks together is the use of the word “sorry” in ransom notes, URLs, and even infected files. It’s made hundreds of thousands of dollars so far, and it’s caused no end of trouble in the US for cities like Atlanta<\/a>.<\/p>\n

Here’s what a typical ransom splash screen looks like:<\/p>\n

\"samsam<\/a><\/p>\n

The ransom note is quite interesting, giving the option of randomly-selected file encryption (if you don’t pay the full amount). They’ll also unlock one file for free as a token of trust that they will give your files back after payment. It reads as follows:<\/p>\n

\n

What happened to your files?
<\/strong><\/em>
All your files encrypted with RSA-2048 encryption, for more information search in Google “RSA encryption”<\/em><\/p>\n

How to recover files?<\/strong><\/em><\/p>\n

RSA is a asymmetric cryptographic algorithm, you need one key for encryption and one key for decryption so you need private key to recover your files. It’s not possible to recover your files without private key.<\/em><\/p>\n

How to get private key?<\/strong><\/em><\/p>\n

You can get your private key in 3 easy steps:<\/em>
1)<\/strong> You must send us 0.8 Bitcoin for each affected PC or 4.5 Bitcoins to receive all private keys for all affected PCs.<\/em>
2)<\/strong> After you send us 0.8 Bitcoin, leave a comment on our site with this detail: just write your host name in your comment<\/em>
3)<\/strong> We will reply to your comment with a decryption software, you should run it on your affected PC and all encrypted files will be recovered<\/em><\/p>\n

With buying the first key you will find that we are honest<\/em><\/p>\n<\/blockquote>\n

Ransomware authors rely on the victim viewing their odd code of “honesty” as important, or else nobody would dare to pay up.<\/p>\n

I should also mention, before we go any further, that we do protect against this specific threat, which we detect as Ransom.Samas<\/a>:<\/p>\n

\"SamSam<\/a><\/p>\n

The SamSam group have been making waves since late 2015,\u00a0causing trouble in 2016<\/a>, and starting to regularly increase the cost of their ransom<\/a> in 2017.\u00a0Colorado and Atlanta have both had run-ins with SamSam recently, as you may have seen from ongoing news coverage.<\/p>\n

One would think SamSam has been around long enough for organizations to be able to deal with it effectively, but it’s still here, and still locking up machines in targeted attacks.<\/p>\n

You can trace SamSam’s first2018 appearance in back to January. There’s “persistent” and then there’s SamSam.<\/p>\n

January: Sorry, not sorry<\/h3>\n

Hospitals, city municipalities, and many more from Indiana to New Mexico were all struck down by SamSam<\/a>\u00a0in varying degrees of severity. A hospital in Indiana, in particular, was reduced to working with pen and paper in stormy weather. They decided to pay the ransom<\/a> and get systems back up and running, given the cost of the fix was more than the ransom. This is an organization that had backups in place, unlike many other ransomware victims. All the same, by attacking a service offering life-saving treatment to patients, staff were left with few options.<\/p>\n

Though you’ll find conflicting advice on paying the ransom, and while appreciating that every case is different, we generally advise not to do it. By handing over the cash, you’re giving the green light to the hackers to carry on doing it. If it works the first time, why not the second or third?<\/p>\n

This is the already fraught situation healthcare professionals and departments responsible for day-to-day management of city services find themselves in as we head into February.<\/p>\n

February: Slow traffic blues<\/h3>\n

In February, the Colorado Department of Transportation had to shut down 2,000 (non critical) systems<\/a> as they, too, were hit by a SamSam outbreak. Bitcoin was once again what the hackers were after; the CDT decided that they weren’t going to pay up<\/a>, but restore their backups instead.<\/p>\n

March: Atlanta ransomware resurgent<\/h3>\n

All of the worst problems of SamSam effectively rolled into one large pile of misery for the city of Atlanta, who had a serious case of the SamSam blues:<\/p>\n

\n

The City of Atlanta is currently experiencing outages on various customer facing applications, including some that customers may use to pay bills or access court-related information. We will post any updates as we receive them. pic.twitter.com\/kc51rojhBl<\/a><\/p>\n

\u2014 City of Atlanta, GA (@Cityofatlanta) March 22, 2018<\/a><\/p>\n<\/blockquote>\n

https:\/\/platform.twitter.com\/widgets.js<\/a><\/p>\n

They were faced with the prospect of paying $6,800 per machine to unlock the encrypted files, or a cool $51,000 to recover everything across all compromised computers. As to how the attackers got in, one researcher noted a potential EternalBlue route:<\/p>\n

\n

C’mon @Cityofatlanta<\/a>… SMBv1 open on web.atlantaga[.]gov to the internet? Have we learned nothing!?#ransomware<\/a> #Atlanta<\/a> pic.twitter.com\/t35SalTcEE<\/a><\/p>\n

\u2014 Reggie (@Ring0x0) March 23, 2018<\/a><\/p>\n<\/blockquote>\n

https:\/\/platform.twitter.com\/widgets.js<\/a><\/p>\n

Regardless of the method used, the big problem here is that 10 days after initial infection, they were still struggling to get back to full strength, with no less than five out of 13 departments hit in the original malware blast. Just like the Indiana hospital staff were forced to use pen and paper, so too were law enforcement in Atlanta\u2014and they also lost some police records<\/a> in the bargain.<\/p>\n

Note that three city council staffers had to work on a “clunky personal laptop.” So now we’re introducing personal machines onto a network dealing with potentially sensitive data, already hammered by opportunistic malware infections. One hopes that the machine had at least been checked for infections or potential vulnerabilities, but it would be surprising if the already busy IT staff checked if the employee had installed all security patches.<\/p>\n

You could say the ransom was “only” $51,000\u2014except the ransomware authors pulled the payment page and left Atlanta carrying the can. Ultimately, the SamSam outbreak cost the city of Atlanta a terrifying $2.6 million dollars<\/a> to set a $50k infection right.<\/p>\n

It isn’t just fixing some computers. There’s everything from forensics and insurance to extra staff and crisis comms to consider. This is the very real cost of attempting to recover from an infection\u2014and that’s while trying to offer public-facing services<\/a> potentially impacted by the attack.<\/p>\n

Fighting ransomware<\/h3>\n

Ransomware may be experiencing a drop in popularity<\/a> but make no mistake\u2014the impact can be horrendous. As a reminder, here are some ways local governments and other organizations can fend off these attacks:<\/p>\n