SamSam: The (Almost) Six Million Dollar Malware, presented at SAINTCON Utah 2018

by Andrew Brandt

Summary: When news first started to break about a ransomware infection named SamSam, it focused on the high-profile victims, and not so much on the ransomware itself or its operations. Large organizations in the public, healthcare, and education sectors, like the City of Atlanta, Adams Memorial Hospital, or Mississippi Valley State University, released breach notifications and information about the ransomware attacks, including how much ransom they paid. In fact, those three sectors of the economy account for only 48% of all victims, fewer than half of the total. Other businesses in the private sector, by comparison, have not made any SamSam-related breach disclosures, though as a result of the research we will present in this talk, we know they comprise 52% of the victim organizations. SamSam came to our attention soon after its appearance. We quickly realized that the threat posed by this ransomware was compounded by the single-minded attention of an active attacker who fought hard to bypass multiple layers of network and endpoint security until they succeeded, and then waited until the wee hours in the victims' time zone to begin what turned into an expensive night for the victims. In this talk, we will discuss the stages of a SamSam attack, dissect the malware's quirky behavioral characteristics and evolution, and present our profile of a focused, determined, and slightly paranoid threat actor who learns from mistakes and increasingly builds opsec into each subsequent attack. To track the victims' assets, we engaged a third party that specializes in bitcoin tracking, and discovered a trove of cryptocurrency wallets which, in turn, led to still more victims.