Threat Intelligence Report: SamSam Ransomware

Date: 18th June 2019

Summary

“SamSam” is a ransomware strain used in targeted ransomware attacks. It has been used against a wide range of industries in the US, mainly critical infrastructure such as hospitals and healthcare companies. Last year, the SamSam attack crippled the city of Atlanta for days and cost American taxpayers close to $17 million. Organisations in the UK, Canada and the Middle East have also been targeted, and the largest ransom reported to have been paid is $64,000.

What distinguishes SamSam from ransomware that relies on phishing for delivery is that it uses Remote Desktop Protocol (RDP) to infect victims' networks without any user interaction.

SamSam has been around long enough that one might expect organisations to be able to deal with it efficiently, yet it is still being observed successfully infecting organisations in targeted attacks.

Conclusion

This threat is actively targeting organisations across the United States, United Kingdom, and Europe, giving relevance to many Invinsec customers.

The tactics and procedures have been modified over time to circumvent standard security practices, and notably this threat differs significantly from the bulk of ransomware because of active network exploitation as opposed to phishing with email delivery.

Good security hygiene, including regular vulnerability scanning followed by hardening of the exposed services it identifies, together with account hardening, will mitigate the risk from the tactics currently in use.

Tactics, Techniques and Procedures

The actors exploit Remote Desktop Protocol (RDP) on Windows servers to gain persistent access to a victim's network and then move laterally to infect all reachable hosts. They have additionally used the JexBoss Exploit Kit to access vulnerable JBoss applications. The initial RDP access is gained by brute forcing credentials.

After gaining access to a network, the SamSam actors escalate privileges to administrator rights and execute the malware on the server. While many ransomware campaigns rely on a victim completing an action (such as opening an email or visiting a compromised website), RDP discreetly allows the actors to infect victims without user interaction.
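As an added illustration (not part of the report), the Python below scans a constructed sample of exported Windows Security events for the entry pattern the report describes: a burst of failed RDP logons (Event ID 4625, logon type 10) from one source address, followed by a successful RDP logon (Event ID 4624) from that same source. The line format, the threshold and window, and the addresses and usernames are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of exported Security events (not real logs), one per line:
# timestamp  EventID  LogonType  TargetUserName  IpAddress
SAMPLE_EVENTS = """\
2019-06-18T01:00:05 4625 10 administrator 203.0.113.7
2019-06-18T01:00:06 4625 10 admin 203.0.113.7
2019-06-18T01:00:06 4625 10 sysadmin 203.0.113.7
2019-06-18T01:00:07 4625 10 backup 203.0.113.7
2019-06-18T01:00:08 4625 10 administrator 203.0.113.7
2019-06-18T01:00:09 4624 10 administrator 203.0.113.7
2019-06-18T01:05:00 4625 10 jsmith 198.51.100.4
2019-06-18T01:30:00 4624 10 jsmith 198.51.100.4
"""


def parse_events(text):
    """Turn the exported lines into (timestamp, event_id, logon_type, user, ip) tuples."""
    events = []
    for line in text.splitlines():
        ts, eid, ltype, user, ip = line.split()
        events.append((datetime.fromisoformat(ts), int(eid), int(ltype), user, ip))
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return alerts for sources reaching `threshold` failed RDP logons (type 10)
    inside `window`, and for any later successful RDP logon from such a source."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}                    # ip -> time it crossed the threshold
    alerts = []
    for ts, eid, ltype, user, ip in sorted(events):
        if ltype != 10:             # only RemoteInteractive (RDP) logons matter here
            continue
        if eid == 4625:
            recent = failures[ip]
            recent.append(ts)
            while recent and ts - recent[0] > window:   # slide the window forward
                recent.popleft()
            if len(recent) >= threshold and ip not in flagged:
                flagged[ip] = ts
                alerts.append(("bruteforce", ip, len(recent)))
        elif eid == 4624 and ip in flagged:
            # A success after a burst of failures is the strongest signal of all.
            alerts.append(("success_after_bruteforce", ip, user))
    return alerts
```

A single failure from 198.51.100.4 followed by a success is normal user behaviour and produces no alert; only the 203.0.113.7 burst and its subsequent success are reported.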

SamSam actors leave ransom notes on encrypted computers. These instructions direct victims to establish contact through a Tor hidden service site. After paying the ransom in Bitcoin and establishing contact, victims usually receive links to download cryptographic keys and tools to decrypt their network.

Ransomware sample note

Figure 2 shows what a typical ransom splash screen looks like.

Since its initial discovery there have been multiple variants of this ransomware, with different execution strategies and obfuscation techniques to hide it from anti-virus and other static analysis tools, but the core file encryption routine has not changed greatly.

The following tools are used by the threat group:

  • Mimikatz: A tool to extract passwords, hashes, PINs and Kerberos tickets from memory.
  • reGeorg: A reverse proxy / web shell script.
  • PsExec: Used to launch interactive command prompts on remote systems.
  • PsInfo: Used to gather information about local/remote systems.
  • PaExec: An alternative to PsExec.
  • RDPWrap: Allows console and remote RDP sessions at the same time.
  • NLBrute: An exploit tool for public-facing RDP instances.
  • Impacket: A collection of Python classes that enable security teams to work with network protocols.
  • CSVDE: An Active Directory tool used to import or export entries via the Lightweight Directory Access Protocol (LDAP).
  • PowerSploit: A collection of PowerShell scripts used for reconnaissance and persistence.

SamSam ransomware encrypts files with the following extensions (although the extension list may differ between variants of the ransomware):

“.jin”, “.xls”, “.xlsx”, “.pdf”, “.doc”, “.docx”, “.ppt”, “.pptx”, “.log”, “.txt”, “.gif”, “.png”, “.conf”, “.data”, “.dat”, “.dwg”, “.asp”, “.aspx”, “.html”, “.htm”, “.php”, “.jpg”, “.jsp”, “.js”, “.cnf”, “.cs”, “.vb”, “.vbs”, “.mdb”, “.mdf”, “.bak”, “.bkf”, “.java”, “.jar”, “.war”, “.pem”, “.pfx”, “.rtf”, “.pst”, “.dbx”, “.mp3”, “.mp4”, “.mpg”, “.bin”, “.nvram”, “.vmdk”, “.vmsd”, “.vmx”, “.vmxf”, “.vmsn”, “.vmem”, “.gz”, “.3dm”, “.3ds”, “.zip”, “.rar”, “.3fr”, “.3g2”, “.3gp”, “.3pr”, “.7z”, “.ab4”, “.accdb”, “.accde”, “.accdr”, “.accdt”, “.ach”, “.acr”, “.act”, “.adb”, “.ads”, “.agdl”, “.ai”, “.ait”, “.al”, “.apj”, “.arw”, “.asf”, “.asm”, “.asx”, “.avi”, “.awg”, “.back”, “.backup”, “.backupdb”, “.pbl”, “.bank”, “.bay”, “.bdb”, “.bgt”, “.bik”, “.bkp”, “.blend”, “.bpw”, “.c”, “.cdf”, “.cab”, “.chm”, “.cdr”, “.cdr3”, “.cdr4”, “.cdr5”, “.cdr6”, “.cdrw”, “.cdx”, “.ce1”, “.ce2”, “.cer”, “.cfp”, “.cgm”, “.cib”, “.class”, “.cls”, “.cmt”, “.cpi”, “.cpp”, “.cr2”, “.craw”, “.crt”, “.crw”, “.csh”, “.csl”, “.csv”, “.dac”, “.db”, “.db3”, “.dbf”, “.db-journal”, “.dc2”, “.dcr”, “.dcs”, “.ddd”, “.ddoc”, “.ddrw”, “.dds”, “.der”, “.des”, “.design”, “.dgc”, “.djvu”, “.dng”, “.dot”, “.docm”, “.dotm”, “.dotx”, “.drf”, “.drw”, “.dtd”, “.dxb”, “.dxf”, “.jse”, “.dxg”, “.eml”, “.eps”, “.erbsql”, “.erf”, “.exf”, “.fdb”, “.ffd”, “.fff”, “.fh”, “.fmb”, “.fhd”, “.fla”, “.flac”, “.flv”, “.fpx”, “.fxg”, “.gray”, “.grey”, “.gry”, “.h”, “.hbk”, “.hpp”, “.ibank”, “.ibd”, “.ibz”, “.idx”, “.iif”, “.iiq”, “.tib”, “.incpas”, “.indd”, “.jpe”, “.jpeg”, “.kc2”, “.kdbx”, “.kdc”, “.key”, “.kpdx”, “.lua”, “.m”, “.m4v”, “.max”, “.mdc”, “.mef”, “.mfw”, “.mmw”, “.moneywell”, “.mos”, “.mov”, “.mrw”, “.msg”, “.myd”, “.nd”, “.ndd”, “.nef”, “.nk2”, “.nop”, “.nrw”, “.ns2”, “.ns3”, “.ns4”, “.nsd”, “.nsf”, “.nsg”, “.nsh”, “.nwb”, “.nx2”, “.nxl”, “.nyf”, “.oab”, “.obj”, “.odb”, “.odc”, “.odf”, “.odg”, “.odm”, “.odp”, “.ods”, “.odt”, “.oil”, “.orf”, “.ost”, “.otg”, “.oth”, “.otp”, “.ots”, “.ott”, “.p12”, “.p7b”, 
“.p7c”, “.pab”, “.pages”, “.pas”, “.pat”, “.pcd”, “.pct”, “.pdb”, “.pdd”, “.pef”, “.pl”, “.plc”, “.pot”, “.potm”, “.potx”, “.ppam”, “.pps”, “.ppsm”, “.ppsx”, “.pptm”, “.prf”, “.ps”, “.psafe3”, “.psd”, “.pspimage”, “.ptx”, “.py”, “.qba”, “.qbb”, “.qbm”, “.qbr”, “.qbw”, “.qbx”, “.qby”, “.r3d”, “.raf”, “.rat”, “.raw”, “.rdb”, “.rm”, “.rw2”, “.rwl”, “.rwz”, “.s3db”, “.sas7bdat”, “.say”, “.sd0”, “.sda”, “.sdf”, “.sldm”, “.sldx”, “.sql”, “.sqlite”, “.sqlite3”, “.sqlitedb”, “.sr2”, “.srf”, “.srt”, “.srw”, “.st4”, “.st5”, “.st6”, “.st7”, “.st8”, “.std”, “.sti”, “.stw”, “.stx”, “.svg”, “.swf”, “.sxc”, “.sxd”, “.sxg”, “.sxi”, “.sxi”, “.sxm”, “.sxw”, “.tex”, “.tga”, “.thm”, “.tlg”, “.vob”, “.wallet”, “.wav”, “.wb2”, “.wmv”, “.wpd”, “.wps”, “.x11”, “.x3f”, “.xis”, “.xla”, “.xlam”, “.xlk”, “.xlm”, “.xlr”, “.xlsb”, “.xlsm”, “.xlt”, “.xltm”, “.xltx”, “.xlw”, “.ycbcra”, “.yuv”

Figure 3 – Different file extensions which can be encrypted by SamSam Ransomware.

Once the attacker is logged into the system, several files are dropped. The payload is stored encrypted inside an archive to avoid anti-virus detection.

A runner is used to open the .stubbin archive using command line arguments that include the attacker's decryption key. The decrypted contents are used to build the malware payload, which is obfuscated using DES encryption.

Figure 4 – File chain to produce malware

Once the first computer has been brute forced and infected, the malware will automatically propagate across the network to other systems. Once a network is breached by the attackers, it will infect all other computers and wait dormant until activated by the attackers.

Indicators of Compromise

File Type | MD5 | SHA-1 | SHA-256 | File Name
Win32 EXE | 222d7fde37ae344824a97087d473cdcd | 90205a2761ed7ac3b188230786ec2bebd30effba | 5d65ebdde1aef8f23114f95454287e7410965288f144d880ece2a2b8c3128645 | prelecturedexe.exe
Encrypted Archive | 9202651c295369eb01cc7a10cd59adff | ff2f511009b2813af9d12c6103206828560869db | 594b9b42a2d7ae71ef08795fca19d027135d86e82bc0d354d18bfd766ec2424c | ss2.stubbin
Win32 EXE | a14ea969014b1145382ffcd508d10156 | ff6aa732320d21697024994944cf66f7c553c9cd | 0f2c5c39494f15b7ee637ad5b6b5d00a3e2f407b4f27d140cd5a821ff08acfac | samsam.exe, 8.exe, a.exe
Win32 DLL | 76bd79f774ae892fd6a30b6463050a91 | 4d7a60bd1fb3677a553f26d95430c107c8485129 | 9b23bfc35b18ed80104c496b2aa722b3e56ff9ceb9dae60d1aff7230321c1d12 | ClassLibrary1.dll
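As an added example (not tooling from the report), the Python below sweeps a directory tree for the SHA-256 indicators in the table above and, as a weaker name-based signal, for the .stubbin extension of the encrypted payload archive. Only the SHA-256 column is used; the MD5 and SHA-1 values would be matched the same way. The scan root and the hit format are assumptions.

```python
import hashlib
from pathlib import Path

# SHA-256 values copied from the report's Indicators of Compromise table,
# mapped to the file name(s) the report associates with each hash.
SAMSAM_SHA256 = {
    "5d65ebdde1aef8f23114f95454287e7410965288f144d880ece2a2b8c3128645": "prelecturedexe.exe",
    "594b9b42a2d7ae71ef08795fca19d027135d86e82bc0d354d18bfd766ec2424c": "ss2.stubbin",
    "0f2c5c39494f15b7ee637ad5b6b5d00a3e2f407b4f27d140cd5a821ff08acfac": "samsam.exe / 8.exe / a.exe",
    "9b23bfc35b18ed80104c496b2aa722b3e56ff9ceb9dae60d1aff7230321c1d12": "ClassLibrary1.dll",
}

# Name-based indicator: the encrypted payload archive extension seen in the report.
SUSPICIOUS_EXTENSIONS = {".stubbin"}


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not have to be read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root, hashes=SAMSAM_SHA256, extensions=SUSPICIOUS_EXTENSIONS):
    """Walk `root` and return (path, reason) for each file whose SHA-256 is in
    `hashes` (strong match) or whose extension is in `extensions` (weak match)."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        digest = sha256_of(path)
        if digest in hashes:
            hits.append((str(path), "hash match: " + hashes[digest]))
        elif path.suffix.lower() in extensions:
            hits.append((str(path), "suspicious extension " + path.suffix))
    return hits


if __name__ == "__main__":
    import sys
    for hit in sweep(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*hit, sep="\t")
```

A hash match identifies the specific samples in the table only; a renamed or rebuilt variant will not match, so the extension check is kept as an extra, lower-confidence signal.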

Advice

Invinsec recommends the following activities:

  • Perform regular external vulnerability scanning to identify misconfigurations and verify that the subsequent steps remain in place
  • Disable unnecessary use of Remote Desktop Services on Windows hosts
  • Use Virtual Private Networks to internally administer hosts on remote networks and cloud services
  • Verify that perimeter firewalls and cloud services deny TCP/3389 inbound from the internet
  • Harden accounts by using:
    • strong passwords
    • account lockout policies
    • two-factor authentication
    • non-default administrator account names
  • Back up critical data regularly
  • Use up-to-date antivirus that employs dynamic file analysis
