SamSam Ransomware Advisory & Summary

Dec 25, 2018

SamSam Ransomware Advisory & Summary Image

SamSam ransomware, also known as MSIL/SAMAS.A or SamsamCrypt is associated with a bad actor named GOLD LOWELL, or a group named Ransom.SamSam. This group prides itself on targeting specific organizations, infecting numerous machines and making SamSam appear like a legitimate process. This allows the SamSam infection to hide in plain sight and avoid triggering any alarms.

SamSam ransomware first appeared in the wild in 2015 and was rated as a low-profile risk. It is now considered a current threat and a high risk to your company. SamSam has been in the news often in 2018 having infected Allscripts, City of Atlanta, Colorado Dept. of Transportation, etc. There is an increasing number of SamSam attacks, and recommendations from Homeland Security, FBI, US-Cert, and others that organizations be on the alert and be vigilant in patching vulnerabilities and baselining their environment.

Often, a ransomware breach begins through a bad actor exploiting an unpatched vulnerability such as SMBv1 (Eternal Blue) or malicious email link or attachment.  In 2018, reported SamSam attacks targeted JBoss host servers, remote desktop protocols (RDP), Java-based web servers, and file transfer protocol (FTP) servers and others. The noted attacks attempted to gain access to victims’ network through brute force (against weak passwords). SamSam is manually deployed and monitored by the bad actor (someone on the other end of the keyboard). SamSam bad actors are performing due diligence and reconnaissance, in a low and slow manner, mapping out a company’s network and infrastructure and identifying vulnerabilities to exploit and how to pivot and spread throughout the network.

SamSam makes use of common system administration and penetration testing tools such as Mimikatz (credential harvesting) and Sysinternals (Microsoft) tools like PSexec (shell launching) and PSinfo (info gathering). Since SamSam is designed to leverage these conventional tools, alarms are not triggered by resulting tool use.

SamSam targets an organization’s valuable files (documents, data, etc.) and also the corresponding configuration files, such as for Microsoft Office.  In some SamSam infections, two different SamSam versions were installed to ensure that if one were detected by the AV or EDR the other would still be installed and able to be manipulated by the bad actor.

Known Samples or Examples

BAT/RansRun.A!tr MSIL/Generic.AP.64370!tr Ransom!tr W32/Agent.PCS!tr.spy W32/MSIL.FZK!tr W32/Samas.A!tr
BAT/Starter.B!tr MSIL/Generic.AP.70DAA!tr Ransomware.FDL!tr W32/Agent.SFI!tr W32/MSIL.FZL!tr W32/Samas.AB!tr
Generik.DHAHMQP!tr MSIL/Generic.AP.A8642!tr Ransomware.FHD!tr W32/Agent.XN!tr W32/MSIL.GJR!tr W32/Samas.AR!tr
Generik.FIXATIN!tr MSIL/Generic.AP.FC7CE!tr Ransomware.SAMAS!tr W32/DELETER.SEA!tr W32/MSIL.GWZ!tr W32/Samas.C!tr
MSIL/Agent!tr MSIL/Injector.JAX!tr Trojan.FLLL!tr W32/Deshacop.BMV!tr W32/MSIL.LGF!tr W32/Samas.F!tr
MSIL/Filecoder.AR!tr MSIL/KillFiles.Y!tr Trojan.FNEY!tr W32/Generic.A!tr W32/MSIL.LGG!tr W32/STUBDCRYP.A!tr
MSIL/Filecoder_Samas.A!tr MSIL/Kryptik.BV!tr Trojan.I!tr W32/Generik.BV!tr W32/RansmSam.A!tr W32/Tpyn.A!tr
MSIL/Filecoder_Samas.B!tr MSIL/Kryptik.BW!tr Trojan.O!tr W32/Generik.BW!tr W32/Ransom.DSR!tr W32/Tpyn.CHU!tr
MSIL/Generic.AP.11FED6!tr MSIL/Ransomware.FHD!tr Trojan.SAMAS!tr W32/Kryptik.BV W32/Ransom.EWU!tr W32/Tpyn.SAMAS!tr
MSIL/Generic.AP.5AC80!tr MSIL/Samas.B!tr W32/Agent.B!tr W32/Mimikatz.A!tr W32/RUNNER.GBB!tr

Mitigation & Recommendations

The protection measures below for SamSam and its variations aren’t new. However, with associated infections on the rise, organizations are at an increased risk. Preparing a ransomware response, culture, and implementing the necessary operational controls are highly recommended.

  1. Patch and manage your vulnerabilities: Update your software, devices, and applications, don’t procrastinate on critical and high-risk vulnerabilities.
  2. Develop and Monitor Your Baseline: Establish a baseline for the network, administrative traffic, and other activities and monitor for anomalies and deviations.
  3. Perform regular backups: Backing up critical data is vital; as one effective ransomware response is replacing compromised systems with clean replacements and not paying the ransom.
  4. Access Management: Use RBAC, separation of duties, least privilege as well as the incorporation of authentication controls (2FA, Tokens, SSO)
    • Regulate RDP use – if not needed, disallow it.
  5. Network Segmentation: Identify and isolate critical assets and devices and build in high availability, develop secure access channels.
  6. Endpoint & Network Detection: Signatures exist for SamSam and its variants and can be detected and mitigated.

We recommend reading other SamSam advisories and whitepapers by NCCIC, US-Cert, Sophos, Symantec, Malwarebytes, Fortinet, SecureWorks, SCMagazine, MSSPalert, to become more familiar with this threat.