This human-centered approach has proved successful, with the authors of SamSam ransomware collecting an estimated $6.5m over the course of almost three years. The attacks were more cat burglar in style – they strategically happened when victims were asleep, indicating that the attacker carries out reconnaissance on victims and carefully plans who, what, where and when attacks will happen. In these attacks, cybercriminals target weak entry points and brute-force Remote Desktop Protocol (RDP) passwords. Once in, they move laterally, working one step at a time to steal domain admin credentials, manipulate internal controls, disable back-ups and more to hand-deliver the ransomware. By the time most IT managers notice what’s happening, the damage is done. Other cybercriminals have taken note, and in 2019 we expect copycat attacks.
Based on Sophos’ research, we suspected this was a small group of people by the degree of operational security they employed. They were not braggarts or noisy on dark web forums as is typical of many amateurs. Some of the grammatical and punctuation tics Sophos saw may have been due to the threat actors’ not being native English speakers. Tehran’s time zone is GMT+3:30 and that may have been evident in the compile times of the malware samples we analyzed, and the threat actor’s “work hours” were consistent with this time zone. The Sophos SamSam report and 2019 Threat Report explain in detail how they operated with their attacks. Their TTP was unique and employed some very intriguing protection measures that evolved over time. Sadly, they have inspired a whole new generation of attacks that are using the same playbook against other large and mid-sized organizations. Sophos details immediate steps businesses need to take in its reports on SamSam and the SophosLabs 2019 Threat report, not only because these cybercriminals are still on the run, but because they have inspired others to follow in their footsteps.”
This goes to show that no amount of malicious code, covert operations and cryptocurrency puts a criminal beyond our ability to identify and bring forth charges for stealing and extorting money from innocent people. By identifying the Bitcoin wallets associated with this criminal activity they have essentially marked them as poison. Anyone who attempts to help launder those cryptocurrencies and assists in converting them to real money will be an accessory to the crimes alleged to have been committed.”