Sophos whitepaper reveals SamSam ransomware


Ransomware is ubiquitous and currently one of the greatest threats in cybersecurity. Extensive research by Sophos has uncovered a trove of new information on the notorious SamSam ransomware, which has affected far more victims than previously thought and raised vastly more in ransom payments than expected – almost $6 million.

Most ransomware is spread in large, noisy and untargeted spam campaigns sent to thousands, or even hundreds of thousands, of people. These campaigns use simple techniques to infect victims and aim to raise money through large numbers of relatively small ransoms of perhaps a few hundred dollars each.

What sets SamSam apart from most other ransomware is its use in targeted attacks by a skilled team or individual, who breaks into a victim’s network, surveils it and then runs the malware manually. The attacks are tailored to cause maximum damage, and ransom demands are measured in the tens of thousands of dollars. The attack method is surprisingly manual, more cat burglar than smash-and-grab. As a result, the attacker can employ countermeasures if needed, and is surprisingly adept at evading many security tools. If the process of encrypting data is interrupted, the malware immediately and comprehensively deletes all trace of itself to hinder investigation.

SamSam is a particularly thorough encryption tool, rendering unusable not only work data files but also any program that isn’t essential to the operation of a Windows computer, most of which are not routinely backed up. Recovery may therefore require reimaging and/or reinstalling software as well as restoring backups. The attacker is very good at covering their tracks and appears to be growing increasingly paranoid (or experienced) as time passes, gradually adding more security features to their tools and websites.