SamSam ransomware now targets whole companies.
The latest version of SamSam ditches widespread spam for targeted, company-wide attacks. SamSam operators are now sending thousands of copies of the ransomware at once into individual organizations, each of which has been carefully selected. SamSam uses various vulnerability exploits rather than phishing and spam to gain access to a victim company's network. It also uses brute-force tactics against weak Remote Desktop Protocol passwords. After gaining a foothold, SamSam follows its known pathology, seeking out additional victims via network mapping and stealing credentials, a tactic that Cisco Talos analysts noticed back in January. Once the potential targets are discovered, the attackers manually deploy SamSam on the selected systems, using tools like PsExec and batch scripts.

After they've infected a target company and saturated it with the malware, the attackers offer a volume discount to clean all of those machines. The volume discount is about $45,000 worth of Bitcoin at current exchange rates. If companies don't want the volume discount, they can pay per host, restoring select machines by sending the specific host names to the operators.
As for how much the SamSam gang is making, Talos reported that a SamSam-affiliated Bitcoin wallet address had received 30.4 BTC in January. A second address, active from mid-January, had received 23 payments as of April. Between the two, the criminals have raked in a total income of 68.1 Bitcoin to date, which works out to about $632,199 at the latest exchange rate.

Taking recommended security measures like patching, segmenting the network, having backups in place and enforcing policy on privileged account access can all help protect against SamSam. Companies should take the time to build a ransomware plan, because the stakes are high. While they shouldn't pay the ransom, victims are sure to pay in one way or another.

The city of Atlanta, a recent SamSam victim, paid $2.7 million to security firms and consultants to help it get its machines and data back. The attack caused a complete shutdown for days of the Georgia capital's online systems, which support the police department, city courts, parts of the airport and more. Attackers wanted the city to pay $6,800 to unlock each computer, which came out to $51,000 for all of the needed keys. The city declined to pay. The event was costly, and some systems are still inaccessible, according to reports.
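Two of the SamSam tactics described above, RDP password brute forcing and lateral deployment with PsExec, leave characteristic traces in Windows event logs. The script below is an added defender's illustration, not code from the article or from Talos: it runs two simple detections over constructed sample records (Security 4625/4624 logons with LogonType 10 for RDP, System 7045 for new service installs). The event field names, hosts and IP addresses are assumptions made up for the sample.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log records (not real telemetry), flattened to dicts.
# Security 4625 = failed logon, 4624 = successful logon; LogonType 10 = RDP.
# System 7045 = new service installed; PsExec leaves one named PSEXESVC.
SAMPLE_EVENTS = [
    {"time": "2018-04-01T02:00:00", "host": "RDP-GW", "id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "admin"},
    {"time": "2018-04-01T02:00:05", "host": "RDP-GW", "id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "admin"},
    {"time": "2018-04-01T02:00:09", "host": "RDP-GW", "id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "administrator"},
    {"time": "2018-04-01T02:00:14", "host": "RDP-GW", "id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "backup"},
    {"time": "2018-04-01T02:00:20", "host": "RDP-GW", "id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "backup"},
    {"time": "2018-04-01T02:01:02", "host": "RDP-GW", "id": 4624, "logon_type": 10, "src": "203.0.113.7", "user": "backup"},
    {"time": "2018-04-01T08:15:00", "host": "RDP-GW", "id": 4625, "logon_type": 10, "src": "198.51.100.9", "user": "jsmith"},
    {"time": "2018-04-01T08:15:30", "host": "RDP-GW", "id": 4624, "logon_type": 10, "src": "198.51.100.9", "user": "jsmith"},
    {"time": "2018-04-01T02:30:00", "host": "FILE01", "id": 7045, "service": "PSEXESVC", "path": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2018-04-01T02:31:00", "host": "FILE02", "id": 7045, "service": "PSEXESVC", "path": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2018-04-01T09:00:00", "host": "FILE02", "id": 7045, "service": "Vendor Updater", "path": r"C:\Program Files\Vendor\svc.exe"},
]

def _ts(e):
    return datetime.fromisoformat(e["time"])

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Sources with >= threshold failed RDP logons inside a sliding window, plus
    whether the same source later logged on over RDP (a guessed weak password)."""
    rdp = sorted((e for e in events if e.get("logon_type") == 10), key=_ts)
    failures = defaultdict(list)  # src -> timestamps of recent 4625 events
    hits = {}
    for e in rdp:
        src = e["src"]
        if e["id"] == 4625:
            # keep only failures inside the window ending at this event
            failures[src] = [t for t in failures[src] if _ts(e) - t <= window] + [_ts(e)]
            if len(failures[src]) >= threshold:
                hit = hits.setdefault(src, {"failures": 0, "success": False})
                hit["failures"] = max(hit["failures"], len(failures[src]))
        elif e["id"] == 4624 and src in hits:
            hits[src]["success"] = True  # brute force followed by a working logon
    return hits

def detect_psexec_services(events):
    """Hosts where a 7045 service install names PSEXESVC, the PsExec artifact."""
    return sorted({e["host"] for e in events
                   if e["id"] == 7045 and e.get("service", "").upper().startswith("PSEXESVC")})

if __name__ == "__main__":
    print(detect_rdp_bruteforce(SAMPLE_EVENTS), detect_psexec_services(SAMPLE_EVENTS))
```

A single user failing once and then succeeding (the jsmith records) is left alone, while a burst of failures followed by success from one source is flagged together with every host that received a PSEXESVC service shortly after.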