
How is SamSam ransomware using a manual attack process?

Sophos researchers believe the SamSam ransomware campaign could be the work of one or a few threat actors using manual techniques. Learn how it works and whether recovery is possible.

SamSam ransomware has apparently earned its perpetrators almost $6 million, and the campaign's pace is picking up. Sophos researchers believed that SamSam is the work of a single person using manual techniques. What are the advantages of using a manual attack process instead of phishing?

Operational security is hard, and enterprises are acutely aware of that. Attackers may not appreciate its importance until they are visited by law enforcement, but one way for an attacker to improve operational security is to draw as little attention as possible to their activity, which minimizes the chance of being detected.

One way to do that is to avoid attacking indiscriminately: use a manual attack process as part of a targeted attack, including living off the land, that is, relying on tools already present in the victim's environment rather than dropping recognizable malware.

Two Iranian nationals were indicted in November 2018 for SamSam attacks on more than 200 victims, lending credence to the conjecture that a small group is behind the SamSam ransomware campaign.

The threat actors behind SamSam appear to use publicly available data from Shodan or Censys to identify victims, typically hosts with internet-exposed services, and they appear to understand the advantages of a manual attack process over phishing. Working manually lets them take the additional steps needed to make each attack succeed.

A manual attack also enables the attacker to adapt to the security controls in an environment: if brute-forcing a weak password doesn't work, an exploit for an unpatched vulnerability can be used instead to gain access. Once access is gained, the attackers can take specific steps to make the attack harder to investigate, such as removing evidence of the intrusion by deleting logs. They have even been reported to attempt to disrupt or delete backups in order to increase the likelihood that the victim pays the ransom.

Given the myriad ways that data can be backed up, it may be very difficult to automate that step effectively. Because a good backup is the most important element of recovery from ransomware, taking the extra manual step of disrupting backups increases the effectiveness of the attack.
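The hands-on sequence described in the two paragraphs above (password brute-forcing followed by a successful logon, log clearing, and backup tampering) is visible in Windows Security event logs if you correlate the right event IDs. The script below is an added example, not code from the article or from Sophos, that runs three such detections over a constructed, pipe-delimited sample of events. It assumes the usual Windows event IDs (4625 failed logon, 4624 successful logon, 1102 audit log cleared, 4688 process creation) and treats a `vssadmin delete shadows` or `wbadmin delete` command line as backup tampering; that command-line marker is a common ransomware behavior used here as an illustration, not a claim about SamSam's specific tooling.

```python
"""Correlate Windows Security events for the manual-intrusion pattern:
brute force -> success, log clearing, and backup tampering.

The sample events below are constructed for this example; they are not
real logs from any incident. Field layout: timestamp|event_id|src_ip|user|detail
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: one attacker (10.0.0.5) hammering an account, then
# succeeding, deleting shadow copies and clearing the log; plus benign noise.
SAMPLE_EVENTS = [
    "2018-11-01T02:00:01|4625|10.0.0.5|administrator|Logon failure: bad password",
    "2018-11-01T02:00:08|4625|10.0.0.5|administrator|Logon failure: bad password",
    "2018-11-01T02:00:15|4625|10.0.0.5|administrator|Logon failure: bad password",
    "2018-11-01T02:00:22|4625|10.0.0.5|administrator|Logon failure: bad password",
    "2018-11-01T02:00:30|4625|10.0.0.5|administrator|Logon failure: bad password",
    "2018-11-01T02:00:41|4625|10.0.0.5|administrator|Logon failure: bad password",
    "2018-11-01T02:01:30|4625|10.0.0.9|jsmith|Logon failure: bad password",
    "2018-11-01T02:02:00|4624|10.0.0.9|jsmith|Logon success, type 10",
    "2018-11-01T02:03:10|4624|10.0.0.5|administrator|Logon success, type 10",
    "2018-11-01T02:40:00|4688|-|administrator|C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet",
    "2018-11-01T02:41:00|1102|-|administrator|The audit log was cleared",
]

# Hypothetical marker list; extend for your environment's backup tooling.
BACKUP_TAMPER_MARKERS = ("vssadmin.exe delete shadows", "wbadmin delete")


def parse_events(lines):
    """Parse pipe-delimited records into dicts sorted by timestamp."""
    events = []
    for line in lines:
        ts, event_id, src, user, detail = line.split("|", 4)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "id": int(event_id),
            "src": src,
            "user": user,
            "detail": detail,
        })
    return sorted(events, key=lambda e: e["ts"])


def brute_force_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Flag a 4624 preceded, within `window`, by >= threshold 4625s from the same source.

    Returns a list of (src_ip, user, success_timestamp) tuples.
    """
    failures = defaultdict(list)  # src_ip -> timestamps of failed logons
    findings = []
    for e in events:
        if e["id"] == 4625:
            failures[e["src"]].append(e["ts"])
        elif e["id"] == 4624:
            recent = [t for t in failures[e["src"]] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                findings.append((e["src"], e["user"], e["ts"]))
    return findings


def log_clearing(events):
    """Event 1102 is written when the Security log is cleared; an attacker
    deleting logs cannot suppress this one without also stopping auditing."""
    return [e for e in events if e["id"] == 1102]


def backup_tampering(events):
    """Process-creation events whose command line matches a backup-deletion marker."""
    return [
        e for e in events
        if e["id"] == 4688
        and any(m in e["detail"].lower() for m in BACKUP_TAMPER_MARKERS)
    ]


def analyze(lines):
    """Run all three detections and summarize the findings."""
    events = parse_events(lines)
    return {
        "brute_force": brute_force_then_success(events),
        "log_clear_count": len(log_clearing(events)),
        "backup_tamper": [e["detail"] for e in backup_tampering(events)],
    }


if __name__ == "__main__":
    for name, value in analyze(SAMPLE_EVENTS).items():
        print(f"{name}: {value}")
```

The brute-force rule deliberately keys on the source address rather than the account, because a manual operator will often try several accounts from the same foothold; the benign user `jsmith` in the sample, who mistypes once and then logs in, does not trip the threshold. Note that a 1102 event only proves the log was cleared, not what was in it, which is why forwarding events off-host before the attacker can reach them matters more than any rule written over the local log.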

None of these advantages makes an attacker unstoppable, but together they make a targeted attack difficult for an enterprise to stop.
