After SamSam, Ryuk Shows Targeted Ransomware is Still Evolving

upnorth

Jul 27, 2015
Last month the world learned that the FBI thinks it has identified the two people behind the notorious SamSam ransomware attacks.

SamSam, you may recall, gained notoriety for plundering ransoms from vulnerable targets like hospitals, and for devastating attacks like the one that embattled the City of Atlanta in early 2018. As with other targeted attacks, SamSam was deployed manually after its operators had broken into a vulnerable network via a poorly-protected RDP port. The SamSam gang’s methodical and patient attacks put them in a position to extort enormous ransoms, and helped them accrue almost $7 million since December 2015.

As you might expect, things have been a bit quiet from SamSam since the FBI’s indictment. The Iranian suspects are beyond the agency’s reach, but they have been identified, their operation has been compromised and, for the time being at least, activities have ceased. The unmasking followed a period of apparently diminishing returns for SamSam attacks. After the publication of extensive research by Sophos in August, SamSam’s monthly earnings began to decline, even while the frequency of attacks seemed to increase.

Now SamSam seems to have left the stage, but the brand of destructive, stealthy attacks it exemplified didn’t start with SamSam and they didn’t end with it either. In fact, while SamSam may have gained infamy, other kinds of targeted ransomware, like Dharma and BitPaymer, have been deployed more widely, and demanded higher ransoms. The threat of targeted ransomware is undimmed, and continues to evolve. In August 2018, just as SamSam’s influence began to diminish, a new strain of targeted ransomware appeared. Ryuk.

Ryuk, named after a character in the manga series Death Note, represents an evolution in ransomware that’s either learning from, building on, stealing from, or paying homage to the targeted malware that’s gone before. Targeted ransomware of all stripes seems to have converged on a method that, sadly, just works and Ryuk follows it too. The attackers:
  1. Enter the victim’s network via a weak RDP (Remote Desktop Protocol) password.
  2. Escalate their privileges until they’re an administrator.
  3. Use their privileged position to overcome security software.
  4. Spread their ransomware as widely as possible before encrypting the victim’s files.
  5. Leave notes demanding payment in return for decrypting the files.
  6. Wait for the victim to contact them via email.
Hackers using targeted ransomware work hard to achieve administrator access because it allows their software to cause so much damage – enough that many victims have no option but to pay five- or six-figure ransoms.

More information in Similar Threads.
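Step 1 of the attack chain listed above (entry through a guessed RDP password) leaves a recognisable trail in the Windows Security log. The following Python example is added here and is not code from the Sophos article or from the forum post; it runs over constructed 4625/4624 event records (the field layout and the sample addresses are assumptions) and flags a source that fails many RDP logons (LogonType 10) in a short window and then succeeds from the same address.

```python
"""Flag RDP password guessing that ends in a successful logon.

Added example (not from the Sophos article or the forum post). Input records
are constructed and simplified; real events carry many more fields.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, event_id, logon_type, user, source_ip)
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP)
SAMPLE_EVENTS = [
    ("2018-08-20T02:00:01", 4625, 10, "administrator", "203.0.113.7"),
    ("2018-08-20T02:00:03", 4625, 10, "admin", "203.0.113.7"),
    ("2018-08-20T02:00:05", 4625, 10, "backup", "203.0.113.7"),
    ("2018-08-20T02:00:06", 4625, 10, "scanner", "203.0.113.7"),
    ("2018-08-20T02:00:09", 4625, 10, "sysadmin", "203.0.113.7"),
    ("2018-08-20T02:00:12", 4624, 10, "sysadmin", "203.0.113.7"),
    ("2018-08-20T08:15:00", 4625, 10, "jsmith", "192.0.2.50"),   # single typo, benign
    ("2018-08-20T08:15:20", 4624, 10, "jsmith", "192.0.2.50"),
    ("2018-08-20T09:00:00", 4625, 2, "jsmith", "-"),            # local logon, not RDP
]


def detect_rdp_guessing(events, threshold=5, window=timedelta(minutes=5)):
    """Return (source_ip, first_failure_iso, success_user_or_None) for every
    source that reaches `threshold` failed RDP logons inside `window`."""
    failures = defaultdict(list)   # source_ip -> timestamps of recent failures
    alerts = {}                    # source_ip -> [first failure, user on success]
    for ts, event_id, logon_type, user, src in sorted(events):
        if logon_type != 10:       # only RDP (RemoteInteractive) logons matter here
            continue
        t = datetime.fromisoformat(ts)
        if event_id == 4625:
            recent = [f for f in failures[src] if t - f <= window] + [t]
            failures[src] = recent
            if len(recent) >= threshold and src not in alerts:
                alerts[src] = [recent[0], None]
        elif event_id == 4624 and src in alerts:
            # A success after a guessing burst is the weak-password break-in pattern
            alerts[src][1] = user
    return [(src, first.isoformat(), user) for src, (first, user) in alerts.items()]


if __name__ == "__main__":
    for src, first, user in detect_rdp_guessing(SAMPLE_EVENTS):
        print(f"{src}: guessing burst from {first}, later succeeded as {user!r}")
```

The benign single failure from 192.0.2.50 and the local LogonType 2 failure are ignored, so only the burst from 203.0.113.7 is reported.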

JM Safe

Apr 12, 2015
Ransomware nowadays is very, very popular as a threat, but with a good config it wouldn't be so hard to defeat it (with BB, HIPS, good signatures, etc.), otherwise with Anti-EXE or SRP. Pay attention also to JS files that can silently download ransomware.