Secureworks Public Threat Analysis of SamSam Ransomware Campaigns


Secureworks' CTU researchers and Incident Response analysts have published a new report detailing their findings on the SamSam ransomware campaigns, which Secureworks attributes to the threat group it calls GOLD LOWELL. Secureworks has responded to multiple SamSam ransomware incidents in the past six months in which the criminals held to ransom the data not only of healthcare organisations but also of IT software companies, waste management businesses, academic organisations, transportation networks, business services firms and, most recently, leisure and entertainment businesses.

By analysing these incidents, Secureworks' researchers have uncovered many of the SamSam group's intentions, tactics and behaviours, including:

  • Linguistic errors in GOLD LOWELL's ransom notes and transaction communications suggest that the threat actors are probably not native English speakers, and CTU researchers assess that the SamSam ransomware activity is the work of either a single group or a collection of closely affiliated threat actors.
  • The GOLD LOWELL (SamSam) actors typically seek out vulnerable internet-facing systems and protocols (such as RDP) and exploit them to gain a foothold in a victim's network.
  • No honour amongst the SamSam thieves: Secureworks has observed the group increasing the decryption cost after a victim pays the initial ransom.
  • The latest GOLD LOWELL campaign, which began in late December 2017 and ran through mid-January 2018, generated at least USD 350,000 in revenue for the SamSam actors.
  • Once the SamSam actors have access, they use publicly available tools (such as Mimikatz) to steal high-value usernames and passwords, and leverage custom scripts to survey the network and deploy SamSam ransomware to as many systems as possible.
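
Of the behaviours listed above, the internet-facing RDP foothold is the one a defender can test for directly in the Windows Security log. The following is an added example written for this page, not code from Secureworks or from the report: it runs a simple detection over constructed sample events, flagging bursts of failed RDP logons (event 4625, LogonType 10) per source address, and successful RDP logons (event 4624, LogonType 10) that either come from outside the internal address ranges or follow such a burst. The hosts, accounts, addresses and timestamps are constructed, and the threshold and window are assumptions to be tuned for a real environment.

```python
"""Detection check for the RDP foothold phase: flag bursts of failed RDP
logons per source address, and successful RDP logons that come from outside
the internal ranges or follow such a burst.

Added example for this page, not code from Secureworks or the report. Event
IDs 4624 (logon), 4625 (failed logon) and LogonType 10 (RemoteInteractive,
i.e. RDP) are the real Windows Security log values; everything else below is
constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

FAIL_THRESHOLD = 5              # failures from one source before a burst is flagged (assumed)
WINDOW = timedelta(minutes=10)  # the failures must fall inside this window (assumed)

# Ranges treated as "inside": RFC 1918 plus loopback and link-local. A real
# deployment would add the organisation's own public ranges here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed Windows Security events. RFC 5737 documentation addresses
# (203.0.113.x, 198.51.100.x) stand in for internet sources.
SAMPLE_EVENTS = [
    # Six failed RDP logons from one internet address within half a minute ...
    *[{"time": f"2018-01-10T02:00:{sec:02d}", "event_id": 4625, "logon_type": 10,
       "account": acct, "source_ip": "203.0.113.45", "host": "WS01"}
      for sec, acct in zip(range(1, 32, 6),
                           ["administrator", "administrator", "admin", "backup",
                            "svc_backup", "svc_backup"])],
    # ... followed by a successful RDP logon from the same address.
    {"time": "2018-01-10T02:01:00", "event_id": 4624, "logon_type": 10,
     "account": "svc_backup", "source_ip": "203.0.113.45", "host": "WS01"},
    # Ordinary admin RDP from an internal address: one typo, then success.
    {"time": "2018-01-10T09:15:02", "event_id": 4625, "logon_type": 10,
     "account": "jsmith", "source_ip": "10.0.0.25", "host": "FS01"},
    {"time": "2018-01-10T09:15:20", "event_id": 4624, "logon_type": 10,
     "account": "jsmith", "source_ip": "10.0.0.25", "host": "FS01"},
    # A network (LogonType 3) logon is not RDP and is ignored by the check.
    {"time": "2018-01-10T09:16:00", "event_id": 4624, "logon_type": 3,
     "account": "jsmith", "source_ip": "10.0.0.25", "host": "FS01"},
    # A single successful RDP logon straight from the internet, no failures.
    {"time": "2018-01-10T11:42:10", "event_id": 4624, "logon_type": 10,
     "account": "administrator", "source_ip": "198.51.100.7", "host": "APP02"},
]


def is_external(ip):
    """True unless the address falls inside one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def has_failure_burst(failures, threshold, window):
    """True if at least `threshold` failures fall inside some `window`-long span."""
    times = sorted(parse_time(f["time"]) for f in failures)
    for i, start in enumerate(times):
        if sum(1 for t in times[i:] if t - start <= window) >= threshold:
            return True
    return False


def detect_rdp_foothold(events, fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Group RDP (LogonType 10) events by source address and return findings."""
    by_source = defaultdict(list)
    for e in events:
        if e["logon_type"] == 10:
            by_source[e["source_ip"]].append(e)

    findings = []
    for src, evs in by_source.items():
        external = is_external(src)
        failures = [e for e in evs if e["event_id"] == 4625]
        burst = has_failure_burst(failures, fail_threshold, window)
        if burst:
            findings.append({"type": "rdp_failed_logon_burst", "source_ip": src,
                             "failures": len(failures), "external": external})
        first_failure = min((parse_time(f["time"]) for f in failures), default=None)
        for s in (e for e in evs if e["event_id"] == 4624):
            reasons = []
            if external:
                reasons.append("external source")
            if burst and parse_time(s["time"]) >= first_failure:
                reasons.append("followed failed-logon burst")
            if reasons:  # internal, burst-free RDP logons produce no finding
                findings.append({"type": "rdp_logon", "source_ip": src,
                                 "account": s["account"], "host": s["host"],
                                 "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in detect_rdp_foothold(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample, the check produces three findings: a failed-logon burst from 203.0.113.45, the subsequent successful logon as svc_backup from that address, and the lone successful RDP logon from 198.51.100.7; the internal jsmith session produces nothing. In a real deployment the events would come from a SIEM query on event IDs 4624 and 4625 with LogonType 10, and the "external source" finding is itself the exposure to fix: RDP reachable from the internet is the condition the bullet describes.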

The full report is available from Secureworks.