Secureworks‘ CTU researchers and Incident Response analysts have just published a new report detailing its findings about the SamSam Ransomware threat campaigns (which Secureworks calls GOLD LOWELL). Secureworks has responded to multiple SamSam ransomware incidents in the past six months whereby the cyber criminals have not just hijacked the data of healthcare organisations, but that of IT Software companies, Waste Management Businesses, Academic Organisations, Transportation Networks, Business Services Firms, and most recently Leisure and Entertainment Businesses.
By analysing these incidents, Secureworks’ team members have uncovered many of the SamSam group’s intentions, tactics and behaviours including:
- From reviewing linguistic errors in GOLD LOWELL’s ransom notes and transaction communications suggest that the threat actors are probably not native English speakers, and the CTU believes the SamSam Ransomware threat group is either a single group or a collection of closely affiliated threat actors.
- The GOLD LOWELL (SamSam) actors will typically seek out vulnerable systems and protocols (such as RDP) connected to the internet and exploit them to gain a foothold in a victim’s network.
- No Honor Amongst the SamSam Ransomware Thieves. Secureworks have observed the SamSam Ransomware threat group increasing the decryption cost once a victim pays the initial ransom.
- The latest GOLD LOWELL campaign, which began in late December 2017and ran through mid- January 2018 generated at least USD $350,000 in revenue for the SamSam actors.
- Once SamSam actors have access, they will use publicly available tools (such Mimikatz) to steal high value usernames and passwords, and leverage custom scripts to survey the network and deploy Samsam ransomware to as many systems as possible.