First emerging in late 2015, the group believed to be responsible for the SamSam ransomware family has targeted small and large businesses, healthcare, governments, and education.
Over time, the ransom prices set by this group have changed somewhat, but they’ve remained consistent when it comes to general affordability, which is why many victims have paid. To date, the group has made nearly $850,000 USD.
This somewhat shocking figure is based on the current value of Bitcoin (BTC), which was $8,620.22 at the time this story was written. However, because the market is constantly changing, the actual value of the ransoms paid will go up or down, as the final value is determined by the rate at cash-out.
Also, this figure is based on the previously known SamSam wallet (used during the Allscripts attack in January) and the wallet used in their most recent attack against the City of Atlanta.
Still, the fact that the group behind SamSam has collected any ransom at all, let alone 98.5 BTC, tells an interesting story about the balance between security and business.
When victims of ransomware pay the ransom, most people assume it’s because they didn’t have proper backups, or the backups themselves were either outdated or corrupt. You’ll see pundits mention this in the media or on stage at security conferences year-round.
Thing is, what most pundits aren’t talking about – a dirty secret for some in the security industry – is that sometimes it’s cheaper and quicker to pay during a ransomware attack.
You shouldn’t pay the ransom:
Paying the ransom during a ransomware attack is a bad idea. Doing so will only keep the ransomware marketplace alive and thriving.
Ransomware is a numbers game to criminals. For the most part, they’ll infect as many systems and individual organizations as possible, and if only a fraction of them pay, it’s pure profit.
In fact, based on a recent Symantec report, the cost of a ransomware toolkit is about $450 USD, while the average ransom price in 2017 was $522 USD. So, if just one victim pays, the rest are nothing but icing on the cake.
But that isn’t the case for all ransomware families, particularly SamSam.
SamSam is different:
The group behind SamSam is opportunistic.
When the group was first detected by the wider security industry in late 2015, they were targeting vulnerabilities in JBoss, hitting organizations in the education and healthcare sectors. Later, the group moved on to target single-factor external access such as RDP or VPN, as well as vulnerable FTP platforms, and Microsoft’s IIS.
Considering their latest victim, the City of Atlanta, the group behind SamSam had a number of available access points to choose from.
The city has RDP exposed to the public, as well as VPN gateways, FTP servers, and IIS installations. Most of them have SMBv1 enabled, making the task of spreading the ransomware easier.
Note: Salted Hash has done some research on SamSam in relation to another victim of theirs, Allscripts. We’ll be posting about that during the RSA Conference in April, so stay tuned.
Maybe you should pay the ransom:
If you suggest to a security professional that you should pay the ransom in the event of a ransomware attack, you’ll usually get one of two reactions.
The first, rage and refusal (‘that’s a dumb idea!’), is the most common. The second, a twitch of the eye and a hesitant ‘you really shouldn’t, but okay’ is uncommon, but happens because while they might not like it, they understand.
After an incident, security is about getting back to business. But if this involves paying a ransom, it is an ugly, distasteful process. It feels like you’re losing, or that you’ve somehow failed. But that isn’t it at all. It’s just how business is done sometimes.
The group behind SamSam knows this, which is why they price their ransoms in a way that almost ensures their victims can pay. In fact, they profile most victims before the ransomware is launched. Not only do they know who they’re targeting, they know what they can afford.
In January, Hancock Health CEO Steve Long, speaking to reporters after dealing with a SamSam attack, said that restoring systems from backups could have taken days or maybe weeks to accomplish.
So, the cost of recovery, versus the ransom itself ($50,000-55,000 USD), required that the incident be viewed from a business perspective – fiscally it made sense to pay. And that’s just what Hancock Health did.
“These folks have an interesting business model. They make it just easy enough [to pay the ransom],” Long told the Greenfield Reporter. “They price it right.”
Speaking to the Indianapolis Star, Hancock Health’s Rob Matt, the senior vice president and chief strategy officer, said it wasn’t an easy decision to pay, but the “amount of the ransom was reasonable in respect to the cost of continuing down time and not being able to care for patients.”
Another thing the group behind SamSam has going for it is an established track record. They have a reputation for being honest, or at least as honest as you can expect when dealing with criminals. If you pay, you will get your files back.
It’s just good business on their end, as proven recovery with payment only encourages other victims to pay.
One incident at a time:
Ultimately, the decision to pay during a ransomware attack will depend on a number of factors and will happen on a case-by-case basis.
However, ransomware is a threat that isn’t going away. Not any time soon.
Gone are the days when the answer to a ransomware attack was as simple as current, tested backups. That might work in some cases, but groups like the one responsible for SamSam are the future and backups alone won’t save you.
This group knows how to apply just the right amount of pain, targeting critical systems and services that can’t wait for backups, often forcing the victim to pay out.
This isn’t to say that backups aren’t important tools when dealing with ransomware, they absolutely are. You just can’t rely on them as a silver bullet, especially when the business can’t wait.
If the CFO, CEO, COO, or board of directors decides to pay the ransom over the objections of those in IT or security, that’s exactly what’s going to happen and there isn’t anything you can do to stop it.
You just have to live with that call and move on.
However, no matter what, in addition to backups, some of the critical elements in a SamSam attack center on vulnerabilities, user permissions, and a lack of multi-factor authentication.
How many users in your organization are local administrators? Do they need to be?
Do you use multi-factor authentication across the entire company? If not, why is that?
How quickly are systems patched once an update is released?
The group behind SamSam will target all of these elements, and considering they’ve nearly cleared one million dollars since December 2017, they’re really good at what they do.
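The three questions above (local administrators, multi-factor authentication on remote access, and patch cadence), together with the SMBv1 and exposed-RDP points from earlier in the story, can be turned into a quick read-only audit of a single Windows host. The script below is an added example written for this article, not code from Salted Hash or from any vendor; the function name Get-SamSamExposureReport and the $MaxPatchAgeDays threshold are assumptions. It uses only built-in cmdlets available on Windows 10 / Server 2016 and later in an elevated PowerShell 5.1+ session. MFA itself cannot be verified from the endpoint, so the script only flags where RDP is listening so that the gateway in front of it can be checked.

```powershell
# Added example (not from the Salted Hash article): read-only local audit of
# the weak points the article names. Hypothetical: Get-SamSamExposureReport,
# $MaxPatchAgeDays. Requires an elevated PowerShell 5.1+ session on Windows.

function Get-SamSamExposureReport {
    [CmdletBinding()]
    param(
        # Days since the last installed update before patch cadence is flagged (assumed threshold)
        [int]$MaxPatchAgeDays = 30
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Local administrators: who is in the built-in Administrators group besides the defaults?
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    $nonDefault = @($admins | Where-Object { $_.Name -notmatch '\\(Administrator|Domain Admins)$' })
    if ($nonDefault.Count -gt 0) {
        $findings.Add("Administrators group has $($nonDefault.Count) non-default member(s): " +
            (($nonDefault | ForEach-Object Name) -join ', '))
    }

    # 2. SMBv1: the protocol the article notes makes spreading easier
    $smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($smb -and $smb.EnableSMB1Protocol) {
        $findings.Add('SMBv1 server protocol is enabled')
    }

    # 3. RDP: is it listening, and is Network Level Authentication required?
    $rdpListening = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
    if ($rdpListening) {
        $ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
            -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-tcp'" -ErrorAction SilentlyContinue
        if ($ts -and -not $ts.UserAuthenticationRequired) {
            $findings.Add('RDP is listening and Network Level Authentication is not required')
        } else {
            $findings.Add('RDP is listening; confirm it is reachable only through an MFA-protected gateway or VPN')
        }
    }

    # 4. Patch cadence: age of the most recently installed update
    $latest = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    if ($latest) {
        $age = (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
        if ($age -gt $MaxPatchAgeDays) {
            $findings.Add("Last update ($($latest.HotFixID)) was installed $age days ago, beyond the $MaxPatchAgeDays-day threshold")
        }
    } else {
        $findings.Add('No installed update history found; verify patch status another way')
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Checked      = Get-Date
        Findings     = $findings
    }
}

Get-SamSamExposureReport | Format-List
```

Run it on a representative sample of servers (or wrap the call in Invoke-Command against a list of hosts) and the Findings list gives a concrete answer to each of the three questions before an attacker does. The checks are deliberately read-only: nothing is changed, so it is safe to run on production during an assessment.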