Behind the scenes of the SamSam investigation

Thursday 4 October 10:00 - 10:30, Green room

Peter Mackenzie (Sophos)
Andrew Brandt (Sophos)

In July, Sophos published a report about a particularly costly and damaging piece of ransomware that became known as SamSam, and its unusual behaviour and history. The criminals who deploy the SamSam ransomware employ a highly targeted and unusually hands-on approach to their attacks. As a result, while there have not been a large number of victims, the SamSam operators are extremely effective at convincing their victims to pay ransoms that are orders of magnitude more expensive than those of typical conventional ransomware campaigns. One of the main findings in the report - that the threat actors behind the SamSam ransomware have managed to reap at least US$6 million in ransoms in just over two years through a combination of persistence, careful targeting of victim organizations, and ruthlessness - was the result of significant gumshoe investigation work. This not only led to a significantly higher estimate of the total ransom earnings, but also to the discovery of many more victim organizations than we had previously believed SamSam had targeted, most of which have never made any public statement about the attack.

While the report discusses the broad strokes of our research process, this session will provide an in-depth look at how we conducted our investigation into SamSam. The project required simultaneous research on multiple fronts: reverse-engineering the malware and back-tracking through repositories to find the earliest known samples; interviewing and staying in contact with victims; trying to convince victims to help us understand the threat actor's TTP and share samples and information; and conducting open-source and proprietary searches to discover and track payments to SamSam's cryptocurrency wallets, in concert with other organizations.

The emergence of SamSam-like attack methodologies, which involve a combination of brute-force and exploit-driven break-ins, and the use of conventional sysadmin tools, reveals the significant vulnerability created when large organizations do not actively monitor their networks, or fail to respond promptly to the discovery of internal threats or suspicious activity. It is our hope that we can get the message out not only about the tactics, techniques and procedures these threat actors employ, but also about what potential victims can do to stay ahead of the next attack of this type.




Andrew Brandt

Andrew Brandt is a former investigative reporter turned network forensics investigator and malware analyst, who works as a principal researcher for SophosLabs. Brandt uses his knowledge about the behaviour of malicious software to profile identifiable characteristics of undesirable or criminal activity. His analysis techniques seek to determine general principles that can help analysts and defenders rapidly and comprehensively identify the root cause of infection and data loss, putting real-time network data analysis at the front line of prevention.



Related links

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.