Try in Splunk Security Cloud

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the SamSam ransomware, including looking for file writes associated with SamSam, RDP brute force attacks, the presence of files with SamSam ransomware extensions, suspicious psexec use, and more.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Network_Traffic, Web
  • Last Updated: 2018-12-13
  • Author: Rico Valdez, Splunk
  • ID: c4b89506-fbcf-4cb7-bfd6-527e54789604

Narrative

The first version of the SamSam ransomware (a.k.a. Samas or SamsamCrypt) was launched in 2015 by a group of Iranian threat actors. The malicious software has affected and continues to affect thousands of victims and has raised almost $6M in ransom.
Although categorized under the heading of ransomware, SamSam campaigns have some importance distinguishing characteristics. Most notable is the fact that conventional ransomware is a numbers game. Perpetrators use a “spray-and-pray” approach with phishing campaigns or other mechanisms, charging a small ransom (typically under $1,000). The goal is to find a large number of victims willing to pay these mini-ransoms, adding up to a lucrative payday. They use relatively simple methods for infecting systems.
SamSam attacks are different beasts. They have become progressively more targeted and skillful than typical ransomware attacks. First, malicious actors break into a victim’s network, surveil it, then run the malware manually. The attacks are tailored to cause maximum damage and the threat actors usually demand amounts in the tens of thousands of dollars.
In a typical attack on one large healthcare organization in 2018, the company ended up paying a ransom of four Bitcoins, then worth $56,707. Reports showed that access to the company’s files was restored within two hours of paying the sum.
According to Sophos, SamSam previously leveraged RDP to gain access to targeted networks via brute force. SamSam is not spread automatically, like other malware. It requires skill because it forces the attacker to adapt their tactics to the individual environment. Next, the actors escalate their privileges to admin level. They scan the networks for worthy targets, using conventional tools, such as PsExec or PaExec, to deploy/execute, quickly encrypting files.
This Analytic Story includes searches designed to help detect and investigate signs of the SamSam ransomware, such as the creation of fileswrites to system32, writes with tell-tale extensions, batch files written to system32, and evidence of brute-force attacks via RDP.

Detections

Name Technique Type
Attacker Tools On Endpoint Match Legitimate Name or Location, Active Scanning, OS Credential Dumping TTP
Batch File Write to System32 Malicious File TTP
Common Ransomware Extensions Data Destruction Hunting
Common Ransomware Notes Data Destruction Hunting
Deleting Shadow Copies Inhibit System Recovery TTP
Detect PsExec With accepteula Flag SMB/Windows Admin Shares TTP
Detect Renamed PSExec Service Execution Hunting
Detect attackers scanning for vulnerable JBoss servers System Information Discovery TTP
Detect malicious requests to exploit JBoss servers   TTP
File with Samsam Extension   TTP
Remote Desktop Network Bruteforce Remote Desktop Protocol TTP
Remote Desktop Network Traffic Remote Desktop Protocol Anomaly
Samsam Test File Write Data Encrypted for Impact TTP
Spike in File Writes   Anomaly

Reference

source | version: 1