forked from sar2901/security_content
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathransomware_samsam.yml
56 lines (51 loc) · 2.98 KB
/
ransomware_samsam.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
name: SamSam Ransomware
id: c4b89506-fbcf-4cb7-bfd6-527e54789604
version: 1
date: '2018-12-13'
author: Rico Valdez, Splunk
description: Leverage searches that allow you to detect and investigate unusual activities
that might relate to the SamSam ransomware, including looking for file writes associated
with SamSam, RDP brute force attacks, the presence of files with SamSam ransomware
extensions, suspicious psexec use, and more.
narrative: 'The first version of the SamSam ransomware (a.k.a. Samas or SamsamCrypt)
was launched in 2015 by a group of Iranian threat actors. The malicious software
has affected and continues to affect thousands of victims and has raised almost
$6M in ransom.\
Although categorized under the heading of ransomware, SamSam campaigns have some
importance distinguishing characteristics. Most notable is the fact that conventional
ransomware is a numbers game. Perpetrators use a "spray-and-pray" approach with
phishing campaigns or other mechanisms, charging a small ransom (typically under
$1,000). The goal is to find a large number of victims willing to pay these mini-ransoms,
adding up to a lucrative payday. They use relatively simple methods for infecting
systems.\
SamSam attacks are different beasts. They have become progressively more targeted
and skillful than typical ransomware attacks. First, malicious actors break into
a victim''s network, surveil it, then run the malware manually. The attacks are
tailored to cause maximum damage and the threat actors usually demand amounts in
the tens of thousands of dollars.\
In a typical attack on one large healthcare organization in 2018, the company ended
up paying a ransom of four Bitcoins, then worth $56,707. Reports showed that access
to the company''s files was restored within two hours of paying the sum.\
According to Sophos, SamSam previously leveraged RDP to gain access to targeted
networks via brute force. SamSam is not spread automatically, like other malware.
It requires skill because it forces the attacker to adapt their tactics to the individual
environment. Next, the actors escalate their privileges to admin level. They scan
the networks for worthy targets, using conventional tools, such as PsExec or PaExec,
to deploy/execute, quickly encrypting files.\
This Analytic Story includes searches designed to help detect and investigate signs
of the SamSam ransomware, such as the creation of fileswrites to system32, writes
with tell-tale extensions, batch files written to system32, and evidence of brute-force
attacks via RDP.'
references:
- https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/
- https://nakedsecurity.sophos.com/2018/07/31/samsam-the-almost-6-million-ransomware/
- https://thehackernews.com/2018/07/samsam-ransomware-attacks.html
tags:
analytic_story: SamSam Ransomware
category:
- Malware
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
usecase: Advanced Threat Detection