Cybercriminals group behind the SamSam Ransomware continuously targeting various organizations network which is located in different countries in order to encrypt the sensitive data.
This is one of the ransomware which is highly active in 2018 to break down the 67 different types of organization network across the world especially in the U.S.
Mainly targeting sectors are Healthcare, banking & finance, Insurance, utility and energy, Manufacturing, education, Public and Government sectors.
Attackers especially focus on healthcare sectors because there is a high possibility to pay the ransom amount since they need to deal with human lives and Healthcare network easily to infect.
Out of 67 main targetted attacks, 56 were located in the U.S. A small number of attacks were logged in Portugal, France, Australia, Ireland, and Israel.
Unlike other ransomware families, SamSam ransomware targeting only specific organization to gain the access by spending a lot of time to perform reconnaissance by mapping out the network before to proceed the encryption process.
Process of SamSam Ransomware Attack
Initial Stage of SamSam Ransomware attack carried out by a variety of sophisticated tools in order to infect as possible as an attacker can and take a lot more time to process the entire infection operation.
A method called living off the land (Attackers using legitimate tools to compromise the network) mainly used by SamSam ransomware.
This helps them to hide their malicious activities and let attack looks like a legitimate process to evade the detection.
According to the Symantec, The first sign of an intrusion came when the attackers downloaded several hacking tools onto a computer in the targeted organization. Ten minutes later, the attackers began running scripts in order to identify and scan other computers on the organization’s network.
Also, attackers using Microsoft Sysinternals tool called PsInfo to gathering information about the other computer in the network to identify the software that installed on the victim computer.
Also, this tool used to find the critical files in the infected computer and they are using other hacking tools called Mimikatz (Hacktool.Mimikatz) to steal the password from selected computers from the targeted network.
Attackers always having two different SamSam ransomware version in their hand to use it if any of the version detected by the security software.
SamSam continues to pose a grave threat to organizations in the U.S. The group is skilled and resourceful, capable of using tactics and tools more commonly seen in espionage attacks, researchers said.
You can also read the complete ransomware Attack Response and Mitigation Checklist to protect your network from future attacks.