State of the Union on Security: SamSam Attacks and the Need to Prioritize Risks, Pt. 2 of 3
This Part 2 post in a three-part series recaps roughly the second third of the presentation that Chris Goettl, Ivanti’s director of Product Management for security solutions, gave at the recent IT Leadership Summit virtual event, which is available on demand. That presentation covered a number of trends being witnessed today, how you can go about strategizing a response, how to ensure a high level of security for your environments, and how to prioritize your efforts to maximize your effectiveness.
Part 1 of this blog series, State of the Union on Security: The Rise of Nation-State Activities, Pt. 1 of 3, discusses the rise of nation-state activities and a new evolution in cyber-attacks: the use of ransomware as a social and economic disrupter rather than as a direct attempt to get a payout.
The SamSam Ransomware Family
SamSam is also a fairly recent evolution in ransomware. It emerged only a couple of years ago, and the attacks executed with it have become very effective.
The SamSam ransomware family—and the threat group by the same name behind the scenes—are definitely more focused in their targets. They’re not out for mass-scale ransomware as a service trying to get any random payout. They single out their targets and are actively involved during an attack. They’ll break into and survey a victim’s network before deploying and running any ransomware. They also change their tactics during the attacks. If one approach doesn't seem to be working, they'll shift gears and employ other approaches to be able to maximize their effectiveness. And if security software stops the malware from running, they'll look for ways to disable that software.
A History of Infecting Edge Servers
These threat groups have a history of infecting internet-facing servers. In the few cases detected so far, the entry points were a Red Hat-based Java development environment called JBoss and RDP services, which are often public facing in healthcare companies, where partners or clients are let into an RDP service that is exposed to the internet.
So, cyber-criminals will brute-force attack those RDP protocols, or they'll take advantage of a public-facing software exploit on a platform like JBoss. Traditionally, as you know, something like RDP sessions are often configured with weak passwords, so strengthening your password policies is one way to help mitigate how these guys are getting in.
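The password-guessing against exposed RDP described above leaves a recognizable trail on the target: a burst of Windows Security event 4625 (logon failure) records with Logon Type 10 (RemoteInteractive), often cycling through account names. The following is an added example, not code from the post or from Ivanti, that runs that detection over a handful of constructed log records in a simplified pipe-delimited format; the event IDs and logon type are the real Windows values, while the record layout, addresses and account names are assumptions made for the example.

```python
"""Flag RDP password guessing from Windows Security event 4625 records.

Added example for this post; the log lines below are constructed, not taken
from any real incident. A password-guessing attack against an exposed RDP
service produces a burst of event 4625 (logon failure) records on the target
with Logon Type 10 (RemoteInteractive), often cycling through account names.
Counting those per source address in a short sliding window separates that
burst from a user mistyping a password a couple of times.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: "timestamp|event_id|logon_type|account|source_ip".
# 198.51.100.7 guesses several accounts within seconds; 203.0.113.5 is one
# user who fails twice (4625) and then logs on successfully (4624).
SAMPLE_EVENTS = """\
2018-06-01T10:00:01|4625|10|administrator|198.51.100.7
2018-06-01T10:00:02|4625|10|admin|198.51.100.7
2018-06-01T10:00:03|4625|10|backup|198.51.100.7
2018-06-01T10:00:04|4625|10|administrator|198.51.100.7
2018-06-01T10:00:05|4625|10|helpdesk|198.51.100.7
2018-06-01T10:00:06|4625|10|administrator|198.51.100.7
2018-06-01T10:00:07|4625|3|administrator|198.51.100.7
2018-06-01T10:05:00|4625|10|jsmith|203.0.113.5
2018-06-01T10:05:20|4625|10|jsmith|203.0.113.5
2018-06-01T10:05:40|4624|10|jsmith|203.0.113.5
"""


def parse_events(text):
    """Parse the pipe-delimited sample format into a list of dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event_id, logon_type, account, source_ip = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account.lower(),
            "source_ip": source_ip,
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: (failures_in_window, distinct_accounts_tried)} for
    every source that produced at least `threshold` RDP logon failures
    (event 4625, Logon Type 10) inside one sliding `window`.

    Only RDP failures are counted: successes (4624) and failures for other
    logon types (e.g. type 3, network) are ignored here.
    """
    recent = defaultdict(deque)   # source_ip -> timestamps of recent failures
    accounts = defaultdict(set)   # source_ip -> account names tried
    flagged = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] != 4625 or ev["logon_type"] != 10:
            continue
        src = ev["source_ip"]
        window_q = recent[src]
        window_q.append(ev["time"])
        accounts[src].add(ev["account"])
        # Drop failures that have aged out of the sliding window.
        while window_q and ev["time"] - window_q[0] > window:
            window_q.popleft()
        if len(window_q) >= threshold:
            flagged[src] = (len(window_q), len(accounts[src]))
    return flagged


if __name__ == "__main__":
    results = detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS))
    for src, (count, n_accounts) in results.items():
        print(f"{src}: {count} RDP logon failures within 1 minute "
              f"across {n_accounts} account names")
```

The threshold and window are the knobs to tune against your own baseline; the distinct-account count is the useful second signal, since a real user locking themselves out tries one name, while guessing cycles through many. Pairing this with an account lockout policy and removing RDP from direct internet exposure addresses the same entry path from the prevention side.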
But once they do get in, the level of sophistication is also alarming. They use a combination of software vulnerabilities and tools like Mimikatz, which we discussed in Part 1, to compromise credentials. They then utilize existing security and operational tools within your environment—again, PsExec, WMIC, and other solutions. They've got a list of about 10 to 12 different tools, either malicious in nature or already present in your environment, that just need a certain level of privilege to be used in the different ways observed so far.
Another distinct difference between a SamSam attack and other ransomware is that it’s not just automated software trying to exploit things based on certain algorithms. The attackers are active in the environment, change up tactics, and develop new ways around obstacles they encounter.
Not Looking for Individual System Payouts
What’s more, these guys aren’t looking for individual-system payouts. They’ll usually offer a per-machine payout option, but they quickly push toward a site-wide decryption option, typically around $50,000.
What they're really aiming for is six to eight attacks per month with payouts of $50,000 each. Since they surfaced a few years ago, they've made about $6 million in Bitcoin payouts and are averaging around $330,000 a month in successful ransoms paid out. Again, they'll get into an environment and they'll sneak around and distribute themselves very effectively across an environment before they actually launch the attack.
One particular event that happened not too long ago was an attack on a healthcare company. In the first 15 minutes, before the attack was contained, the ransomware infected and executed on nearly 9,000 systems. This is how they operate: they reach critical mass before launching the ransomware, which makes them easily detected.
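The living-off-the-land tooling named earlier (PsExec, WMIC) and the fan-out to thousands of systems described here are two sides of one detection opportunity: PsExec installs its PSEXESVC service on every target, which the target logs as System event 7045, and a "wmic ... process call create" shows up in Security event 4688 on the workstation it was run from when command-line auditing is enabled. A single such event is routine administration; the same indicator on many hosts within minutes is the spread that precedes a mass launch. The following is an added example, not code from the post or from Ivanti, that runs both checks over constructed records; the event IDs and the PSEXESVC service name are the real Windows artifacts, while the record layout, host names and timestamps are assumptions made for the example.

```python
"""Spot PsExec/WMIC remote execution fanning out across many hosts.

Added example for this post; the records are constructed, not from the
incident described. PsExec installs its PSEXESVC service on each target,
which the target logs as System event 7045 (a service was installed); a
"wmic ... process call create" run from an admin workstation appears in
that workstation's Security event 4688 (process creation) when command-line
auditing is on. One such event is routine administration. The same indicator
on many hosts within a few minutes is the fan-out that precedes a mass
ransomware launch, and that is what fan_out_alerts() flags.
"""
from datetime import datetime, timedelta

# Constructed sample records: "timestamp|host|event_id|detail".
# Six hosts see a remote-exec indicator inside 21 seconds at 02:00; the
# DHCP service install on SRV-DB1 and the single WMIC call from ADMIN-02
# later in the day are ordinary administration.
SAMPLE_EVENTS = r"""
2018-06-01T02:00:10|WS-001|7045|Service Name: PSEXESVC  Service File Name: %SystemRoot%\PSEXESVC.exe
2018-06-01T02:00:12|WS-002|7045|Service Name: PSEXESVC  Service File Name: %SystemRoot%\PSEXESVC.exe
2018-06-01T02:00:15|WS-003|7045|Service Name: PSEXESVC  Service File Name: %SystemRoot%\PSEXESVC.exe
2018-06-01T02:00:20|ADMIN-01|4688|wmic /node:WS-004 process call create "cmd.exe /c dir"
2018-06-01T02:00:25|WS-005|7045|Service Name: PSEXESVC  Service File Name: %SystemRoot%\PSEXESVC.exe
2018-06-01T02:00:31|WS-006|7045|Service Name: PSEXESVC  Service File Name: %SystemRoot%\PSEXESVC.exe
2018-06-01T09:15:00|SRV-DB1|7045|Service Name: Dhcp  Service File Name: %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted
2018-06-01T14:30:00|ADMIN-02|4688|wmic /node:WS-010 process call create "notepad.exe"
"""


def parse_events(text):
    """Parse the pipe-delimited sample format. The detail field may itself
    contain '|', so only the first three separators are split on."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, host, event_id, detail = line.split("|", 3)
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "event_id": int(event_id), "detail": detail})
    return events


def remote_exec_indicators(events):
    """Return [(time, host, tool)] for records that look like PsExec or WMIC
    remote execution; anything else (e.g. a normal service install) is skipped."""
    hits = []
    for ev in events:
        detail = ev["detail"].lower()
        if ev["event_id"] == 7045 and "psexesvc" in detail:
            hits.append((ev["time"], ev["host"], "psexec"))
        elif ev["event_id"] == 4688 and "wmic" in detail and "process call create" in detail:
            hits.append((ev["time"], ev["host"], "wmic"))
    return hits


def fan_out_alerts(hits, min_hosts=4, window=timedelta(minutes=5)):
    """Group indicator hits into bursts (each burst spans at most `window`
    from its first hit) and return [(burst_start, sorted_hosts)] for every
    burst that touched at least `min_hosts` distinct hosts."""
    alerts = []
    burst_start, burst_hosts = None, set()
    for time, host, _tool in sorted(hits):
        if burst_start is None or time - burst_start > window:
            # Close the previous burst before starting a new one.
            if len(burst_hosts) >= min_hosts:
                alerts.append((burst_start, sorted(burst_hosts)))
            burst_start, burst_hosts = time, set()
        burst_hosts.add(host)
    if len(burst_hosts) >= min_hosts:
        alerts.append((burst_start, sorted(burst_hosts)))
    return alerts


if __name__ == "__main__":
    hits = remote_exec_indicators(parse_events(SAMPLE_EVENTS))
    for start, hosts in fan_out_alerts(hits):
        print(f"{start.isoformat()}: remote-exec indicator on {len(hosts)} hosts: {', '.join(hosts)}")
```

The host-count threshold is what turns a noisy per-event rule into a usable one: administrators do use PsExec and WMIC, so the alert is on breadth and speed rather than on the tool itself. Collecting 7045 and 4688 centrally is the prerequisite, since the pattern is only visible when events from many endpoints are seen together.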
Attack on the City of Atlanta
Now, this particular SamSam ransomware family is what hit five departments in the City of Atlanta in March of this year. It was a very disruptive attack and relegated city officials to sharing old laptops that were pulled out of closets to try to get their work done.
Almost 30 percent of the systems that were impacted were vital, including court systems and police. The city department lost all but six of its computers and 10 years’ worth of documents. The police lost their dash-cam recordings. Around 8,000 city employees weren’t able to use their PCs for several days.
The impact costs to the City of Atlanta were roughly $17 million and have risen since then. This number includes the hard costs of cleaning up the attack—around $2.6 million—which included bringing in external security services and online emergency services to stand in for disrupted services like police and 911 that needed to keep operating while the city’s own services were down.
Now compare these costs of a SamSam attack against the costs of the NotPetya attack focused on Ukraine discussed in Part 1 in this blog series. If you look at headlines from that attack, the impact on the global shipping giant Maersk was running about $300 million in disrupted operations for just a two-week time span. FedEx experienced a very similar impact, upwards of $300 million. This is downtime due to damaged or lost data, business disruption, lost productivity, and the cost of forensic investigations conducted by both internal and external entities. And then there’s the restoration of operations, damaged reputation, stock prices, fines that might have occurred because of negligence in securing the environment, and so on.
How Do We Start Prioritizing Risks?
So, in talking about these types of threats, how do we start to talk about prioritizing risks? How do we try and identify what those risks are—some of the commonalities? What can we do to make ourselves more effective? Obviously, we can't solve every potential exploit; there is no 100-percent security. So, how do we focus on the right things to maximize our effectiveness?
So, known vulnerabilities are still the root cause of a lot of security breaches. Gartner predicts that 99 percent of the vulnerabilities exploited by the end of 2020 will continue to be the ones known by security and IT professionals at the time of the incident. Zero days happen, but they're not extremely common occurrences. Hackers are relying on security penetration skills. They’re developing the same skill sets as your own security teams and penetration testers. Their luxury is the fact that they can move faster than we can.
People, Your Weakest Link
According to the Verizon Data Breach Investigations Report, 90 percent of security incidents and breaches involve some level of phishing attempt. While more people are being educated, and fewer and fewer are clicking on things without first thinking, four percent of phishing campaign recipients will still click on any given campaign.
While education is important, and while spotting phishing tactics is critical, we must also worry about all of those other things behind the scenes. For example, according to the Verizon report, 49 percent of malware is installed via email. So that’s an area to focus on, and we need tactics to defend against those types of vulnerabilities—many of which are vulnerabilities in graphics rendering or in document types—software vulnerabilities that can be plugged.
And if we prioritize those and focus on the ones that are most at risk, we can help mitigate those impacts from hitting our environments.
Take a few minutes to read Part 3 in this blog series, plus learn more about how Endpoint Security solutions from Ivanti can help you mitigate up to 95 percent of cyber threats.