How Bitcoin and the Dark Web hide SamSam in plain sight – Naked Security


For two and a half years someone has terrorized organizations by penetrating their networks and infecting their computers with the devastating file-encrypting malware known as SamSam.

The attacks are regular, but less frequent and more sophisticated than typical ransomware attacks, and the extortionists charge five-figure ransoms to undo the damage they cause.

This year's victims alone include Allscripts, Adams Memorial Hospital, the City of Atlanta, the Colorado Department of Transportation and Mississippi Valley State University.

By extracting high ransoms from a small number of victims reluctant to share news of their misfortune, SamSam's attackers have remained elusive while accumulating an estimated fortune of over $6 million. Details about the attacks, the victims, the methods used and the nature of the malware itself have been hard to come by.

Yet, for all the mystery, some important aspects of SamSam's attacks take place in plain sight. One of the ways that the man, woman or group behind SamSam gains access to their targets is via RDP (the Remote Desktop Protocol), a technology that companies put in place so that employees can connect remotely. Companies that use RDP are easy to find with search engines like Shodan, and weak passwords can be exposed with publicly available underground tools such as nlbrute.

SamSam ransoms its victims through a Dark Web website where the victim can exchange messages with the attacker. The website and the conversation are discreet, but they are not secret: anyone with the Tor Browser can visit the site and watch the conversation.

The ransom note also instructs victims to buy bitcoins and use them to pay their attacker. Like all Bitcoin transactions, ransom payments take place in plain sight, and the money flowing in and out can be observed easily.

Figure: SamSam ransom collection over time

So how is it that SamSam and other cybercriminals can operate openly, talk to victims on public websites and exchange money in full view, and yet evade capture? And is there anything that can be done about it?


SamSam demands that ransoms be paid in Bitcoin, the world's favorite cryptocurrency.

The trust that people place in Bitcoin derives from its reliability, which in turn derives from the way it stores data in public, in a database called the blockchain. Anyone can hold a copy of the Bitcoin blockchain, free of charge, and anyone can view the transactions stored in it using software or websites such as

On the Bitcoin blockchain, users are represented by one or more addresses, strings of letters and numbers between 26 and 35 characters long. Observers can see how much money has been sent from one address to another, and when, but the Bitcoin blockchain does not record who owns which address, or how many addresses they own.

SamSam has used Bitcoin since the malware first appeared. In the beginning, the addresses to which ransoms were paid changed regularly but, over time, they changed much less frequently.

There are limits to what a handful of bitcoins will buy you anyway, and sooner or later they have to be traded for something like money, goods or services, and this can create a link between a pseudonymous Bitcoin address and a real person. Online currency exchanges can require ID or record an IP address, for example, and goods bought online have to be delivered to an address.

Any such connection is obviously of enormous interest to law enforcement.

SamSam shows an awareness of these risks by using so-called tumblers (a form of Bitcoin money laundering), and the ransom notes advise victims on how to buy bitcoins anonymously:

  We recommend you buy Bitcoin with cash deposit or WesternUnion from or because they do not need any verification and send your Bitcoin quickly.

Bitcoin's transparency is its strength, but it is also, increasingly, a weakness. Bitcoin's blockchain is the very definition of "Big Data", and as any regular Naked Security reader will tell you, large collections of anonymous data are often much more than the sum of their parts.

For its investigation into SamSam, Sophos collaborated with Neutrino, a company that specializes in crunching the Big Data generated by cryptocurrencies. Neutrino was able to validate suspected SamSam transactions and identify many more SamSam payments than were previously known, leading Sophos to new victims and new insights into how the attacks unfold.

As a result of Neutrino's digging, Sophos was able to revisit its previous best guess of how much money SamSam has made, raising the estimated total from about $1 to just over $6 million. Neutrino was also able to use information gathered from previously unknown victims, discovered through blockchain transactions, to help improve protection against the ransomware.
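As an added illustration of the ledger analysis described in the two passages above (this is example code written for this page, not Neutrino's or Sophos's method), the Python sketch below starts from a single ransom address copied from a ransom note, links other addresses that are spent together with it in one transaction (the common-input-ownership heuristic), and then totals payments into the enlarged wallet by month. The ledger, addresses, transaction ids and amounts are all constructed placeholders, not real SamSam data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample ledger: one entry per transaction, listing the addresses it
# spends from, its (address, BTC) outputs and its date. Not real transactions.
LEDGER = [
    {"txid": "tx1", "time": "2016-01-10", "inputs": ["1VictimA"], "outputs": [("1RansomA", 1.5)]},
    {"txid": "tx2", "time": "2016-02-03", "inputs": ["1VictimB"], "outputs": [("1RansomB", 2.0)]},
    # Attacker consolidates two ransom addresses into a tumbler, with change back to 1RansomA.
    {"txid": "tx3", "time": "2016-02-20", "inputs": ["1RansomA", "1RansomB"],
     "outputs": [("1Tumbler", 3.4), ("1RansomA", 0.05)]},
    {"txid": "tx4", "time": "2016-03-05", "inputs": ["1VictimC"], "outputs": [("1RansomC", 4.0)]},
    {"txid": "tx5", "time": "2016-03-15", "inputs": ["1RansomC", "1RansomA"], "outputs": [("1Exchange", 4.0)]},
    {"txid": "tx6", "time": "2016-03-20", "inputs": ["1VictimD"], "outputs": [("1Unrelated", 0.7)]},
]

# The one address an analyst knows at the outset (constructed, as if copied from a ransom note).
SEED = {"1RansomA"}


def expand_wallet(ledger, seed):
    """Common-input-ownership heuristic: addresses spent together in one transaction are
    assumed to share an owner. Iterate until no new address is linked. Caveat: coinjoin-style
    tumblers deliberately break this assumption, so links through them need manual review."""
    wallet = set(seed)
    changed = True
    while changed:
        changed = False
        for tx in ledger:
            ins = set(tx["inputs"])
            if ins & wallet and not ins <= wallet:
                wallet |= ins
                changed = True
    return wallet


def ransom_payments(ledger, wallet):
    """Outputs paid into the wallet from outside it. Transactions the wallet itself signs
    (consolidation, cash-out, change) are not income and are skipped."""
    payments = []
    for tx in ledger:
        if set(tx["inputs"]) & wallet:
            continue
        for addr, btc in tx["outputs"]:
            if addr in wallet:
                payments.append((tx["time"], tx["txid"], addr, btc))
    return payments


def collection_by_month(payments):
    """Total incoming BTC per calendar month, the series behind a 'collection over time' chart."""
    totals = defaultdict(float)
    for when, _txid, _addr, btc in payments:
        totals[datetime.strptime(when, "%Y-%m-%d").strftime("%Y-%m")] += btc
    return dict(totals)
```

With only the seed address, one payment (1.5 BTC) is visible; after linking, three payments totalling 7.5 BTC are attributed to the same wallet.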

And there is every reason to expect that further investigation will be possible in the future. Historical transactions are embedded in the Bitcoin blockchain forever, available to researchers and unaffected by any later improvements in the cybercriminals' operational security.

As an example of how far Big Data analysis can be taken, researchers recently managed to strip away key privacy protections of Monero, a blockchain-based cryptocurrency designed to offer more anonymity than Bitcoin.