For two and a half years someone has terrorized organizations by penetrating their networks and infecting their computers with the devastating file encryption malware known as SamSam.
Attacks occur regularly, but they are rarer and more sophisticated than typical ransomware attacks, and the extortionists demand five-figure ransoms to undo the damage they cause.
This year's victims alone include Allscripts, Adams Memorial Hospital, the City of Atlanta, the Colorado Department of Transportation and Mississippi Valley State University.
By extracting a high ransom from a small number of victims reluctant to share news of their misfortune, SamSam's attackers have remained elusive while accumulating an estimated fortune of over $6 million. Details about the attacks, the victims, the methods used and the nature of the malware itself have been hard to come by.
Yet, throughout the mystery, some important aspects of SamSam's attacks take place in plain sight. One of the ways that the man, woman or group behind SamSam gets access to their targets is via RDP (the Remote Desktop Protocol), a technology that companies deploy so that employees can connect remotely. Companies that use RDP are easy to find with search engines like Shodan, and weak passwords can be exposed with publicly available underground tools such as NLBrute.
SamSam directs victims to a Dark Web website where they can exchange messages with the attacker. The website and the conversations are discreet, but they are not secret: anyone with Tor Browser can visit the site and watch the conversations.
The ransom note also instructs victims to buy bitcoins and use them to pay their attacker. Like all Bitcoin transactions, ransom payments take place in plain sight, and the inflows and outflows of money can be easily observed.
So how is it that SamSam and other cybercriminals can operate openly, talk to victims on public websites and exchange money in plain view, and yet evade capture, and is there anything that can be done about it?
SamSam calls for the payment of ransoms in Bitcoin, the world's favorite cryptocurrency.
The trust that people have in Bitcoin derives from its reliability, which derives from the way it stores data in public, in a database called blockchain. Anyone can own a copy of the Bitcoin blockchain, free of charge, and anyone can view the transactions stored in it using software or websites such as blockchain.com.
On the Bitcoin blockchain, users are represented by one or more addresses – strings of letters and numbers between 26 and 35 characters long. Observers can see how much money has been sent from one address to another and when, but the Bitcoin blockchain does not record who owns which address, or how many addresses they own.
SamSam has used Bitcoin since the malware first appeared. In the beginning, the addresses with which the ransoms were paid were changed regularly but, over time, they changed much less frequently.
There is a limit to what a pile of bitcoins will get you though, and sooner or later they have to be exchanged for something like cash, goods or services, and that can create a link between a pseudonymous Bitcoin address and a real person. Online currency exchanges can demand ID or log an IP address, for example, and goods bought online have to be delivered to an address.
Any such connection is obviously of enormous interest to law enforcement.
SamSam shows an awareness of these risks by using so-called tumblers (a form of Bitcoin money laundering), and in their ransom notes they advise victims on how to buy bitcoins anonymously:
We recommend you buy Bitcoin with cash deposit or WesternUnion from https://localbitcoins.com or https://coincafe.com/buybitcoinswestern.php because they do not need any verification and send your Bitcoin quickly.
Bitcoin's transparency is its strength but it is also, increasingly, a weakness. Bitcoin's blockchain is the very definition of "Big Data" and as any regular Naked Security reader will tell you, large collections of anonymous data are often much more than the sum of their parts.
For its SamSam investigation, Sophos partnered with Neutrino, a company that specializes in crunching the Big Data created by cryptocurrencies. Neutrino was able to validate suspected SamSam transactions and to identify many more SamSam payments than were previously known, leading Sophos to new victims and to new insights into how the attacks unfold.
As a result of Neutrino's digging, Sophos was able to revise its previous best guess of how much money SamSam has made, shifting the estimated total from about $1 million to just over $6 million. Neutrino was also able to use information collected from previously unknown victims, discovered through their blockchain transactions, to improve the protection provided against the ransomware.
And there is every reason to expect that further investigation will be possible in the future. Historical transactions are embedded in the Bitcoin blockchain forever, available to researchers and unaffected by any later improvements in the cybercriminals' operational security.
As an example of how far Big Data analysis can be taken, researchers recently managed to strip away key privacy protections of Monero, a blockchain-based cryptocurrency designed to offer more anonymity than Bitcoin.
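The kind of analysis described above, following payments into a known ransom address and linking addresses that are spent together, as an added example that is not from the article or from Sophos or Neutrino; the transactions and address names below are constructed for illustration, not real Bitcoin data:

```python
# Added example, not from the article or from Sophos/Neutrino: a toy version of
# the blockchain analysis described above. Transactions and address names
# ('victim1', 'ransom_a', ...) are constructed, not real Bitcoin data.
from collections import defaultdict

# Each tx spends its inputs in full and pays its outputs; leftover value
# returns to the payer as change, as in Bitcoin's UTXO model.
TXS = [
    {"inputs": [("victim1", 1.0)], "outputs": [("ransom_a", 0.8), ("victim1", 0.2)]},
    {"inputs": [("victim2", 2.0)], "outputs": [("ransom_b", 1.6), ("victim2", 0.4)]},
    {"inputs": [("victim3", 0.9)], "outputs": [("ransom_a", 0.8), ("victim3", 0.1)]},
    # The attacker sweeps both ransom addresses in one tx; co-spending links them.
    {"inputs": [("ransom_a", 1.6), ("ransom_b", 1.6)], "outputs": [("tumbler_in", 3.2)]},
]

def cluster_by_common_input(txs):
    """Common-input-ownership heuristic: addresses whose coins are spent
    together in one transaction are assumed to belong to the same wallet.
    Returns a list of address sets (union-find over each tx's inputs)."""
    parent = {}
    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]
            a = parent[a]
        return a
    for tx in txs:
        addrs = [a for a, _ in tx["inputs"]]
        for other in addrs[1:]:
            parent[find(other)] = find(addrs[0])
    clusters = defaultdict(set)
    for a in list(parent):
        clusters[find(a)].add(a)
    return [frozenset(c) for c in clusters.values()]

def payments_into(txs, cluster):
    """Value paid into `cluster` from addresses outside it, i.e. the wallet's
    income. A tx that spends from the cluster is an internal move, not a payment."""
    total = 0.0
    for tx in txs:
        if any(a in cluster for a, _ in tx["inputs"]):
            continue
        total += sum(amt for a, amt in tx["outputs"] if a in cluster)
    return round(total, 8)

def ransom_income(txs, known_addr):
    """Start from one known ransom address and total the income of its whole cluster."""
    cluster = next((c for c in cluster_by_common_input(txs) if known_addr in c),
                   frozenset({known_addr}))
    return cluster, payments_into(txs, cluster)
```

Starting from a single address seen in a ransom note, the sweep transaction links it to a second address and the combined income shows payments the first address alone would have missed.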
It is one thing to watch the money flowing from victim to attacker in broad daylight, and another to watch them talk.
SamSam victims are directed by their ransom notes to websites where they can request the software needed to decrypt their computers. In addition to decrypting all of their computers for the full five-figure ransom, victims are also offered a number of alternatives:
- Any one file can be decrypted for free, to test the decryption.
- Any computer can be decrypted for free if the attacker deems it unimportant.
- A single computer can be decrypted for 0.8 BTC (as of June 2018).
- Half of the computers can be decrypted for half of the ransom.
The SamSam gang and its victims can negotiate these options, and even troubleshoot technical problems with the decryption process, by leaving messages for each other on the website.
Initially, SamSam used the web equivalent of "burner" phones – single-use websites on anonyme.com or wordpress.com – but within a few months the malware had moved to the relative safety of a website running as a hidden service on the Tor network, or, as everyone knows it, the Dark Web.
To pay the ransom, victims are told to install Tor Browser (a modified version of Firefox that can navigate to hidden services), then visit the website and request the decryption software.
With Tor Browser installed, visiting the SamSam website is no different from visiting any other site, apart from the peculiar look of its hidden service address – a string of 16 letters and numbers ending in
What makes the Dark Web obscure, and so useful for cybercriminals, is that it uses cryptographic layers and a series of intermediate computers to hide the IP address of a website.
With an IP address, law enforcement can see where a website is located, which part of the Internet it operates from, and who its hosting company or ISP is. With that information they have a reasonable chance of identifying who owns a site, or of shutting it down. Without an IP address, a website is not tied to the real world and could be literally anywhere.
So is all hope lost? Not exactly.
Tor, the technology used to make the web "dark" is a sophisticated and capable software, but it's not a cloak of invisibility and the owners of Dark Web websites are arrested fairly regularly.
Anyone following the commotion in the media would be forgiven for believing that the Dark Web is huge, but it isn't; it's incredibly small. While the regular Web has hundreds of millions of active websites, the Dark Web has thousands.
Size is important because the smaller a network is, the easier it is to scan and monitor and the Dark Web scans have shown something very interesting – it's much more centralized and interconnected than you would expect.
The size of the network also has a bearing on one of the most potent deanonymization tactics available to a police or intelligence agency with skilled hackers and a large budget: traffic correlation attacks.
Traffic correlation attacks attempt to match traffic entering the Tor network with the traffic that leaves it. Such attacks are difficult to implement but are a potential long-standing weakness and are said to have been used in the 2014 Dark Web multinational crackdown, Operation Onymous.
Tor is very good at hiding your IP address but, important as that is, there is more to staying anonymous than that, and most of the time it seems that the Dark Web operators who get caught are undone by human error. Whether it's trusting an undercover cop, trusting the wrong person, forgetting to take the necessary precautions or simply not knowing what they are, there are many ways to slip up.
In amassing their criminal war chest, the SamSam crew has made many enemies.
If and when they slip, a lot of eyes will be watching.
You can read more about the history of SamSam, how it works and how to protect against it in Sophos's new research paper, SamSam: The (Almost) Six Million Dollar Ransomware.
The investigation is ongoing – if you have information about SamSam, or you are a security vendor interested in collaborating with our investigation, please contact Sophos.