Unfortunately, ransomware has become the cherry on top of the pie of corporate compromises: in many cases it is a sign that initial compromise, lateral movement and exfiltration have already happened. The malicious actors simply wait for the ransom payment, which in many cases does not bring back the entirety of the data, and the exfiltrated data will likely be bargained with or sold on some dark market.
In many campaigns, the massive spread of ransomware across organizations has been ‘lucky’ in the sense that the actors are often unaware of the size of the organizations that have been compromised.
That is not the case for organizations targeted with SamSam ransomware: the actors' modus operandi shows prior footprinting and extensive use of post-exploitation tools, reconnaissance, and exfiltration of potentially valuable data from within compromised organizations before the ransomware payload is dropped.
Recent reports by security companies also reveal that the unnamed actors behind the ransomware are now specifically targeting the healthcare, finance, education and government verticals. SamSam actors recognize that these vertical markets hold very valuable information and that these institutions can be literally paralyzed by an effective ransomware attack, especially if the targeted computers hold protected information (e.g., PII, PHI, or PCI data). This pressures targeted organizations to consider paying the ransom.
In our newest threat advisory, we explore the process of exploitation, compromise, lateral movement and infestation by SamSam, as well as detection and mitigation of this threat; access it here.