The SamSam ransomware that caused serious damage to a California hospital and has infected many other enterprises in the United States is continuing to evolve and add new functionality as its developers look to stay ahead of researchers and defenders.
SamSam belongs to a newer wave of ransomware that does not rely on individual users to infect themselves by opening malicious attachments or clicking malicious links. These strains first gain a foothold on a target corporate network, typically through a single compromised host, and then spread laterally: stealing user credentials, mapping the network, and installing themselves on other machines across it. SamSam has turned up in a number of corporate networks in the last few months, and some of the infections have been pervasive.
“During one incident, SecureWorks analysts found that more than 30% of the organization’s systems were infected with ransomware, including a server hosting the cloud backup application. The client could not properly restore encrypted documents, causing a significant strain on the company and its employees. The threat actors used tactics and techniques popular with dedicated adversaries and infected the systems with the ransomware variant known as Samas (also known as SamSam),” Kevin Strickland of SecureWorks said in an analysis of SamSam’s evolution.
The SamSam developers have been modifying the ransomware’s code in recent weeks, and each change has altered the indicators of compromise, such as file names and hashes, that researchers use to identify infections. Many of the variants behave similarly and leave common traces on infected machines, but Strickland said the newer versions include some key changes. One is the handling of self-deletion: earlier variants used a batch script that invoked SDelete to wipe the ransomware from the system after encryption, whereas the most recent variant drops the SDelete step and leaves the malware behind.
“The most recent Samas variant observed by SecureWorks analysts as of this publication (showmehowto.exe) uses a batch script but forgoes the use of SDelete, leaving the malware on the system. Within one month, the Samas authors developed two variants, and each iteration made past low-level threat indicators obsolete,” Strickland said.
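The point behind “each iteration made past low-level threat indicators obsolete” is that a hash or file-name indicator only matches the exact build it was taken from, while an indicator keyed on behaviour (a dropped batch script that removes its own traces, with or without SDelete) survives a recompile. The following is an added example, not code from SecureWorks or from the article: it runs a hash-list check and a behaviour-rule check over two constructed batch-script samples standing in for successive variants. The script contents, the file name `showmehowto.exe` reused from the quote above, and the rule names are assumptions made for the illustration, not recovered SamSam artifacts.

```python
"""Hash-based versus behaviour-based indicators across two ransomware variants.

Added example. The two samples below are constructed stand-ins for the
batch scripts two successive variants might drop; they are not real SamSam
artifacts. The first wipes the ransomware with SDelete, the second (like
the showmehowto.exe variant described in the text) leaves the binary on disk.
"""
import hashlib
import re

# Constructed sample 1: waits for encryption to finish, then wipes the
# ransomware binary with SDelete and removes the batch file itself.
SAMPLE_V1 = b"""@echo off
:wait
tasklist | find /i "showmehowto.exe" >nul && (timeout /t 5 >nul & goto wait)
sdelete.exe -p 3 -q "%~dp0showmehowto.exe"
del /f /q "%~f0"
"""

# Constructed sample 2: same loop, but the SDelete step is gone, so the
# ransomware binary stays on the system; only the batch file removes itself.
SAMPLE_V2 = b"""@echo off
:wait
tasklist | find /i "showmehowto.exe" >nul && (timeout /t 5 >nul & goto wait)
del /f /q "%~f0"
"""


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# "Low-level" indicator: a hash list built from the first variant only,
# which is all a defender would have had before the second appeared.
HASH_IOCS = {sha256(SAMPLE_V1)}

# "Higher-level" indicators: behaviours the text attributes to Samas across
# variants. Rule names are assumed for this example.
BEHAVIOUR_RULES = {
    # a script that polls for the ransomware process before acting
    "waits_for_ransomware_process": re.compile(rb"tasklist.*showmehowto\.exe", re.I),
    # a script that deletes itself after running
    "batch_self_delete": re.compile(rb"del\s+/f\s+/q\s+\"%~f0\"", re.I),
    # secure wipe of the dropped binary (present only in the older variant)
    "sdelete_wipe": re.compile(rb"\bsdelete(\.exe)?\b", re.I),
}


def match_hash(sample: bytes) -> bool:
    """True only if the exact bytes are on the hash list."""
    return sha256(sample) in HASH_IOCS


def match_behaviour(sample: bytes) -> list:
    """Names of behaviour rules that fire, in rule order."""
    return [name for name, rx in BEHAVIOUR_RULES.items() if rx.search(sample)]


def triage(sample: bytes) -> str:
    """Verdict for one dropped script: which kind of indicator caught it."""
    if match_hash(sample):
        return "hash_match"
    if match_behaviour(sample):
        return "behaviour_match"
    return "clean"


if __name__ == "__main__":
    for label, sample in (("variant 1", SAMPLE_V1), ("variant 2", SAMPLE_V2)):
        print(label, triage(sample), match_behaviour(sample))
```

Running it shows the hash list catching only the first variant, while the behaviour rules fire on both; the dropped SDelete rule is exactly the kind of change that Strickland describes as obsoleting the earlier indicators, and a rule set that keys on the polling loop and self-deletion rather than the wipe step would have kept matching.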
Ransomware infections on corporate networks are in some ways easier to recover from than those on individual users’ machines. Enterprises typically keep backups of their data and systems and can usually restore what was encrypted, provided those backups are isolated from the network the ransomware is spreading through; in the SecureWorks incident quoted above, the server hosting the cloud backup application was itself infected and the victim could not restore its documents. Consumers are often worse off: if they have backups at all, they may sit on attached drives that the ransomware encrypts along with everything else. Enterprise infections can still have severe consequences, as in the case of Hollywood Presbyterian Medical Center. The hospital was hit by SamSam earlier this year and ended up paying the ransom after much of its network was paralyzed.
The pace of ransomware development and advancement is accelerating, and the changes are making life much more difficult for victims, researchers, and defenders. That trend likely will continue.
“Based on the analyzed Samas samples, the core code of the Samas ransomware has not drastically changed. However, the continued development of the ransomware binaries indicate that the threat actors are persistent and will continue to deliver updated versions to evade detection and continue their campaign,” Strickland said.