Monday, 03 December 2018 07:00

SamSam ransomware campaign - statement by FireEye

Written by Kimberly Goody

By Kimberly Goody, manager, cyber crime analysis at FireEye


“FireEye has tracked SamSam activity dating back to late 2015, impacting organizations across multiple industry verticals. Notably, the indictment highlights numerous healthcare and government organizations that have been targeted. It is possible that the operators chose to target these organizations because they provide critical services, and the operators believed their likelihood of paying was higher as a result.

One of the starkest deviations between SamSam operations and traditional ransomware is the departure from more traditional infection vectors. While indiscriminate targeting is still heavily relied on by other actors, likely to bolster operational scalability, there has been an increasing number of threat actors actively engaged in more "targeted" attacks in which ransomware is deployed post-compromise. In our SamSam investigations, we observed activity consistent with that noted in the indictment, including the exploitation of external servers as well as updates to their initial infection vectors over time. Deploying ransomware post-compromise also gives attackers the ability to better understand victim environments and to deploy ransomware payloads both more broadly and to identified high-value systems, putting additional pressure on organizations to pay.

It is also important to note that while the actors named in the indictment are associated with the SamSam ransomware, this may just be their most lucrative operation. We have some evidence to suggest that they were investigating the possibility of stealing payment card data, and we have also seen the deployment of cryptocurrency miners in victim environments.

The impact that these indictments will have is unclear since the individuals are purportedly located in Iran and remain at large.”