How Bitcoin and the Dark Web hide SamSam in plain sight
For two and a half years someone has been terrorising organisations by breaking in to their networks and infecting their computers with devastating, file-encrypting malware known as SamSam.
The attacks are regular, but rarer and more sophisticated than typical ransomware attacks, and the perpetrators extort eye-watering, five-figure ransoms to undo the damage they create.
This year alone, victims have included healthcare provider Allscripts, Adams Memorial Hospital, the City of Atlanta, the Colorado Department of Transportation and the Mississippi Valley State University.
By extracting high ransoms from a small number of victims who are reluctant to share news of their misfortune, the SamSam attackers have remained elusive while amassing an estimated fortune in excess of $6 million. Details about the attacks, the victims, the methods used and the nature of the malware itself have been hard to come by.
And yet, for all the mystery, some important aspects of SamSam attacks take place in plain sight.
One of the ways the man, woman or group behind SamSam (for convenience I’ll call them “Sam” from now on) gains entry to their targets is via RDP (the Remote Desktop Protocol), a technology that companies put in place so their employees can connect remotely. It’s easy to discover companies that use RDP with search engines like Shodan, and weak passwords can be exposed with publicly-available underground tools like nlbrute.
SamSam ransom notes direct victims to a Dark Web website where the victim can exchange messages with the hacker. The website and the conversation are discreet but they aren’t secret – anyone with the Tor Browser can visit the site and watch the conversation unfold.
The ransom note also instructs victims on how to purchase bitcoins, and how to use them to pay their attacker. Like all Bitcoin transactions, the ransom payments happen in plain sight and the inflows and outflows of cash can be easily observed.
So how is it that Sam and other cybercriminals can operate out in the open, talking to victims on public websites and exchanging money in plain sight, and yet evade capture, and is there anything that can be done about it?
Sam demands ransoms be paid in Bitcoin, the world’s favourite cryptocurrency.
The trust that people have in Bitcoin comes from its reliability, which stems from the way it stores data in public, in a database called a blockchain. Anyone can own a copy of Bitcoin’s blockchain, for free, and anyone can view the transactions stored inside it using software, or websites like blockchain.com.
On the Bitcoin blockchain, users are represented by one or more addresses – strings of letters and numbers between 26 and 35 characters long. Observers can see how much money has been sent from one address to another and when, but the Bitcoin blockchain has no record of who owns what address, or how many addresses they own.
Sam has used Bitcoin since SamSam first appeared. In the beginning, the addresses the ransoms were paid to changed regularly but as time has passed, perhaps reflecting Sam’s increasing confidence, they’ve changed less and less.
There are limits to what a pocketful of bitcoins will get you though, and sooner or later they have to be traded for something such as cash, or goods and services, and that can create a link between a pseudonymous Bitcoin address and a real person. Online currency exchanges may want an ID or record an IP address, for example, and goods bought online have to be delivered to an address.
Any such link is of course of enormous interest to law enforcement.
Sam shows an awareness of these risks by using so-called tumblers (a form of Bitcoin money laundering), and in the advice the ransom notes offers to victims about how to purchase bitcoins anonymously:
We advice you to buy Bitcoin with Cash Deposit or WesternUnion from https://localbitcoins.com or https://coincafe.com/buybitcoinswestern.php because they don't need any verification and send your Bitcoin quickly.
Bitcoin’s transparency is its strength but it is also, increasingly, a weakness. Bitcoin’s blockchain is the very definition of “Big Data” and as any regular reader of Naked Security will tell you, large collections of anonymous data are often far more than the sum of their parts.
For its investigation into SamSam, Sophos partnered with Neutrino, a company that specialises in crunching the numbers in the Big Data that cryptocurrencies create. Using its proprietary tech, Neutrino was able to validate suspected SamSam transactions and identify many more SamSam payments than were previously known, leading Sophos to new victims and new insights about how SamSam attacks unfold.
As a result of Neutrino’s digging, Sophos has been able to revise the previous best guess of how much money Sam has made from around $1 million to just over $6 million. It has also been able to use information gathered from previously unknown victims discovered through blockchain transactions to improve the protection against ransomware it provides.
And there’s every reason to expect more insight will be possible in future. Historical transactions are entombed in the Bitcoin blockchain forever, at the mercy of researchers and unaffected by upgrades or improvements in cybercriminals’ operational security.
As an example of how far that Big Data analysis can go, researchers recently succeeded in stripping away key privacy protections from Monero, a blockchain-based cryptocurrency that’s designed to offer more anonymity than Bitcoin.