“SamSam” ransomware – a mean old dog with a nasty new trick

library
crime | hacking | security

One cybersecurity catchphrase you’ll hear these days is that “X is the new ransomware”.

That’s because the ransomware scene is no longer clearly dominated by long-running, well-known “brand names” (so to speak) such as CryptoLocker, TeslaCrypt or Locky.

In other words, many people are convinced that ransomware has had its day, is dying out, and new threats are taking over.

A popular value for the variable X in in the equation above is cryptojacking, where crooks sneakily insinuate cryptocurrency mining software onto your computer or into your browser.

Rather than snatching away your files, like ransomware does, cryptojackers steal your processing power and your electricity instead.

This means that the crooks earn a tiny bit of money from every victim for as long as they’re infected, rather that taking the all or nothing approach of ransomare, where victims face a stark choice: pay and win, or refuse and lose.

The thing is, neither cryptojacking, nor indeed any other cyberthreat, is the “new ransomware”.

If you must know, RANSOMWARE is the new ransomware.

As often happens in the world of cybercrime, old threats stay with us for ages, and new threats simply add themselves to the mix rather than taking over. (Do you seriously think that we’ll ever see the end of spam, for example?)

This year, we’ve seen a carefully orchestrated ransomware campaign known as SamSam, where the crooks have settled on a new mode of operation.

Instead of blasting out one copy of the malware out to thouands of potential victims over a day or two, the crooks blast thousads of copies of the malware onto computers inside a single organisation, pretty much all at once…

…and then, almost casually, offering a “volume discount” to fix the entire company in one fell swoop.

SophosLabs just published an intriguing technical paper about the SamSam menace, and in the sample discussed in the paper, the malware includes a BAT file that lets the crooks set their price point for each attack:

    @echo off
    SET runner=mswinupdate.exe
    SET password=%1
    SET path=xxxxxxxxxx
    SET totalprice=5
    SET priceperhost=0.8

The prices above are denominated in BTC (Bitcoin), and they seem to be adjusted each time so that the all-you-can-eat discount price works out at about $45,000.

At BTC0.80 per PC, but “just” BTC5.00 to decrypt your whole company, it’s almost as though the criminals are doing you a favour!

We don’t know why the price is $45,000. For all we know, that number was picked because it’s below certain reporting threholds, or because the crooks want to pick the highest value they dare without getting into corporate board-level approval territory. All we can say is that $45,000 is a lot of money.

Learn more about this new trend in ransomware by reading the paper now. (No registration required.)

Follow @NakedSecurity
Follow @duckblog

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/r5mVMuPqxaM/

Comments are closed.