How Bitcoin and the Dark Web hide SamSam in plain sight

For two and a half years someone has been terrorising organisations by breaking in to their networks and infecting their computers with devastating, file-encrypting malware known as SamSam.

The attacks are regular, but rarer and more sophisticated than typical ransomware attacks, and the perpetrators extort eye-watering, five-figure ransoms to undo the damage they create.

This year alone, victims have included healthcare provider Allscripts, Adams Memorial Hospital, the City of Atlanta, the Colorado Department of Transportation and the Mississippi Valley State University.

By extracting high ransoms from a small number of victims who are reluctant to share news of their misfortune, the SamSam attackers have remained elusive while amassing an estimated fortune in excess of $6 million. Details about the attacks, the victims, the methods used and the nature of the malware itself have been hard to come by.

And yet, for all the mystery, some important aspects of SamSam attacks take place in plain sight.

One of the ways the man, woman or group behind SamSam gains entry to their targets is via RDP (the Remote Desktop Protocol), a technology that companies put in place so their employees can connect remotely. It’s easy to discover companies that use RDP with search engines like Shodan, and weak passwords can be exposed with publicly-available underground tools like nlbrute.

SamSam ransom notes direct victims to a Dark Web website where the victim can exchange messages with the hacker. The website and the conversation are discreet but they aren’t secret – anyone with the Tor Browser can visit the site and watch the conversation unfold.

The ransom note also instructs victims on how to purchase bitcoins, and how to use them to pay their attacker. Like all Bitcoin transactions, the ransom payments happen in plain sight and the inflows and outflows of cash can be easily observed.

So how is it that SamSam and other cybercriminals can operate out in the open, talking to victims on public websites and exchanging money in plain sight, and yet evade capture, and is there anything that can be done about it?

Bitcoin

SamSam demands ransoms be paid in Bitcoin, the world’s favourite cryptocurrency.

The trust that people have in Bitcoin comes from its reliability, which stems from the way it stores data in public, in a database called a blockchain. Anyone can own a copy of Bitcoin’s blockchain, for free, and anyone can view the transactions stored inside it using software, or websites like blockchain.com.

On the Bitcoin blockchain, users are represented by one or more addresses – strings of letters and numbers between 26 and 35 characters long. Observers can see how much money has been sent from one address to another and when, but the Bitcoin blockchain has no record of who owns what address, or how many addresses they own.

SamSam has used Bitcoin since the malware first appeared. In the beginning, the addresses the ransoms were paid to changed regularly but, as time has passed, they’ve changed much less frequently.

There are limits to what a pocketful of bitcoins will get you though, and sooner or later they have to be traded for something such as cash, or goods and services, and that can create a link between a pseudonymous Bitcoin address and a real person. Online currency exchanges may want an ID or record an IP address, for example, and goods bought online have to be delivered to an address.

Any such link is of course of enormous interest to law enforcement.

SamSam shows an awareness of these risks by using so-called tumblers (a form of Bitcoin money laundering), and in the advice the ransom notes offers to victims about how to purchase bitcoins anonymously:

We advice you to buy Bitcoin with Cash Deposit or WesternUnion from https://localbitcoins.com or https://coincafe.com/buybitcoinswestern.php because they don't need any verification and send your Bitcoin quickly.

Bitcoin’s transparency is its strength but it is also, increasingly, a weakness. Bitcoin’s blockchain is the very definition of “Big Data” and as any regular reader of Naked Security will tell you, large collections of anonymous data are often far more than the sum of their parts.

For its investigation into SamSam, Sophos partnered with Neutrino, a company that specialises in crunching the numbers in the Big Data that cryptocurrencies create. Neutrino was able to validate suspected SamSam transactions and identify many more SamSam payments than were previously known, leading Sophos to new victims and new insights about how attacks unfold.

As a result of Neutrino’s digging, Sophos has been able to revise the previous best guess of how much money SamSam has made – moving the estimated total up from around $1 million to just over $6 million. Neutrino has also been able to use information gathered from previously unknown victims discovered through blockchain transactions to improve the protection against ransomware it provides.

And there’s every reason to expect more insight will be possible in future. Historical transactions are entombed in the Bitcoin blockchain forever, at the mercy of researchers and unaffected by upgrades or improvements in cybercriminals’ operational security.

As an example of how far that Big Data analysis can go, researchers recently succeeded in stripping away key privacy protections from Monero, a blockchain-based cryptocurrency that’s designed to offer more anonymity than Bitcoin.

Dark Web

It’s one thing to watch the money flowing from victim to attacker in broad daylight, quite another to watch them actually talking.

SamSam victims are directed by their ransom notes to websites where they can ask for the software needed to decrypt their computers. In addition to decrypting all of their computers for the full, five-figure ransom, victims are also offered a number of alternatives:

1. Any two files can be decrypted for free, to prove the decryption works.
2. Any one computer can be decrypted if the attacker deems it unimportant.
3. One computer can be decrypted for 0.8 BTC (as of June 2018).
4. Half the computers can be decrypted for half the ransom.

The SamSam gang and its victims can navigate these options, and even resolve technical issues with the decryption process, by leaving messages for each other on the website.

In the beginning, SamSam used the web’s equivalent of “burner” phones – single use websites on anonyme.com or wordpress.com. Within a few months, though, the malware had moved to the relative safety of a website running on a hidden service on the Tor network, or, as its colloquially known, the Dark Web.

Victims are told to pay the ransom, install the Tor Browser (a modified version of Firefox that allows them to navigate to hidden services), and then visit the website and ask for the decryption software.

With the Tor browser installed, visiting the SamSam website is no different from visiting any other site aside from its peculiar looking hidden service address – a 16 character string of letters and numbers ending in .onion.

What makes the Dark Web dark, and so useful to cybercriminals, is that it uses layers of encryption and a series of intermediary computers to hide a website’s IP address.

With an IP address, law enforcement can see where in the world a website is located, which part of the internet it’s on and who the hosting company or ISP is. With that information they stand a reasonable chance of identifying who owns a site, or of shutting it down. Without an IP address, a website is unmoored from the real world and could be literally anywhere.

So is all hope lost? Not quite.

Tor, the technology used to make the web go “dark” is sophisticated and capable software, but it isn’t a cloak of invisibility and the owners of Dark Web websites are arrested fairly regularly.

For all the fuss made of it in the media you’d be forgiven for believing that the Dark Web is enormous, but it’s not, it’s vanishingly small. While the regular web has hundreds of millions of active websites, the Dark Web has thousands.

Size is important because the smaller a network is, the easier to scan and monitor it is, and scans of the Dark Web have shown something very interesting – it is far more centralised and interconnected than you’d expect.

The size of the network also has a bearing on one of the more shadowy deanonymisation tactics that might be available to a law enforcement or intelligence agency with skilled hackers and a big budget: traffic correlation attacks.

Traffic correlation attacks attempt to match the traffic entering the Tor network with the traffic leaving it. Such attacks are hard to carry out but are a long-acknowledged potential weakness and are rumoured to have been used in 2014’s multi-national Dark Web crackdown, Operation Onymous.

Tor is very good at hiding your IP address but, while it’s important, there is more to staying anonymous online than that, and more often than not it seems that the Dark Web’s inhabitants that get busted are undone by human error. Whether it’s talking to an undercover cop, trusting the wrong person, forgetting to take the necessary precautions or simply not knowing what they are, there are a lot of ways to slip up.

In amassing their criminal treasure chest, the SamSam crew has made a lot of enemies.

If and when they slip up, a lot of eyes will be watching.

You can read more about the history of SamSam, how it works and how to protect against it in Sophos’s extensive new research paper, SamSam: The (Almost) Six Million Dollar Ransomware.

The investigation is ongoing – if you have information about SamSam or you are a security vendor interested in collaborating with our investigation, please contact Sophos.