Targeted Ransomware on the Rise: SamSam Nets $6.5m

The Sophos Labs 2019 Threat Report discusses a rise in targeted ransomware. The SamSam ransomware campaign for example was estimated to have earned more than $6.5 million. This has led to a preference for this vector of attack.

In these attacks, cybercriminals target weak entry points and brute-force Remote Desktop Protocol (RDP) passwords. Once in, they move laterally, working one step at a time to steal domain admin credentials,manipulate internal controls, disable back-ups and more. By the time most IT managers notice what is happening, the damage is done.

Get NordVPN

“Many organizations are set up to protect against automatic bots, but not interactive, human-driven attacks. If active adversaries get into a system they can ‘think laterally’ to troubleshoot roadblocks, evade detection and move around. It is hard to stop them unless the right security measures are in place,” said Dan Schiappa, SVP and GM of products at Sophos.

Similar cybercat-burglar-like attacks, such as BitPaymer, Dharma and Ryuk, use a similar lateral movement playbook to hand deliver ransomware. These attacks are very different from Ransomware-as-a-Service (RaaS) toolkits sold on the dark web. Sophos expects manual control attacks to continue into 2019.

SamSam Ransomware

“Stopping lateral movements – from active adversaries or worm-type exploits – by sharing intelligence between the firewall and endpoints, and automatically isolating infected systems is critical for every organisation today,” said Schiappa. “Unfortunately,many business environments could have blind spots on their network switches or LAN segments, and these can become secret launch pads for attacks. The new features in Sophos XG Firewall prevents threats from spreading, even where the firewall does not have direct control over traffic.”

Lateral Movement Protection is enabled through synchronised security

Sophos is now including lateral movement protection in its Sophos XF FIrewall, The aim of this is to prevent targeted, manual cyberattacks or exploits from infiltrating further into a compromised network.

The Sophos XG Firewall automatically interacts with Sophos’ endpoint products, including its new Intercept X Advanced with Endpoint Detection and Response (EDR), to deliver this new layer of protection. These essential security anchors connect via the Security Heartbeat in Sophos’ Synchronised Security technology.This creates an intelligent solution that can proactively predict and protect against threats, detect and prevent further infection by automatically isolating machines, and remediate the infection. Security Heartbeat technology enables the automatic isolation of high-risk endpoints from other endpoints on the same broadcast domain or network segment.

New and enhanced features in Sophos XG Firewall include:

  • Protection Enhancements
  • Deeper, broader IPS coverage with increased granularity in patterns
  • JavaScript cryptojacking protection
  • Sandstorm Sandboxing Enhancements
    • Intercept X integration to identify zero-day threats before they enter the network
    • Deep behavioural, network and memory analysis with machine learning, CryptoGuard, and exploit detection
  • Networking Enhancements
    • New Sophos Connect IPSec VPN client with support for Synchronised Security
  • EducationFeatures
    • Chromebook client authentication support for user-based policy and reporting
    • User/group policy support for SafeSearch and YouTube restrictions