From late December 2017 to mid January 2018, several small and medium businesses found themselves the victims of SamSam ransomware, in attacks carried out by the Gold Lowell cybercrime gang. This campaign has made the group $350,000 richer.

The Gold Lowell group

Gold Lowell rose to prominence in 2015. Since then, they’ve run periodic ransomware campaigns targeting small and medium businesses across diverse industries—healthcare, IT, transportation, waste management, and business services. Even businesses from the leisure and entertainment industry have recently joined the list. Gold Lowell has proven itself adept at using sophisticated tools and methods to conduct attacks and elude capture. 

Gold Lowell even offers to decrypt any one file for free to assure its victims that they will get their data back if they pay the ransom. The ransom to decrypt a single machine or an entire network has increased vastly over the years. In January 2016, the group demanded $650 to decrypt a single machine and $4,250 for an entire network. By January 2018, its demands had risen to $9,700 and $41,700 respectively. While this is due in part to the skyrocketing value of Bitcoin, it also seems to imply that the crime group is getting bolder with time; the fact that the ransom is doubled if a victim misses the initial deadline only seems to support that claim.

Method of operation

While most ransomware is delivered through some type of phishing email, Gold Lowell uses opportunistic scan-and-exploit tactics to discover internet-facing systems with known vulnerabilities. Gold Lowell initially attacked JBoss applications and, in 2017, they started targeting Remote Desktop Protocol (RDP) accounts as well. By targeting services and protocols which are typically used by organizations, like JBoss and RDP, Gold Lowell is able to discover and gain entry to business networks. Upon entry, they use several public and custom tools to steal passwords, identify the most critical systems to exploit, and launch ransomware. 

SamSam ransomware

Gold Lowell’s latest attack used a custom version of SamSam ransomware, a known malware variant. Frankly, there isn’t anything unique about SamSam ransomware itself. However, it is quite sophisticated, as it uses a strong encryption method and takes measures to avoid recovery as well as complicate forensic investigations.

SamSam ransomware first encrypts files using a symmetric algorithm known as Rijndael. It then encrypts the Rijndael key using an RSA-2048 public key. The corresponding RSA-2048 private key is delivered to the victim only upon payment of the ransom. Following encryption, the malware wipes all free space on the disk and deletes all online backups to deter recovery attempts. It finally deletes its own binary file, leaving security investigators without a file to analyze.

Staying safe from Gold Lowell and SamSam

The main way to prevent scan-and-exploit attacks, such as the ones used by Gold Lowell, is to ensure that all internet-facing services, applications, and protocols are patched. You should also store an offline copy of your backups, so that malware that does reach your network can't detect or delete them. And, of course, always implement measures to detect typical ransomware activity and contain it.
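One concrete form the "detect typical ransomware activity" advice can take, as an added example that is not part of the original article: a small Python detector run over constructed file-system audit events (the log format, process names, paths and the `.locked` extension are assumptions) that flags a process rewriting many distinct files within a short window and counts deletions of backup-like paths, the two behaviours the SamSam description above calls out.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit log (not from the article): "<ISO timestamp> <pid> <process> <WRITE|DELETE|RENAME> <path>"
SAMPLE_EVENTS = """\
2018-01-10T02:14:01 4312 winword.exe WRITE C:\\Users\\alice\\report.docx
2018-01-10T02:14:40 4312 winword.exe WRITE C:\\Users\\alice\\report.docx
2018-01-10T02:15:00 7788 updater.exe WRITE C:\\Finance\\q4.xlsx.locked
2018-01-10T02:15:00 7788 updater.exe DELETE C:\\Finance\\q4.xlsx
2018-01-10T02:15:01 7788 updater.exe WRITE C:\\Finance\\budget.docx.locked
2018-01-10T02:15:01 7788 updater.exe DELETE C:\\Finance\\budget.docx
2018-01-10T02:15:02 7788 updater.exe WRITE C:\\Finance\\payroll.csv.locked
2018-01-10T02:15:02 7788 updater.exe DELETE C:\\Finance\\payroll.csv
2018-01-10T02:15:09 7788 updater.exe DELETE D:\\Backups\\nightly.vhdx
2018-01-10T02:15:10 7788 updater.exe WRITE C:\\Finance\\HELP_DECRYPT.html
"""

LINE_RE = re.compile(r"^(\S+) (\d+) (\S+) (WRITE|DELETE|RENAME) (.+)$")
BACKUP_HINT = re.compile(r"backup|\.vhdx$|\.bak$", re.IGNORECASE)  # assumed backup naming

def parse_events(text):
    # Returns (timestamp, pid, process, action, path) tuples; malformed lines are skipped.
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, pid, proc, action, path = m.groups()
        events.append((datetime.fromisoformat(ts), int(pid), proc, action, path))
    return events

def detect_mass_modification(events, window=timedelta(seconds=60), threshold=6):
    """Flag processes touching >= threshold distinct files inside any window; also count backup deletions."""
    per_proc = defaultdict(list)
    for ts, pid, proc, action, path in sorted(events):
        per_proc[(pid, proc)].append((ts, action, path))
    alerts = {}
    for key, evs in per_proc.items():
        recent, peak = deque(), 0
        for ts, _action, path in evs:
            recent.append((ts, path))
            while ts - recent[0][0] > window:  # slide the window forward
                recent.popleft()
            peak = max(peak, len({p for _, p in recent}))
        if peak >= threshold:
            backup_deletes = sum(1 for _, a, p in evs
                                 if a == "DELETE" and BACKUP_HINT.search(p))
            alerts[key] = {"files": peak, "backup_deletes": backup_deletes}
    return alerts
```

Tune `window` and `threshold` to the baseline churn of the host (a build server legitimately rewrites far more files per minute than a finance workstation), and treat any `backup_deletes` above zero as a high-priority alert on its own.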

Most importantly, don’t give in to ransom demands—this only gives attackers more power and marks you as a soft target for future attacks. To learn more about ransomware and preventing attacks, be sure to go through the FBI’s recommendations for protecting your network from ransomware.