Custom Tailor Hackers

Hacking Gang likes your Old Password

IT departments must be doing a better job, because hackers are starting to work harder. Jerry Bell and Andrew Kalat provide a thoughtful summary of the SamSam and FIN7 attacks and specific techniques to defend against them in Defensive Security Podcast Episode 224.  SamSam uses a tailored attack before they launch their Ransomware and FIN7 adds phone calls to legitimize their email phishing. Although the different malware gangs still tend to specialize in their approach, how long before they begin to attack in layers against those with only basic security set-ups? For now, defend against the current attacks (summarized details below), but layer your defenses in-depth in preparation for the next stages of malware evolution that are surely coming.

SamSam is a ransomware that famously held the City of Atlanta hostage for $55,000. While Atlanta did not pay, Danny Palmer of ZDNet analyzed Sophos research that estimates that the malware gang behind the attacks receives an estimated $300,000 per month from up to 10 victims (enterprise, government and healthcare) that elect to pay. SamSam begins as a Remote Desktop Protocol (RDP) compromise that uses brute force or stolen credentials to gain access to the company network. Once inside, the hackers attempt to escalate their credentials to administrative access and seek out vulnerabilities to exploit inside the network. To give victims the strongest motivation to pay, the hackers will often actively search for and delete backups stored on the network before unleashing the SamSam ransomware attack. This is a highly tailored attack, but it depends upon RDP users continuing to use old or weak passwords!
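Because the SamSam intrusion starts with password guessing against exposed RDP, the earliest detection opportunity is a burst of failed interactive logons from one source. The following is an added example, not code from the original post: it scans a constructed, simplified one-event-per-line export of Windows Security events (the `EventID=`/`LogonType=`/`SrcIP=` layout is an assumption for this demo; a real export will differ) and flags any source with a threshold of failed RDP logons (Event ID 4625, logon type 10) inside a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real telemetry): one source cycles through
# several usernames over RDP within two minutes; another fails twice and
# then succeeds, which is ordinary user behaviour.
SAMPLE_LOG = """\
2018-09-10T02:14:01Z EventID=4625 LogonType=10 SrcIP=203.0.113.7 User=admin
2018-09-10T02:14:09Z EventID=4625 LogonType=10 SrcIP=203.0.113.7 User=administrator
2018-09-10T02:14:20Z EventID=4625 LogonType=10 SrcIP=203.0.113.7 User=backup
2018-09-10T02:14:31Z EventID=4625 LogonType=10 SrcIP=203.0.113.7 User=helpdesk
2018-09-10T02:15:02Z EventID=4625 LogonType=10 SrcIP=203.0.113.7 User=scanner
2018-09-10T02:30:00Z EventID=4625 LogonType=10 SrcIP=198.51.100.4 User=jsmith
2018-09-10T02:30:12Z EventID=4625 LogonType=10 SrcIP=198.51.100.4 User=jsmith
2018-09-10T02:31:00Z EventID=4624 LogonType=10 SrcIP=198.51.100.4 User=jsmith
"""

# Assumed line layout for this example only.
LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
                     r"SrcIP=(?P<src>\S+) User=(?P<user>\S+)$")


def parse(log_text):
    """Yield (timestamp, event_id, logon_type, src_ip, user) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, int(m["event"]), int(m["ltype"]), m["src"], m["user"]


def rdp_bruteforce_sources(log_text, threshold=5, window_minutes=5):
    """Return {src_ip: sorted usernames tried} for every source that produced at
    least `threshold` failed RDP logons (4625 with logon type 10) within any
    `window_minutes`-long sliding window."""
    failures = defaultdict(list)
    for ts, event, ltype, src, user in parse(log_text):
        if event == 4625 and ltype == 10:          # failed interactive remote logon
            failures[src].append((ts, user))
    flagged, window = {}, timedelta(minutes=window_minutes)
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:   # slide window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = sorted({u for _, u in events[start:end + 1]})
                break
    return flagged
```

Tuning the threshold and window to the environment matters: an RDP gateway legitimately used by many staff will need a higher bar than an isolated server that should see no remote logon failures at all.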

The FIN7 gang takes a different, but equally tailored, approach to their attack. It is common knowledge to not open unsolicited attachments from strangers, but there are certain types of employees whose jobs specifically depend upon opening attachments from strangers. The human resources department must open resumes and sales reps need to open orders. As detailed by Mathew Schwartz in DataBreachToday (with screen captures of actual emails), the FIN7 gang would target companies likely to conduct a large number of credit card transactions, research the company to find public-facing or identifiable employees (from LinkedIn, company websites, etc.) likely to open an attachment and then follow up the emailed malware with a phone call! The phone call legitimized the phishing email and greatly improved the chance the file was opened. Once the malware was launched, FIN7 carefully executed a multi-step process to locate and steal the caches of payment card numbers. Law enforcement officials estimate the gang obtained and sold 15 million payment cards obtained from more than 150 companies, which in turn led to over $1 billion in fraud. High-profile victims included Arby’s, Lord & Taylor and Whole Foods Markets.

It all comes down to layers, layers, layers!

Malware gangs, for the most part, have not been forced to advance the sophistication of their attacks because there are enough victims to be had at their current level of effort.  But as CIOs and CISOs continue to advance their capabilities, so will the malware gangs. As FIN7 demonstrates, malware gangs are already beginning to use layers of attack methods (as nation-states already do) to defeat layers of defense.  Don’t be the low-hanging fruit for the exploit!

Within the above articles, a variety of countermeasures are suggested, ranging from the ‘absolutely critical’ to the ‘if the budget will allow’ level of practicality:

Absolutely critical (and not particularly expensive):

Nice to have (expenses vary depending upon the vendor, the number of users, sophistication, etc.):

    • Use multi-factor authentication (certificates, apps, etc.)
    • Conduct anti-phishing training
    • Create backups and maintain them offline and offsite

If the budget will allow:

    • Block phishing domains
    • Monitor network traffic
    • Sandbox key users who must open attachments (browser isolation, virtual machines, etc.)

Soliton’s products provide and support a rich variety of multi-factor authentication ranging from SecureShield’s support for Duo’s 2-factor authentication to certificates issued by the NetAttest EPS.  For information about Soliton products, please visit:

SecureShield data sheet
SecureShield video
NetAttest EPS product flyer

Palmer, D., ZDNet, This destructive ransomware has made crooks $6m by encrypting data and backups
Schwartz, M. J., DataBreachToday, The Art of the Steal: FIN7’s Highly Effective Phishing
Password Problems 1: Ghosts of Breaches Past
Password Problems 2: Cracking Internal Passwords