SamSam Ransomware


Systems Affected


SamSam targets multiple industries, including some within critical infrastructure.

Threat Level


High


Overview


SamSam is ransomware that encrypts all files on a victim machine and drops a text file containing a message demanding a ransom to decrypt the files. SamSam is not new: it first appeared in early 2016, but it frequently draws the security community's attention. Its developers make great efforts to cover their tracks.


Description


Attackers exploit Windows servers to gain persistent access to a victim's network and infect all reachable hosts. They use Remote Desktop Protocol (RDP) to gain access to victims' networks, either through brute-force attacks or with stolen login credentials.

After gaining access to a particular network, the SamSam actors escalate privileges to obtain administrator rights, drop malware onto the server, and run an executable file. Once on a victim machine, it encrypts all files and leaves ransom notes on the encrypted computers. These notes direct victims to establish contact through a Tor hidden service site. After paying the ransom in Bitcoin and establishing contact, victims usually receive links to download cryptographic keys and tools to decrypt their network.


Impact



Solution / Workarounds


Disable the RDP service if it is not in use. If it is required, it should be patched and placed behind a firewall, and users of RDP should follow proper policies.
Regulate and limit external-to-internal RDP connections. When external access to internal resources is required, use secure methods such as VPNs.
Ensure that third parties that require RDP access follow internal policies on remote access.
Enforce strong password creation policies and account lockout to defend against brute-force attacks.
Apply two-factor authentication, where possible.
Regularly apply system and software updates.
Maintain a good back-up strategy. Perform regular backups of all critical information. Backups should be stored offline on separate devices.
Enable logging and ensure that logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days and review them regularly to detect intrusion attempts.
Minimize network exposure for all control system devices. Where possible, disable RDP on critical devices.
Restrict users' ability (permissions) to install and run unwanted software applications.
Scan for and remove suspicious email attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
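The logging recommendation above asks that RDP logins be captured and reviewed to detect intrusion attempts. The following Python script is an added example, not part of this advisory or of any CERT tooling, showing one way to do that review: it looks for a burst of failed RDP logons from a single source address and notes whether a successful RDP logon from the same address followed, which is the pattern a password brute-force against RDP produces. It uses the standard Windows Security event IDs (4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive, i.e. RDP). The pipe-separated input format, the sample events, and the threshold and window values are all assumptions made for this example; the sample events are constructed and do not come from any real incident.

```python
"""Detect RDP brute-force activity in exported Windows Security events.

Added example, not from the advisory. Assumes events were exported to a
simple text form, one event per line:
    timestamp|EventID|LogonType|TargetUserName|IpAddress
Event IDs and logon type are the standard Windows values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625        # Windows Security: an account failed to log on
SUCCESS_LOGON = 4624       # Windows Security: an account was successfully logged on
REMOTE_INTERACTIVE = 10    # Logon type 10 = RDP / Terminal Services

# Constructed sample events (not real log data). The first source address
# fails repeatedly against several accounts, then succeeds; the second is a
# user mistyping a password once; the third is a non-RDP (network) logon.
SAMPLE_EVENTS = """\
2018-11-30T02:14:01|4625|10|administrator|203.0.113.45
2018-11-30T02:14:03|4625|10|administrator|203.0.113.45
2018-11-30T02:14:05|4625|10|admin|203.0.113.45
2018-11-30T02:14:07|4625|10|backup|203.0.113.45
2018-11-30T02:14:09|4625|10|administrator|203.0.113.45
2018-11-30T02:14:11|4625|10|administrator|203.0.113.45
2018-11-30T02:15:40|4624|10|administrator|203.0.113.45
2018-11-30T09:02:10|4625|10|jsmith|192.0.2.17
2018-11-30T09:02:30|4624|10|jsmith|192.0.2.17
2018-11-30T09:05:00|4625|3|svc_web|198.51.100.9
"""


def parse_events(text):
    """Parse the pipe-separated export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event_id, logon_type, user, ip = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "user": user,
            "ip": ip,
        })
    return events


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: finding} for sources with >= threshold failed RDP logons
    inside a sliding time window. Each finding records the peak failure
    count, the account names tried, and the account of the first later
    successful RDP logon from that source (None if there was none)."""
    rdp = [e for e in events if e["logon_type"] == REMOTE_INTERACTIVE]
    rdp.sort(key=lambda e: e["time"])
    recent_failures = defaultdict(list)
    findings = {}
    for e in rdp:
        ip = e["ip"]
        if e["event_id"] == FAILED_LOGON:
            # Keep only failures that fall inside the window ending at this event.
            recent_failures[ip] = [f for f in recent_failures[ip]
                                   if e["time"] - f["time"] <= window]
            recent_failures[ip].append(e)
            if len(recent_failures[ip]) >= threshold:
                f = findings.setdefault(
                    ip, {"failures": 0, "users": set(), "success_after": None})
                f["failures"] = max(f["failures"], len(recent_failures[ip]))
                f["users"].update(x["user"] for x in recent_failures[ip])
        elif (e["event_id"] == SUCCESS_LOGON and ip in findings
              and findings[ip]["success_after"] is None):
            # A success after a flagged burst is the high-priority case.
            findings[ip]["success_after"] = e["user"]
    return findings


def report(findings):
    """Render findings as one line per source address, worst first."""
    lines = []
    for ip, f in sorted(findings.items(),
                        key=lambda kv: kv[1]["success_after"] is None):
        status = ("SUCCESSFUL RDP LOGON as %r followed" % f["success_after"]
                  if f["success_after"] else "no success observed")
        lines.append("%s: %d failed RDP logons against %s; %s"
                     % (ip, f["failures"], sorted(f["users"]), status))
    return lines


if __name__ == "__main__":
    for line in report(find_rdp_bruteforce(parse_events(SAMPLE_EVENTS))):
        print(line)
```

On a real system the input would come from the Security log (for example via wevtutil or Get-WinEvent) rather than the embedded sample, and the threshold and window should be tuned to the environment; a source that is flagged and then logs on successfully is the case to investigate first, since that is exactly the foothold the description above says the SamSam actors use.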


References


https://www.cert-in.org.in/

https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-ransomware-chooses-Its-targets-carefully-wpna.pdf

https://www.us-cert.gov/ncas/alerts/AA18-337A


Disclaimer


The information provided herein is on "as is" basis, without warranty of any kind.



© Copyright Sri Lanka CERT|CC. All Rights Reserved.