
SamSam Ransomware


Systems Affected


SamSam targets multiple industries, including some within critical infrastructure.

Threat Level


High


Overview


SamSam is ransomware that encrypts all the files on a victim machine and drops a text file containing a message demanding a ransom to decrypt the files. SamSam is not new: it first appeared in early 2016, but it continues to draw the security community's attention, and its developers make great efforts to cover their tracks.


Description


The attackers exploit Windows servers to gain persistent access to a victim's network and infect all reachable hosts. They use Remote Desktop Protocol (RDP) to gain access to victims' networks, either through brute-force attacks or with stolen login credentials.

After gaining access to a particular network, the SamSam actors escalate privileges to obtain administrator rights, drop malware onto the server, and run an executable file. Once it is running on a victim machine, it encrypts all files and leaves ransom notes on the encrypted computers. These notes direct victims to establish contact through a Tor hidden service site. After paying the ransom in Bitcoin and establishing contact, victims usually receive links to download cryptographic keys and tools to decrypt their network.
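The initial access described above (RDP brute force followed by a successful logon) leaves a recognisable trace in Windows Security logs. The following detection logic is an added example, not part of this advisory: it runs over constructed sample logon events (Event ID 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP), flags any source that fails repeatedly within a short window, and notes whether that same source later succeeded, which is the case to escalate as a possible credential compromise. The threshold and window are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Windows Security events (not real telemetry):
# (timestamp, event_id, logon_type, account, source_ip)
SAMPLE_EVENTS = [
    ("2018-11-01T02:10:01", 4625, 10, "administrator", "198.51.100.7"),
    ("2018-11-01T02:10:03", 4625, 10, "administrator", "198.51.100.7"),
    ("2018-11-01T02:10:05", 4625, 10, "admin", "198.51.100.7"),
    ("2018-11-01T02:10:08", 4625, 10, "backup", "198.51.100.7"),
    ("2018-11-01T02:10:12", 4625, 10, "svc_sql", "198.51.100.7"),
    ("2018-11-01T02:10:40", 4624, 10, "svc_sql", "198.51.100.7"),
    ("2018-11-01T02:11:00", 4625, 10, "jsmith", "10.0.0.5"),
    ("2018-11-01T03:00:00", 4625, 10, "jsmith", "10.0.0.5"),
]

RDP_LOGON_TYPE = 10  # RemoteInteractive (RDP) in Windows logon events

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: summary} for sources with >= threshold failed RDP
    logons (4625) inside `window`. A later RDP success (4624) from the same
    source is recorded, since that is the pattern to escalate first."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ts, eid, ltype, account, ip in events:
        if ltype != RDP_LOGON_TYPE:
            continue
        t = datetime.fromisoformat(ts)
        (failures if eid == 4625 else successes)[ip].append((t, account))
    alerts = {}
    for ip, fails in failures.items():
        fails.sort()
        # sliding window over the sorted failure timestamps
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = fails[end][0]
                later_success = [a for t, a in successes.get(ip, []) if t >= burst_end]
                alerts[ip] = {
                    "failed_logons": end - start + 1,
                    "accounts_tried": sorted({a for _, a in fails[start:end + 1]}),
                    "success_after_burst": later_success,
                }
                break
    return alerts
```

In production the events would come from the Security channel (e.g. via a SIEM export) rather than an inline list, and the logon-type filter keeps console and network logons from inflating the count.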


Impact



Solution/ Workarounds


  ✻  Update to the latest version of Mozilla Firefox on Windows, Linux and Mac.


References


https://www.cert-in.org.in/

https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-ransomware-chooses-Its-targets-carefully-wpna.pdf

https://www.us-cert.gov/ncas/alerts/AA18-337A


Disclaimer


The information provided herein is on "as is" basis, without warranty of any kind.



© Copyright Sri Lanka CERT|CC. All Rights Reserved.