The FBI and the Department of Homeland Security (DHS) recently alerted the business community to a ransomware strain called SamSam, also known as MSIL/SAMAS. Cyber criminals are using SamSam to break into corporate networks across industries in the US.
DHS Report Details
The ransomware attacks hit organizations in many sectors, including those with mission-critical operations. Most compromised systems were in the United States, but many attacks reached beyond national borders into the global business arena as well.
A network-wide failure that takes down an organization’s entire IT infrastructure is far more profitable for cyber criminals than an attack limited to individual systems. Corporations that provide essential services to their customers need to return to business as usual as quickly as possible, and when confronted with such a scenario they tend to give in and pay exorbitant ransoms.
Attackers break into corporate networks through Windows servers and then compromise every host system within reach. They do this by:
- Exploiting vulnerabilities in corporate JBoss applications
  - The primary attack vector here is the JexBoss Exploit Kit, which has been in use since 2016
- Abusing the Remote Desktop Protocol (RDP) to compromise networks
  - Attackers either brute-force their way in or obtain valid user credentials and log in as a legitimate user
  - These attacks can be hard to detect because the malware enters through a legitimate access point
Once inside, SamSam exploits bugs and vulnerabilities to bypass security controls and reach systems and resources. The malware runs executables on servers without end-user authorization. Some SamSam attacks require a degree of user interaction, such as clicking a link in a suspicious email or opening a malicious website; attacks delivered through RDP intrusions, however, are barely visible to the end user.
RDP credentials can be bought on many darknet marketplaces. Once attackers obtain them, a SamSam attack can be deployed in a matter of hours. While restoring affected systems, many IT teams also found suspicious network activity entirely unrelated to SamSam, which indicates that stolen credentials are resold on cybercrime black markets for further misuse.
Ransom notes are left on encrypted computers, along with instructions for contacting the attackers through a Tor hidden service. Payment is usually demanded in Bitcoin, in exchange for decryption keys and tools that can be downloaded from specific links to decrypt the corporate network.
Preventing SamSam Ransomware Attacks
The following are expert recommendations for hardening IT systems and eliminating the vulnerabilities SamSam operators typically exploit. Assess configuration changes in advance to avoid unnecessary impact on systems.
- Inventory the business systems that use the Remote Desktop Protocol (RDP) for remote access
- Evaluate whether the service is required. If not, disable it; if it is, apply available patches
- Work with third-party technology suppliers to ensure the patches do not degrade system performance
- Do not expose RDP ports, especially port 3389, on cloud-based VMs with public IP addresses. If there is a valid business reason to keep RDP open, place it behind a firewall and require access through a VPN
- Enforce a strong password and account lockout policy to guard against brute-force attempts to break into the network
- Use two-step verification wherever it can be implemented
- Keep systems and software current through regular updates
- Design an effective backup plan
- Retain logs, including RDP logins, for at least three months and review them regularly for signs of intrusion attempts
- Follow cloud vendors’ recommendations for remote access when deploying virtual machines
- Apply internal remote access policies to RDP requests from external entities
- Keep the network exposure of all control system devices to a minimum, and close RDP ports on high-priority systems
- Control external-to-internal RDP communication. If it is unavoidable, use a secure option such as a VPN, keeping in mind that a VPN is only as secure as the devices connected through it
- Restrict user permissions for installing and running unnecessary software
- Filter suspicious email attachments. Verify that an attachment’s true file type, as indicated by its file header, matches its extension
- Turn off file and printer sharing. If it cannot be avoided, require strong passwords or Active Directory authentication
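The log review recommended above can be automated. The script below is an added example (not from the DHS alert or any vendor tool) that scans Windows Security logon events for a burst of failed RDP logons from one source, then flags a later successful RDP logon from that same source, the pattern a brute-forced or purchased credential leaves behind. The log format and every address, user and timestamp are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real logs), one Windows Security event per line.
# 4625 = failed logon, 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2018-11-01T02:00:01 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=198.51.100.23
2018-11-01T02:00:04 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=198.51.100.23
2018-11-01T02:00:09 EventID=4625 LogonType=10 TargetUser=admin SourceIP=198.51.100.23
2018-11-01T02:00:15 EventID=4625 LogonType=10 TargetUser=backup SourceIP=198.51.100.23
2018-11-01T02:00:22 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=198.51.100.23
2018-11-01T02:03:40 EventID=4624 LogonType=10 TargetUser=backup SourceIP=198.51.100.23
2018-11-01T09:12:00 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=10.0.0.15
2018-11-01T09:12:30 EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=10.0.0.15
2018-11-01T09:13:00 EventID=4625 LogonType=3 TargetUser=svc SourceIP=10.0.0.40
"""

RDP_LOGON_TYPE = 10

def parse_event(line):
    """Turn one 'timestamp key=value ...' record into a dict."""
    ts, *fields = line.split()
    ev = {k: v for k, v in (f.split("=", 1) for f in fields)}
    return {"time": datetime.fromisoformat(ts), "id": int(ev["EventID"]),
            "type": int(ev["LogonType"]), "user": ev["TargetUser"], "ip": ev["SourceIP"]}

def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return ('burst', ip, time) once `threshold` RDP failures from one IP fall
    inside `window`, and ('success_after_burst', ip, user) for any later RDP success
    from an IP that already produced a burst."""
    recent = defaultdict(deque)   # ip -> timestamps of recent RDP failures
    burst_ips = set()
    alerts = []
    for line in log_text.splitlines():
        e = parse_event(line)
        if e["type"] != RDP_LOGON_TYPE:
            continue                                   # only RDP logons matter here
        q = recent[e["ip"]]
        if e["id"] == 4625:
            q.append(e["time"])
            while q and e["time"] - q[0] > window:    # slide the window forward
                q.popleft()
            if len(q) >= threshold and e["ip"] not in burst_ips:
                burst_ips.add(e["ip"])
                alerts.append(("burst", e["ip"], e["time"]))
        elif e["id"] == 4624 and e["ip"] in burst_ips:
            alerts.append(("success_after_burst", e["ip"], e["user"]))
    return alerts

if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print(*alert)
```

A single failed logon followed by success (the jsmith entries) is normal user behaviour and produces no alert; only the sustained failure run followed by a success is flagged.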