In late November, the Department of Justice indicted two Iranians over the use of SamSam ransomware, but there is unlikely to be any let-up in attacks.
Due to the high risk of continued SamSam ransomware attacks in the United States, the Department of Homeland Security (DHS) and the FBI have issued a fresh alert to critical infrastructure organizations about SamSam ransomware.
To date, there have been more than 200 SamSam ransomware attacks, most of which have been on organizations and businesses in the United States. The threat actors behind SamSam ransomware have received approximately $6 million in ransom payments and the attacks have resulted in more than $30 million in financial losses from computer system downtime.
The main methods of attack have been the use of the JexBoss Exploit Kit on vulnerable systems, and more recently, the use of Remote Desktop Protocol (RDP) to gain persistent access to systems. Access through RDP is achieved through the purchase of stolen credentials or brute force attacks.
Once access is gained, privileges are escalated to gain administrator rights. The threat actors then explore the network and deploy and execute the ransomware on as many devices as possible to maximize the disruption caused. A ransom demand is then placed on the desktop. Ransoms of between $5,000 and $50,000 are usually demanded, depending on the extent of encryption.
The FBI has analyzed the systems of many SamSam ransomware victims and has determined that, in many cases, there was earlier unauthorized network activity unrelated to the SamSam ransomware attacks. This suggests the SamSam ransomware threat actors have purchased stolen credentials that had previously been used by other threat actors.
“Detecting RDP intrusions can be challenging because the malware enters through an approved access point,” explained DHS/FBI in the report, but there are steps that can be taken to make systems more secure.
Summary of DHS/FBI Advice to Improve Network Security
- Audit the network for systems that use Remote Desktop Protocol for communications and disable RDP, if possible
- Close open RDP ports on cloud-based virtual machine instances with public IPs, especially port 3389, unless there is a valid reason for keeping ports open
- Adhere to cloud providers’ best practices for remote access to cloud-based VMs
- Locate all systems with open RDP ports behind firewalls and ensure VPNs are used to access those systems remotely
- Ensure third parties that require RDP access adhere to internal remote access policies
- Enforce the use of strong passwords
- Use multi-factor authentication, where possible
- Ensure software is kept up to date and patches are applied promptly
- Ensure all data are backed up regularly
- Implement logging mechanisms that capture RDP logins and retain logs for 90 days. Review logs regularly for attempted intrusions
- Where possible, disable RDP on critical devices and minimize network exposure for all control system devices
- Regulate and limit external-to-internal RDP connections
- Restrict user permissions, especially related to the use of unauthorized/unwanted software applications
- Use spam filtering technology to scan all email attachments and make sure the attachment extensions match file headers
- Disable file and printer sharing services where possible. If those services are required, use strong Active Directory authentication.
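As an added example (not part of the DHS/FBI alert or this article), the following Python script shows the kind of log review the logging item above calls for: it reads constructed RDP logon records shaped like Windows Security events 4624/4625 and flags brute-force runs, a success following repeated failures from the same source (the guessed- or stolen-credential pattern described earlier), and RDP logons arriving directly from outside the internal ranges. The record layout, the failure threshold and the internal address ranges are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample records: timestamp|event id|account|source IP|logon type, mirroring the
# fields of Windows Security events 4624 (logon success) and 4625 (failure). Logon type 10 is
# RemoteInteractive (RDP); with NLA, failures often appear as type 3, so widen the filter then.
SAMPLE_LOG = """\
2018-11-28T02:00:01|4625|administrator|203.0.113.45|10
2018-11-28T02:00:03|4625|administrator|203.0.113.45|10
2018-11-28T02:00:05|4625|admin|203.0.113.45|10
2018-11-28T02:00:07|4625|admin|203.0.113.45|10
2018-11-28T02:00:09|4625|backup|203.0.113.45|10
2018-11-28T02:00:11|4624|backup|203.0.113.45|10
2018-11-28T08:15:00|4624|jdoe|10.0.5.21|10
2018-11-28T09:30:00|4624|contractor|198.51.100.7|10
2018-11-28T09:31:00|4624|jdoe|10.0.5.22|3
"""

FAIL_THRESHOLD = 5  # assumed; tune to the environment's normal failure rate
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse(text):
    """Turn the pipe-separated records into dicts with typed fields."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, user, src, ltype = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "eid": int(eid),
                       "user": user, "src": src, "ltype": int(ltype)})
    return events


def analyze(events):
    """Return (finding, source_ip, account) tuples for suspicious RDP logon activity, in time order."""
    failures = defaultdict(int)  # failed RDP logons seen so far, per source IP
    findings = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["ltype"] != 10:
            continue  # not an RDP logon
        external = not any(ipaddress.ip_address(e["src"]) in net for net in INTERNAL_NETS)
        if e["eid"] == 4625:
            failures[e["src"]] += 1
            if failures[e["src"]] == FAIL_THRESHOLD:
                findings.append(("brute_force", e["src"], e["user"]))
        elif e["eid"] == 4624:
            if failures[e["src"]] >= FAIL_THRESHOLD:  # success after a run of failures:
                findings.append(("success_after_failures", e["src"], e["user"]))  # guessed/stolen creds
            elif external:  # direct external-to-internal RDP logon that did not come via the VPN
                findings.append(("external_rdp_logon", e["src"], e["user"]))
    return findings
```

In production the failure counter should be bounded by a time window and the source-IP test should account for the VPN concentrator's own address, so that legitimate VPN-routed sessions are not reported as external.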
Technical details of four SamSam (MSIL/Samas.A) ransomware variants have been released (Alert: AA18-337A) to help network defenders protect against attacks.