Threat Response: SamSam Ransomware

04-12-2018

Over the last few days, a lot of information regarding the SamSam ransomware attacks has made the news. This ransomware attack has made a lot of victims over the last couple of months. In this message, we want to inform you about the threats and the possible mitigations regarding the SamSam ransomware attacks.

Description

SamSam ransomware is a financially motivated attack, that has been active since the end of 2015. A well known attack was performed against the city of Atlanta earlier this year. Previous ransomware attacks had the intent to make as much victims as possible, and were mostly performed automatically using known exploits. However, the Samsam ransomware has a different approach, because it specifically targets its victims. Attackers actively search for gaps in the security of networks, after which they themselves continue to search for relevant machines and data at the victim. For example, they will look for backups saved on online machines, and delete these to make sure the victim cannot restore machines. Furthermore, they enumerate all files for encryption, instead of looking at the file extension and filtering the relevant files.

The attackers mostly exploit well known vulnerabilities. The common attack vector is by abusing access to (Windows) servers, for example using the Remote Desktop Protocol (RDP) or by attacking outdated Java-based webservers. Besides, brute force attacks or stolen credentials are sometimes used to gain access to a network. An example can be logging in to an FTP server using a default password.

When the attacker has gained access to a machine, they can continue to infect it with malware. After that, they will search for other targets without user interference.

Risk

When all machines in a network are running up to date software, and critical services are located behind a correctly set-up firewall, the risk of infection is low. However, when internet-facing machines that are remotely accessible are running vulnerable services, the risk of infection is increased. The risk is primarily based on the attack surface, which is defined by the access possibilities available to the attacker.

Mitigation

The risks accompanying SamSam ransomware can be mitigated using standard security measures (“best practices”), like:

  • Turn off RDP on any publicly available, internet-facing, machine. If this is really not possible, only make the service reachable using for example a VPN connection
  • Make sure to update all software to the most recent version
  • Do not use default passwords on any machine (FTP, routers, etc.)
  • Turn on two-factor authentication if possible
  • Save backup copies on offline machines

What will Northwave do?

The currently known Indicators of Compromise (IOCs) for SamSam ransomware are contained within the Northwave Detection Platform. If new IOCs arise, they will be added to the current set.

If you need additional information you can call us by phone or send us an email.

Phone number: 030-3031244 (during business hours)
E-mail: soc@northwave.nl

Sources

[1] https://www.us-cert.gov/ncas/alerts/AA18-337A

[2] https://news.sophos.com/en-us/2018/11/29/how-a-samsam-like-attack-happens-and-what-you-can-do-about-it/

[3] https://www.csoonline.com/article/3263693/security/samsam-ransomware-attacks-have-earned-nearly-850-000.html

[4] https://blog.malwarebytes.com/cybercrime/2018/05/samsam-ransomware-need-know/

Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.

Een vraag? Vraag het ons!

1 + 6 = ?

This contact form is deactivated because you refused to accept Google reCaptcha service which is necessary to validate any messages sent by the form.