March 22, 2018 is a date many city workers and citizens of Atlanta, Georgia, won’t be forgetting anytime soon. On that day ransomware shut down numerous city services and government offices. The culprit was a ransomware variant known as SamSam.
But this wasn’t the first time that SamSam had struck. In February, it forced the Colorado Department of Transportation to shut down 2,000 computers. In January, SamSam attacked city services in Farmington, New Mexico, and in Indiana it affected the healthcare systems at Adams Memorial Hospital and Hancock Health.
The cybercriminals behind the SamSam attacks aren’t just targeting government offices. In January 2018 they successfully hit an unnamed industrial control systems (ICS) company.
Security experts believe the SamSam attacks will continue, because they’re generating some serious cash. Hancock Health paid $55,000 (USD) to get its files and systems back, and it wasn’t the only one to do so. A Bitcoin account these hackers set up to accept ransom payments had a balance of more than $325,000 for the month of January 2018.
So how does SamSam work so well? We want to arm you with this knowledge so that you can better defend your business and avoid becoming the next victim.
SamSam is different from most ransomware
Ordinarily cybercriminals will send out phishing emails designed to lure recipients into clicking a link or opening an attachment. If the recipients fall for this, their computers will likely become infected with ransomware.
But SamSam is different. The cybercriminals use a business’s own servers to spread the ransomware.
They typically get in by exploiting one of the following:
- Unpatched software. Hackers scan servers connected to the Internet, looking for unpatched servers. When they find one, they exploit vulnerabilities to access the machine. In the very first SamSam attacks of 2016, a known vulnerability in servers running Red Hat’s JBoss software was exploited.
- Exposed connections. Cybercriminals scan the Internet looking for exposed server connections. In a series of SamSam attacks back in 2017, hackers exploited servers with exposed Remote Desktop Protocol (RDP) connections.
- Weak or stolen credentials. Hackers crack weak passwords or use compromised credentials to break into public-facing servers. That’s how they gained access to Hancock Health’s servers: they used credentials stolen from one of its vendors.
Once SamSam has been installed on a server, it doesn’t immediately start encrypting files. Instead, it infiltrates and installs itself on other computers across the network: it is self-spreading ransomware. The cybercriminals can then run batch scripts to execute the encryption code and hold the business to ransom.
Avoid becoming a victim
Awareness is the best defence, but so is a good offence. Here’s a short list of handy precautions that can go a long way towards preventing an infection:
- Keep all your operating systems up-to-date, on servers and workstations. Hackers like to take advantage of unpatched computers. Do not give a hacker the chance to exploit a known security vulnerability.
- Secure your RDP connections from being exploited by cybercriminals who want to access business servers. Deploy an RDP gateway or limit the number of users who can log in.
- Use strong passwords for all service and software accounts, making them harder for hackers to crack. Consider two-factor authentication. Implement an account lockout policy to thwart brute force password-cracking attacks.
- Use up-to-date security software to help guard against known ransomware attacks and other kinds of malware threats.
- Regularly back up files and systems, and ensure these backups can be successfully restored. This won’t prevent a SamSam attack, but it might save you from having to pay a ransom if one occurs.
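The RDP and account-lockout precautions above are easier to act on when you can see password-guessing as it happens. The following is an added example, not code from the original post or from any vendor it mentions: a small Python script that reads Windows Security log events in a simplified key=value export format (constructed here; real Event Viewer or SIEM exports are laid out differently) and flags any source address with five or more failed RDP logons (Event ID 4625, logon type 10) inside a ten-minute window, which is the kind of pattern an account lockout policy is meant to stop. The sample log lines, the field names and the thresholds are all assumptions made for the example.

```python
"""Flag password-guessing against RDP in exported Windows Security events.

Added example, not from the original post. The log format below is a
constructed simplification: one event per line, a timestamp followed by
key=value fields. Real exports (Event Viewer, a SIEM) use different layouts,
so adapt parse_line() before running this against your own data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. EventID 4625 = failed logon, 4624 = successful
# logon; LogonType 10 = RemoteInteractive, i.e. an RDP session.
SAMPLE_LOG = """\
2018-03-20T02:14:01Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2018-03-20T02:14:03Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2018-03-20T02:14:05Z EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2018-03-20T02:14:07Z EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.7
2018-03-20T02:14:09Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2018-03-20T02:14:11Z EventID=4625 LogonType=10 TargetUser=sqlsvc SourceIP=203.0.113.7
2018-03-20T02:30:00Z EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.20
2018-03-20T02:31:00Z EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.20
2018-03-20T08:00:00Z EventID=4625 LogonType=2 TargetUser=jdoe SourceIP=-
"""


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime."""
    ts, *fields = line.split()
    rec = {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def find_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: {"failures": n, "accounts": [...]}} for every source
    that produced at least `threshold` failed RDP logons within any sliding
    `window`. Failed logons of other types (console, service) are ignored."""
    failures = defaultdict(list)   # source IP -> list of (time, account)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("EventID") == "4625" and rec.get("LogonType") == "10":
            failures[rec["SourceIP"]].append((rec["time"], rec["TargetUser"]))

    flagged = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {
                    "failures": len(events),
                    # Distinct account names tried: many names from one source
                    # points at password spraying rather than a forgotten password.
                    "accounts": sorted({acct for _, acct in events}),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in find_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failed RDP logons, accounts tried: {info['accounts']}")
```

On the constructed sample only 203.0.113.7 is flagged: six failures in ten seconds across four account names. The single failure from 198.51.100.20 followed by a success looks like an ordinary typo and stays below the threshold, and the console logon failure (logon type 2) is ignored because it did not arrive over RDP. The same five-failures threshold can be enforced on the server itself with the built-in lockout policy, for example `net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30` on a Windows host (a standard command, not something taken from the post), which is the "account lockout policy" the list above recommends.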
We can analyse your IT environment and make specific recommendations on how to protect your business against SamSam and other types of ransomware. Together, we can develop a comprehensive plan that will help keep your business from becoming the next ransomware victim.