SamSam is ransomware that encrypts the files on a victim machine and drops a text file containing instructions to pay a ransom for decrypting them. SamSam is not new.

It first appeared in early 2016 and still draws the security community's attention regularly. Its developers make great efforts to cover their tracks.

Systems Affected

SamSam targets multiple industries, including some within critical infrastructure.

Threat Level

High


Description

Attackers exploit Windows servers to gain persistent access to a victim's network and infect all reachable hosts. They use Remote Desktop Protocol (RDP) to gain access to victims' networks, either through brute-force attacks or with stolen login credentials.

After gaining access to a network, the SamSam actors escalate privileges to obtain administrator rights, drop the malware onto the server, and run an executable file. Once it runs on a victim machine, it encrypts all files and leaves ransom notes on the encrypted computers. These notes direct victims to establish contact through a Tor hidden service site. After paying the ransom in Bitcoin and establishing contact, victims usually receive links to download cryptographic keys and tools to decrypt their network.

Solution / Workarounds

  • Disable the RDP service if it is not in use. Where it is required, keep it patched, place it behind a firewall, and ensure RDP users follow proper policies.
  • Regulate and limit external-to-internal RDP connections. When external access to internal resources is required, use secure methods such as VPNs.
  • Ensure that third parties that require RDP access follow internal policies on remote access.
  • Enforce strong password creation and account lockout policies to defend against brute-force attacks.
  • Apply two-factor authentication, where possible.
  • Regularly apply system and software updates.
  • Maintain a good back-up strategy. Perform regular backups of all critical information. Backups should be stored offline on separate devices.
  • Enable logging and ensure that logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days and review them regularly to detect intrusion attempts.
  • Minimize network exposure for all control system devices. Where possible, disable RDP on critical devices.
  • Restrict users' ability (permissions) to install and run unwanted software applications.
  • Scan for and remove suspicious email attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
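The RDP logging recommendation above is only useful if the logs are actually reviewed. The following is an added example, not part of the original advisory, of the kind of review a defender can script: it runs over constructed records modelled on Windows Security events (4625 failed logon, 4624 successful logon, LogonType 10 for RDP) and flags a source address with a burst of failed RDP logons, noting whether a logon from that source later succeeded. The usernames, addresses and timestamps are hypothetical sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows Security log fields (hypothetical
# users and IPs, not taken from the advisory). Event ID 4625 = failed logon,
# 4624 = successful logon; LogonType 10 = RemoteInteractive, i.e. an RDP session.
SAMPLE_EVENTS = [
    ("2019-05-20T01:00:05", 4625, 10, "administrator", "203.0.113.7"),
    ("2019-05-20T01:00:09", 4625, 10, "administrator", "203.0.113.7"),
    ("2019-05-20T01:00:14", 4625, 10, "admin", "203.0.113.7"),
    ("2019-05-20T01:00:20", 4625, 10, "backup", "203.0.113.7"),
    ("2019-05-20T01:00:27", 4625, 10, "backup_admin", "203.0.113.7"),
    ("2019-05-20T01:00:33", 4625, 10, "backup_admin", "203.0.113.7"),
    ("2019-05-20T01:00:40", 4624, 10, "backup_admin", "203.0.113.7"),
    ("2019-05-20T02:15:00", 4625, 10, "jsmith", "198.51.100.9"),   # one typo, then success
    ("2019-05-20T02:15:30", 4624, 10, "jsmith", "198.51.100.9"),
    ("2019-05-20T03:00:00", 4624, 3, "svc_backup", "10.0.0.5"),    # network logon, not RDP
]

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with >= threshold failed RDP logons inside a sliding window.

    Returns {src_ip: {"failures": peak_count, "success_user": user_or_None}}, where
    success_user records an RDP logon that succeeded from the same source after the
    burst, the pattern of a password-guessing attack that eventually worked.
    """
    rdp = sorted((e for e in events if e[2] == 10), key=lambda e: e[0])  # ISO timestamps sort as text
    recent = defaultdict(deque)   # src_ip -> timestamps of failures still inside the window
    alerts = {}
    for ts, event_id, _, user, src in rdp:
        t = datetime.fromisoformat(ts)
        if event_id == 4625:
            q = recent[src]
            q.append(t)
            while q and t - q[0] > window:   # expire failures older than the window
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(src, {"failures": 0, "success_user": None})
                a["failures"] = max(a["failures"], len(q))
        elif event_id == 4624 and src in alerts:
            alerts[src]["success_user"] = user   # success following a burst: investigate
    return alerts

if __name__ == "__main__":
    for src, a in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"ALERT {src}: {a['failures']} failed RDP logons; success as {a['success_user']}")
```

A lockout policy (as recommended above) would normally stop the burst before the success event; a source that still reaches a successful logon after many failures is worth treating as a possible credential compromise rather than a user typo.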

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.
