It first appeared in early 2016 and continues to draw the security community’s attention. Its developers make great efforts to cover their tracks.
SamSam targets multiple industries, including some within critical infrastructure.
Attackers exploit Windows servers to gain persistent access to a victim’s network and infect all reachable hosts. They use Remote Desktop Protocol (RDP) to gain access to victims’ networks, either through brute-force attacks or with stolen login credentials.
After gaining access to a network, the SamSam actors escalate privileges to obtain administrator rights, drop the malware onto the server, and run an executable file. Once it has access to a victim machine, it encrypts all files and leaves ransom notes on the encrypted computers. These notes direct victims to establish contact through a Tor hidden service site. After paying the ransom in Bitcoin and establishing contact, victims usually receive links to download cryptographic keys and tools to decrypt their network.
- Disable the RDP service if it is not in use. Where it is required, keep it patched, place it behind a firewall, and ensure that RDP users follow proper policies.
- Regulate and limit external-to-internal RDP connections. When external access to internal resources is required, use secure methods such as VPNs.
- Ensure that third parties that require RDP access follow internal policies on remote access.
- Enforce strong password policies and account lockout to defend against brute-force attacks.
- Apply two-factor authentication, where possible.
- Regularly apply system and software updates.
- Maintain a good back-up strategy. Perform regular backups of all critical information. Backups should be stored offline on separate devices.
- Enable logging and ensure that logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days and review them regularly to detect intrusion attempts.
- Minimize network exposure for all control system devices. Where possible, disable RDP on critical devices.
- Restrict users' ability (permissions) to install and run unwanted software applications.
- Scan for and remove suspicious email attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
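The logging recommendation above can be turned into a routine review. The following PowerShell script is an added example, not part of the advisory: it reads the Windows Security log on a server, flags source addresses with repeated failed logons (Event ID 4625, the pattern an RDP brute-force attempt leaves) and lists successful remote-interactive logons (Event ID 4624 with LogonType 10) for comparison against the expected administrators. The look-back window and failure threshold are assumed values; adjust them to the environment.

```powershell
# Added example (not from the advisory): summarise RDP logon activity from the
# Windows Security log. Run in an elevated PowerShell session on the host being reviewed.
param(
    [int]$Hours = 24,       # look-back window (assumed value)
    [int]$Threshold = 20    # failed logons per source address that warrant review (assumed value)
)

$since = (Get-Date).AddHours(-$Hours)

# Pull a named field out of an event's EventData block.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Failed logons (4625): group by source address and flag sources above the threshold.
# RDP failures may be recorded with LogonType 3 (NLA) or 10, so no logon-type filter is applied here.
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue
$failed |
    ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Source = Get-EventField $_ 'IpAddress'      # "-" when no network address was recorded
            User   = Get-EventField $_ 'TargetUserName'
        }
    } |
    Group-Object Source |
    Where-Object { $_.Count -ge $Threshold } |
    ForEach-Object {
        $users = ($_.Group.User | Sort-Object -Unique) -join ', '
        Write-Output ("REVIEW: {0} failed logons from {1} (accounts tried: {2})" -f $_.Count, $_.Name, $users)
    }

# Successful RDP logons (4624 with LogonType 10 = RemoteInteractive). Compare each line
# against the list of administrators and source addresses that are expected to use RDP.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'LogonType') -eq '10' } |
    ForEach-Object {
        $domain = Get-EventField $_ 'TargetDomainName'
        $user   = Get-EventField $_ 'TargetUserName'
        $source = Get-EventField $_ 'IpAddress'
        Write-Output ("RDP LOGON: {0} {1}\{2} from {3}" -f $_.TimeCreated, $domain, $user, $source)
    }
```

Scheduling this daily and keeping its output alongside the raw logs satisfies the 90-day retention point above while giving reviewers a short list to act on.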
The information provided herein is on "as is" basis, without warranty of any kind.