SamSam Is on the Loose and Headed for a Server Near You

In March 2018, the SamSam ransomware ravaged Atlanta’s computer systems, bringing many city services to a halt. This wasn’t the first time hackers used this ransomware to wreak havoc and it won’t be the last. Learn how SamSam differs from most other ransomware.

Many city workers and citizens in Atlanta, Georgia, won’t soon forget March 22, 2018. On that day ransomware shut down many of the city’s online services and even some government offices. The culprit was a ransomware variant known as SamSam.

This was not the first time SamSam struck in 2018. In February, it forced the Colorado Department of Transportation to shut down 2,000 computers. A month earlier, SamSam stopped city services in Farmington, New Mexico as well as halted healthcare systems at Adams Memorial Hospital and Hancock Health in Indiana.

The cybercriminals behind the SamSam attacks are not just targeting government and healthcare organizations. They are also attacking businesses, including an unnamed industrial control systems (ICS) company in January 2018.

Unfortunately, security experts believe that the SamSam attacks will continue because they are bringing in big bucks. Hancock Health paid $55,000 (USD) to get its files and systems back. And it wasn’t the only organization to give into the hackers’ demands. One Bitcoin account that hackers set up to accept ransom payments had a balance of more than $325,000 in the month of January 2018 alone. Plus, they likely have set up other Bitcoin accounts for that purpose.

Since SamSam is here to stay, it is a good idea to know how this ransomware works. Armed with this knowledge, you can better defend your business so that it does not become the next victim.

How SamSam Differs from Most Ransomware

To spread ransomware, cybercriminals often send out phishing emails. These emails use a convincing pretense to lure recipients into performing an action, such as clicking a link or opening an attachment. If the recipients fall for the ruse, their computers will likely become infected with ransomware.

In contrast, cybercriminals use organizations’ servers to spread SamSam. This is achieved by exploiting:

• Unpatched software. Hackers scan servers connected to the Internet, looking for unpatched servers. When they find one, they exploit the vulnerability to access the machine. For example, in the very first SamSam attacks in 2016, cybercriminals sought and exploited a known vulnerability in servers running Red Hat’s JBoss software.
• Exposed connections. Cybercriminals scan servers connected to the Internet, looking for exposed connections. When they find one, they use it to access the machine. For instance, hackers sought and exploited servers with exposed Remote Desktop Protocol (RDP) connections in a series of SamSam attacks in 2017. (RDP is a remote management tool developed by Microsoft.)
• Weak or stolen credentials. Hackers crack weak passwords or use compromised credentials to break into public-facing servers. For example, cybercriminals used a vendor’s stolen credentials to gain entrance to one of Hancock Health’s servers.

Once the hackers have control of a company’s server, they install SamSam. This ransomware does not immediately start encrypting files, though. Instead, it finds, infiltrates, and installs itself on more computers in the network. In other words, it is self-spreading ransomware. After SamSam has been installed on machines throughout the network, cybercriminals run batch scripts to execute the encryption code in the ransomware and present the victim with a ransom note.

Ways to Avoid Becoming the Next Victim

The best defense against SamSam is a good offense. Taking several precautions can go a long way in preventing an infection:

• Keep all software, including the operating system, up-to-date on each server and workstation in your business. Hackers like to take advantage of unpatched computers. Do not give them that opportunity.
• Secure RDP. While helpful for IT administrators, RDP can be exploited by cybercriminals who want to access businesses’ servers. There are several ways to prevent this, such as deploying an RDP gateway and limiting the number of users who can log in using RDP.
• Use strong passwords for the service and software accounts on your servers. This will make it harder for hackers to crack passwords. Even better, use two-factor authentication when possible and implement an account lockout policy to thwart brute force password-cracking attacks.
• Use security software, even on your servers. It can help guard against known ransomware attacks and other kinds of malware threats.
• Regularly back up files and systems, and make sure the backups can be successfully restored. Although this will not prevent a SamSam attack, you won’t have to pay the ransom if one occurs.

We can analyze your IT environment and make specific recommendations on how to protect your business against SamSam and other types of ransomware. Together, we can develop a comprehensive plan that will help keep your business from becoming the next ransomware victim.