Samsam Ransomware – Attack Strategy & Preventive Measures

In 2018 there has been a sudden increase in Samsam ransomware attacks. The virus first made an appearance targeting vulnerabilities in JBoss, hitting organizations in the education and healthcare sectors. Later it targeted single-factor external access such as RDP or VPN, as well as vulnerable FTP platforms, and Microsoft’s IIS.

The most Recent victim, The City of Atlanta, has suffered Samsam ransomware attack on 22 March 2018. The city has RDP exposed to the public, as well as VPN gateways, FTP servers, and IIS installations. Most of them have SMBv1 enabled, making the task of spreading the ransomware easier.

Strategy Used in Samsam

In the past, ransomware like CryptoLocker and Peta required someone to open an email attachment or visit a site but Samsam targets vulnerable servers. Those are always up and always potentially vulnerable. The new method of attack is highly effective going undetected and cause maximum damage as used by Samsam. Samsam is not a stock ransomware variant but is instead a customized strain used in targeted attacks. Unlike traditional ransomware samples that rely on credulous users to click on a malware-infected email attachment or visit a booby-trapped website, this new breed of ransomware is installed once attackers have exploited unpatched server vulnerabilities.

SamSam hackers are known to scan the internet for open RDP connections and break into networks leveraging either weak passwords or with brute force attacks on these endpoints.  The goal is to spread to other devices and computers on the network. Once a network has been breached, the ransomware spreads through the local network to infect additional computers. Unlike other ransomware campaigns, there is no need for any user action such as clicking on a certain link or opening a malicious attachment for the infection to take place. The attackers can trigger the ransomware remotely once it has found a vulnerability in the server and penetrated the network.

Samsam already highlighted Q1 2018 by its attacks and ransom collected.

Below organizations suffered the attack

• The municipality of Farmington, NM – 3 January
• Adams memorial hospital – 11 January
• Allscripts Software Company – 18 January
• Davidson country NC – 16 February
• Colorado Department of transportation suffer multiple attacks on 21 February and 1 March
• City of Atlanta – 22 March

As per estimated the Samsam ransomware alone has collected nearly 98.5 BTC. However, because the market is constantly changing, the actual value of the ransoms paid will go up or down.

This is an advancement of ransomware from what we have seen in the course of the most recent year. We have gone from aimless focusing on individuals via email to entire industries targeted via unpatched server vulnerabilities. As Samsam can traverse the network without human intervention the prevention part has become more critical.

What we can do for prevention

• Organizations need to invest in smarter, stronger endpoint security that has the ability to block not just executables, but malicious activity in real-time.
• The Passwords should be strong and should limit the number of attempts allowed by a user to get into a system.
• SamSam can be halted if identified before it gets into a server, yet “once it’s spread: it’s finished.”

• Restrict access to firewalls and by using an RDP Gateway, VPNs.
• Execute an account lockout strategy to help thwart brute force attacks.