The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have issued an alert for SamSam ransomware to describe how hackers armed with SamSam targeted multiple industries.
The U.S. Justice Department has charged two Iranian nationals as the masterminds behind the recent SamSam ransomware attacks. The cyber kidnappers behind SamSam ransomware attacks in Atlanta and Colorado earlier this year have hit nearly 70 organizations in 2018.
A typical SamSam Ransomware attack
- The actors exploit Windows servers to gain access to the network and infect all reachable hosts.
- Cyber actors use the JexBoss Exploit Kit to access vulnerable JBoss applications.
- Cyber actors use Remote Desktop Protocol (RDP) to gain persistent access to victims’ networks.
- The hackers typically use brute force attacks or stolen login credentials. Detecting RDP intrusions can be challenging because the malware enters through an approved access point.
- After gaining access to a particular network, the SamSam actors escalate privileges to obtain administrator rights, drop malware onto the server, and run an executable file, all without the victim's authorization.
How to defend against SamSam Ransomware Attacks
The federal agencies recommend that organizations take these steps to mitigate the risk of infection.
- Audit the network for systems that use RDP for remote communication. Disable the service where it is not needed, and install available patches where it is.
- Verify that all cloud-based virtual machine instances with public IPs have no open RDP ports (specifically TCP port 3389), unless there is a valid business reason to keep them open. Place any system with an open RDP port behind a firewall and require users to connect through a virtual private network (VPN) to reach it.
- Enable strong passwords and account lockout policies to defend against brute force attacks.
- Apply two-factor authentication, where possible.
- Apply system and software updates, regularly.
- Maintain a good backup and recovery strategy.
- Enable logging and ensure that logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days and review them regularly to detect intrusion attempts.
- For cloud-based virtual machines, adhere to the provider’s best practices for remote access.
- Ensure that third parties that require RDP access follow internal policies on remote access.
- Minimize network exposure for all control system devices. Disable RDP on critical devices, if possible.
- Regulate and limit external-to-internal RDP connections. When external access to internal resources is required, use VPN.
- Restrict user permissions to install and execute software applications.
- Scan for and remove suspicious email attachments.
- Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory (AD) authentication.
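The attack description above notes that an RDP intrusion is hard to spot because the final logon arrives through an approved access point, and the mitigation list asks for RDP logins to be logged and reviewed regularly. The following script is an added example, not code from the DHS/FBI alert, of what that review can look like when it is automated: it correlates Windows Security events (4625 failed logon, 4624 successful logon, with the LogonType field) per source address, flags a burst of failures, flags a success that follows such a burst from the same source, and flags any successful RDP session from an address outside the networks that are supposed to reach RDP. The event records and the allowed VPN/jump-host ranges are constructed for the example; the threshold and window are assumptions to tune to your environment.

```python
"""Review Windows Security events for RDP intrusion patterns.

Added example for this page, not from the DHS/FBI alert. Checks:
  1. a burst of failed logons (event 4625) from one source address;
  2. a successful RDP logon (event 4624, logon type 10) from a source
     that just produced such a burst, i.e. the guess that worked;
  3. any successful RDP logon from a source outside the networks that
     are supposed to reach RDP (VPN pool / jump hosts).
Event records and network ranges below are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumed: RDP should only be reachable from the VPN pool and a jump-host subnet.
ALLOWED_RDP_SOURCES = [ipaddress.ip_network("10.200.0.0/16"),
                       ipaddress.ip_network("10.10.5.0/24")]

# LogonType 10 = RemoteInteractive (RDP session). With NLA enabled, failed RDP
# attempts are commonly recorded as type 3 (Network), so both are considered.
RDP_LOGON_TYPES = {10, 3}
FAIL_THRESHOLD = 5            # assumption: failures per source within WINDOW
WINDOW = timedelta(minutes=10)

# Constructed sample events in the shape of Security-log fields
# (EventID, TargetUserName, IpAddress, LogonType).
SAMPLE_EVENTS = [
    # password guessing from an internet address against the built-in admin
    {"time": "2018-11-20T02:00:01", "id": 4625, "user": "administrator", "src": "203.0.113.7", "logon_type": 3},
    {"time": "2018-11-20T02:00:04", "id": 4625, "user": "administrator", "src": "203.0.113.7", "logon_type": 3},
    {"time": "2018-11-20T02:00:09", "id": 4625, "user": "administrator", "src": "203.0.113.7", "logon_type": 3},
    {"time": "2018-11-20T02:00:15", "id": 4625, "user": "administrator", "src": "203.0.113.7", "logon_type": 3},
    {"time": "2018-11-20T02:00:22", "id": 4625, "user": "administrator", "src": "203.0.113.7", "logon_type": 3},
    {"time": "2018-11-20T02:00:31", "id": 4625, "user": "administrator", "src": "203.0.113.7", "logon_type": 3},
    # the guess that worked: on its own this looks like an approved logon
    {"time": "2018-11-20T02:00:40", "id": 4624, "user": "administrator", "src": "203.0.113.7", "logon_type": 10},
    # a normal admin session over the VPN
    {"time": "2018-11-20T08:15:00", "id": 4624, "user": "jsmith", "src": "10.200.3.14", "logon_type": 10},
    # one mistyped password by a VPN user, well below the threshold
    {"time": "2018-11-20T08:16:00", "id": 4625, "user": "ops", "src": "10.200.3.15", "logon_type": 3},
    {"time": "2018-11-20T08:16:20", "id": 4624, "user": "ops", "src": "10.200.3.15", "logon_type": 10},
    # a local console logon (type 2) is not RDP and is ignored
    {"time": "2018-11-20T09:00:00", "id": 4624, "user": "svc_backup", "src": "-", "logon_type": 2},
]


def _allowed_source(src):
    """True if src lies inside one of the networks allowed to reach RDP."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:            # placeholders such as "-" are not an allowed source
        return False
    return any(addr in net for net in ALLOWED_RDP_SOURCES)


def detect_rdp_intrusions(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return a list of alert dicts, ordered by the time of the triggering event."""
    alerts = []
    fails_by_src = defaultdict(list)   # src -> timestamps of recent 4625 events
    burst_flagged = set()              # sources already reported for the current burst

    for ev in sorted(events, key=lambda e: e["time"]):   # ISO-8601 strings sort chronologically
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        t = datetime.fromisoformat(ev["time"])
        src = ev["src"]
        # keep only the failures that fall inside the sliding window
        recent = [f for f in fails_by_src[src] if t - f <= window]

        if ev["id"] == 4625:
            recent.append(t)
            if len(recent) >= threshold and src not in burst_flagged:
                burst_flagged.add(src)
                alerts.append({"kind": "rdp_bruteforce", "src": src, "failures": len(recent),
                               "user": ev["user"], "time": ev["time"]})
        elif ev["id"] == 4624 and ev["logon_type"] == 10:
            if len(recent) >= threshold:
                # the success only stands out when correlated with the preceding failures
                alerts.append({"kind": "rdp_success_after_bruteforce", "src": src,
                               "failures": len(recent), "user": ev["user"], "time": ev["time"]})
                recent = []                 # a new burst has to start from zero
                burst_flagged.discard(src)
            if not _allowed_source(src):
                alerts.append({"kind": "rdp_from_unexpected_source", "src": src,
                               "user": ev["user"], "time": ev["time"]})
        fails_by_src[src] = recent
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_intrusions(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, the script raises three alerts, all for 203.0.113.7: the burst of failures, the administrator logon that followed it, and the fact that the session came from outside the VPN ranges. The single mistyped password over the VPN and the console logon produce nothing. In production the events would come from the Security log (or a SIEM export) rather than the inline list, and the third check is the one that keeps working even when the attacker uses stolen credentials and never trips the failure threshold, which is why the alert pairs logging with restricting where RDP can be reached from.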
Recent data suggest that ransomware attacks remain prevalent. IT providers report that more than 75 percent of their customers have experienced ransomware attacks, and managed service providers serving small and mid-size businesses have become targets themselves.