DHS/FBI Issue Fresh Warning About SamSam Ransomware

Dec 12, 2018


In late November, the Department of Justice indicted two Iranians over the use of SamSam ransomware, but there is unlikely to be any slowdown in attacks.

Because of the high risk of continued SamSam ransomware attacks in the United States, the Department of Homeland Security (DHS) and the FBI have issued a fresh warning to critical infrastructure organizations regarding SamSam ransomware.

To date, there have been over 200 SamSam ransomware attacks, most of which have been on companies and organizations in the United States. The threat actors behind SamSam ransomware have received roughly $6 million in ransom payments, and the attacks have led to over $30 million in financial losses from computer system downtime.

The main attack vectors have been the use of the JexBoss Exploit Kit against vulnerable systems and, more recently, the use of Remote Desktop Protocol (RDP) to gain persistent access to systems. Access via RDP is obtained by purchasing stolen credentials or through brute force attacks.

Once access is gained, privileges are escalated to obtain administrator rights. The threat actors then search the network and install and execute the ransomware on as many devices as possible to maximize disruption. A ransom demand is then placed on the desktop. Ransoms of between $5,000 and $50,000 are typically demanded, depending on the extent of encryption.

The FBI has studied the systems of numerous SamSam ransomware victims and has determined that in several cases there had been earlier unauthorized network activity unconnected to the SamSam ransomware attacks. This indicates that the SamSam threat actors have bought stolen credentials that had previously been used by other threat actors.

“Finding RDP incursions can be demanding since the malware enters through a permitted access point,” DHS/FBI explained in the alert. However, there are measures that can be taken to make systems more secure.

Summary of DHS/FBI Guidance to Improve Network Safety

  • Audit the network for systems that use Remote Desktop Protocol for communication and disable RDP where possible
  • Close open RDP ports on cloud-based virtual machine instances with public IPs, particularly port 3389, unless there is a legitimate reason for keeping the ports open
  • Follow cloud providers’ best practices for remote access to cloud-based VMs
  • Place all systems with open RDP ports behind firewalls and require a VPN for remote access to those systems
  • Ensure that third parties that require RDP access follow internal remote access policies
  • Enforce the use of strong passwords
  • Use multi-factor authentication where possible
  • Keep software up to date and apply patches promptly
  • Ensure all data are backed up regularly
  • Implement logging that captures RDP logins and retain the logs for 90 days. Review the logs regularly for intrusion attempts
  • Where possible, disable RDP on critical devices and minimize network exposure for all control system devices
  • Regulate and restrict external-to-internal RDP connections
  • Restrict user permissions, particularly with respect to the installation and use of unauthorized or unwanted software applications
  • Use spam filtering technology to scan all email attachments and ensure that attachment extensions match file headers
  • Disable file and printer sharing services where possible. If those services are required, use strong Active Directory authentication.
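As an added illustration of the logging and log-review recommendation above (example code, not part of the DHS/FBI alert): a small detector that reads constructed Windows Security log lines and flags a source IP that makes repeated failed RDP logons in a short window, then notes whether a successful logon followed. The CSV-style export format, the sample lines and the threshold are assumptions.

```python
# Added example (not from the DHS/FBI alert): flag RDP brute-force patterns in a
# simplified export of Windows Security events. The assumed line format is
# "timestamp,event_id,logon_type,user,source_ip"; all sample lines are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Event 4625 = failed logon, 4624 = successful logon; logon type 10 = RDP
# (RemoteInteractive). Constructed sample data, not real log output.
SAMPLE_LOG = """\
2018-12-10T02:14:01,4625,10,administrator,203.0.113.7
2018-12-10T02:14:03,4625,10,admin,203.0.113.7
2018-12-10T02:14:05,4625,10,backup,203.0.113.7
2018-12-10T02:14:07,4625,10,administrator,203.0.113.7
2018-12-10T02:14:09,4625,10,administrator,203.0.113.7
2018-12-10T02:14:12,4624,10,administrator,203.0.113.7
2018-12-10T09:30:00,4625,10,jsmith,10.0.0.25
2018-12-10T09:31:00,4624,10,jsmith,10.0.0.25
2018-12-10T09:35:00,4625,2,jsmith,10.0.0.25
"""

def parse(log_text):
    """Turn each export line into (timestamp, event_id, logon_type, user, ip)."""
    events = []
    for line in log_text.splitlines():
        ts, eid, ltype, user, ip = line.split(",")
        events.append((datetime.fromisoformat(ts), int(eid), int(ltype), user, ip))
    return events

def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: {"failures": n, "success_after": bool}} for every IP
    with at least `threshold` failed RDP logons inside a sliding `window`."""
    failures = defaultdict(list)   # ip -> timestamps of recent type-10 4625 events
    alerts = {}
    for ts, eid, ltype, user, ip in sorted(parse(log_text)):
        if ltype != 10:
            continue               # only RDP (RemoteInteractive) logons are of interest
        if eid == 4625:
            failures[ip].append(ts)
            failures[ip] = [t for t in failures[ip] if ts - t <= window]
            if len(failures[ip]) >= threshold:
                alerts.setdefault(ip, {"failures": 0, "success_after": False})
                alerts[ip]["failures"] = len(failures[ip])
        elif eid == 4624 and ip in alerts:
            alerts[ip]["success_after"] = True   # guessing likely succeeded
    return alerts

if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failed RDP logons, success after: {info['success_after']}")
```

On real systems the same logic applies to Security event exports (for example from Get-WinEvent or a SIEM), with the threshold and window tuned to the environment's normal logon failure rate.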

Technical details of four SamSam (MSIL/Samas.A) ransomware variants have been released (Alert: AA18-337A) to help network defenders protect against attacks.