In late November, the Department of Justice indicted two Iranian threat actors over the use of SamSam ransomware. However, the Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) are warning organisations that the threat of further SamSam attacks on US organisations still looms large.
The SamSam ransomware group exploits vulnerabilities and conducts brute force remote desktop protocol (RDP) attacks to gain access to systems, then investigates networks and moves laterally before manually deploying ransomware on as many computers as possible.
There are over 200 SamSam ransomware attacks on record. The threat actors behind SamSam ransomware have received approximately $6 million in ransom payments and the attacks have resulted in more than $30 million in financial losses from computer system downtime.
The malware was brought to the forefront of public attention when it was used to cripple the City of Atlanta in an attempt to extort tens of thousands of dollars from the local government earlier this year. The clean-up costs of the attack on the City of Atlanta are expected to be in excess of $10 million.
In addition to the infamous attack on the City of Atlanta, the gang has targeted the cities of Newark and New Jersey, the Colorado Department of Transportation, and the Port of San Diego. Healthcare industry victims include Hancock Health, Adams Memorial Hospital, Kansas Heart Hospital, Allied Physicians of Michiana, Cass Regional Medical Center, Nebraska Orthopedic Hospital, LabCorp of America, Allscripts, and MedStar Health.
The main methods of attack have been the use of the JexBoss Exploit Kit on vulnerable systems, and more recently, the use of Remote Desktop Protocol (RDP) to gain persistent access to systems. Access through RDP is achieved through the purchase of stolen credentials or brute force attacks.
Once access is gained, privileges are escalated to gain administrator rights. The threat actors then explore the network and deploy and execute the ransomware on as many devices as possible to maximize the disruption caused. A ransom demand is then placed on the desktop. Ransoms of between $5,000 and $50,000 are usually demanded, depending on the extent of encryption.
Analysis completed by the FBI on the systems of many SamSam ransomware victims has revealed that, in many cases, there had been previous unauthorized network activity unrelated to the SamSam ransomware attacks. This suggests the SamSam ransomware threat actors have purchased stolen credentials that had previously been used by other threat actors.
“Detecting RDP intrusions can be challenging because the malware enters through an approved access point,” explained DHS/FBI in the report, but there are steps that can be taken to make systems more secure.
Summary of DHS/FBI Advice to Improve Network Security
- Audit the network for systems that use Remote Desktop Protocol for communications and disable RDP, if possible
- Close open RDP ports on cloud-based virtual machine instances with public IPs, especially port 3389, unless there is a valid reason for keeping ports open
- Adhere to cloud providers’ best practices for remote access to cloud-based VMs
- Locate all systems with open RDP ports behind firewalls and ensure VPNs are used to access those systems remotely
- Ensure third parties that require RDP access adhere to internal remote access policies
- Enforce the use of strong passwords
- Use multi-factor authentication, where possible
- Ensure software is kept up to date and patches are applied promptly
- Ensure all data are backed up regularly
- Implement logging mechanisms that capture RDP logins and retain logs for 90 days. Review logs regularly for attempted intrusions
- Where possible, disable RDP on critical devices and minimize network exposure for all control system devices
- Regulate and limit external-to-internal RDP connections
- Restrict user permissions, especially related to the use of unauthorized/unwanted software applications
- Use spam filtering technology to scan all email attachments and make sure the attachment extensions match file headers
- Disable file and printer sharing services where possible. If those services are required, use strong Active Directory authentication.
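As an added example of the log-review step in the list above (this is not code from the alert or from this article), the following Python script checks a constructed CSV export of Windows Security logon events, flags any source address with a burst of failed RDP logons, and notes whether a logon from that source succeeded afterwards. The export format, the five-failure threshold and the ten-minute window are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (not from the alert): "timestamp,event_id,logon_type,account,source_ip"
# per Windows Security event. 4625 = failed logon, 4624 = successful logon; logon type 10 = RDP.
SAMPLE_LOG = """\
2018-12-03T01:00:05,4625,10,administrator,198.51.100.7
2018-12-03T01:00:06,4625,10,admin,198.51.100.7
2018-12-03T01:00:07,4625,10,administrator,198.51.100.7
2018-12-03T01:00:08,4625,10,backup,198.51.100.7
2018-12-03T01:00:09,4625,10,administrator,198.51.100.7
2018-12-03T01:00:10,4625,10,administrator,198.51.100.7
2018-12-03T01:00:15,4624,10,administrator,198.51.100.7
2018-12-03T08:15:00,4624,10,jsmith,10.0.0.12
2018-12-03T08:16:00,4625,10,jsmith,10.0.0.12
2018-12-03T09:00:00,4625,3,svc_backup,10.0.0.40
"""

LINE_RE = re.compile(r"^(?P<ts>\S+),(?P<eid>\d+),(?P<ltype>\d+),(?P<user>[^,]+),(?P<ip>[\d.]+)$")


def parse_events(text):
    """Parse the export into dicts, keeping only RDP (logon type 10) logon events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m["ltype"] == "10":
            events.append({"ts": datetime.fromisoformat(m["ts"]), "eid": int(m["eid"]),
                           "user": m["user"], "ip": m["ip"]})
    return events


def find_rdp_bruteforce(text, threshold=5, window=timedelta(minutes=10)):
    """Map source_ip -> finding for sources with >= threshold failed RDP logons inside `window`."""
    by_ip = defaultdict(list)
    for ev in parse_events(text):
        by_ip[ev["ip"]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["eid"] == 4625]
        for start in fails:  # slide the window forward from each failure
            burst = [f for f in fails if start["ts"] <= f["ts"] <= start["ts"] + window]
            if len(burst) >= threshold:
                last = burst[-1]["ts"]  # a success after the burst suggests the guessing worked
                findings[ip] = {"failures": len(burst),
                                "accounts": sorted({f["user"] for f in burst}),
                                "success_after_burst": any(e["eid"] == 4624 and e["ts"] > last for e in evs)}
                break
    return findings
```

Only 198.51.100.7 is reported: the single failure from 10.0.0.12 stays under the threshold, and the logon-type-3 event from 10.0.0.40 is not an RDP session.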
Technical details of four SamSam (MSIL/Samas.A) ransomware variants have been released (Alert: AA18-337A) to help network defenders protect against attacks.