The Department of Homeland Security and the Federal Bureau of Investigation issued a security alert warning that bad actors are using SamSam ransomware to target industries across the United States and worldwide.
Impacted industries include critical infrastructure, since the likelihood that a victim pays the ransom may be greater for organizations that provide essential services.
According to previous FBI analysis going back to 2016, the bad actors exploit Remote Desktop Protocol (RDP) on Windows servers to gain persistent access to a victim's network and then infect other reachable hosts. They typically obtain that RDP access through brute-force attacks or stolen login credentials.
“After gaining access to a particular network, the SamSam actors escalate privileges for administrator rights, drop malware onto the server, and run an executable file, all without victims’ action or authorization. While many ransomware campaigns rely on a victim completing an action, such as opening an email or visiting a compromised website, RDP allows cyber actors to infect victims with minimal detection,” as noted in the US-CERT alert.
SamSam actors typically demand a ransom payment to decrypt the files. After victims make the payment (in Bitcoin), they usually receive a link to download tools and cryptographic keys that can be used to decrypt the data on their network.
Quite a few mitigations are recommended to thwart potential SamSam attacks, including: ensuring no RDP ports are exposed to the public internet; requiring a VPN for external-to-internal RDP access; two-factor authentication for RDP access; strong passwords; enforced account lockout policies; and logging and monitoring of RDP access, just to name a few.
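The logging and monitoring recommendation above pays off when the monitoring actually looks for the access pattern the alert describes: a burst of failed RDP logons from one source, followed by a success. The following Python script is an added example, not code from the alert or from DHS/FBI; it runs over constructed sample events in a simplified, assumed `timestamp key=value ...` format (a real export from the Windows Security log or a SIEM would need its own parser). The event IDs 4625 (failed logon), 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are the real Windows auditing values; the threshold and window are tuning assumptions.

```python
"""Flag RDP brute-force patterns in Windows Security log events.

Added example (not part of the DHS/FBI alert): counts failed RDP logons
(event 4625, logon type 10) per source address inside a sliding window and
marks a source as having likely succeeded when an RDP success (event 4624)
from the same address follows the burst.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = "4625"       # Windows Security: an account failed to log on
SUCCESSFUL_LOGON = "4624"   # Windows Security: an account was successfully logged on
RDP_LOGON_TYPE = "10"       # RemoteInteractive (Terminal Services / RDP)

WINDOW = timedelta(minutes=5)   # tuning assumption
THRESHOLD = 10                  # failures per source within WINDOW (tuning assumption)

# Constructed sample log in an assumed simplified format. 203.0.113.7 hammers
# many usernames and finally logs in as svc_backup; 198.51.100.4 is a normal
# administrator with one typo; the LogonType=2 line is a console logon, not RDP.
SAMPLE_LOG = """\
2018-11-20T01:00:01Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2018-11-20T01:00:05Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2018-11-20T01:00:09Z EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7
2018-11-20T01:00:14Z EventID=4625 LogonType=10 TargetUserName=test IpAddress=203.0.113.7
2018-11-20T01:00:30Z EventID=4625 LogonType=10 TargetUserName=jdoe IpAddress=198.51.100.4
2018-11-20T01:00:41Z EventID=4624 LogonType=10 TargetUserName=jdoe IpAddress=198.51.100.4
2018-11-20T01:00:19Z EventID=4625 LogonType=10 TargetUserName=user IpAddress=203.0.113.7
2018-11-20T01:00:24Z EventID=4625 LogonType=10 TargetUserName=guest IpAddress=203.0.113.7
2018-11-20T01:01:02Z EventID=4625 LogonType=2 TargetUserName=operator IpAddress=-
2018-11-20T01:01:10Z EventID=4625 LogonType=10 TargetUserName=sql IpAddress=203.0.113.7
2018-11-20T01:01:15Z EventID=4625 LogonType=10 TargetUserName=scan IpAddress=203.0.113.7
2018-11-20T01:01:20Z EventID=4625 LogonType=10 TargetUserName=helpdesk IpAddress=203.0.113.7
2018-11-20T01:01:25Z EventID=4625 LogonType=10 TargetUserName=it IpAddress=203.0.113.7
2018-11-20T01:02:30Z EventID=4625 LogonType=10 TargetUserName=root IpAddress=203.0.113.7
2018-11-20T01:02:45Z EventID=4625 LogonType=10 TargetUserName=svc_backup IpAddress=203.0.113.7
2018-11-20T01:03:00Z EventID=4624 LogonType=10 TargetUserName=svc_backup IpAddress=203.0.113.7
"""


def parse_event(line):
    """Parse one 'timestamp key=value ...' line into a dict (assumed format)."""
    ts_text, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts_text.replace("Z", "+00:00"))}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def detect_rdp_brute_force(lines, threshold=THRESHOLD, window=WINDOW):
    """Return one alert dict per source IP whose RDP failures cross the threshold.

    'compromised_account' is filled in when an RDP success from that IP arrives
    within `window` of the last failure; otherwise it stays None.
    """
    failures = defaultdict(deque)   # ip -> timestamps of failures inside the window
    alerts = {}                     # ip -> alert (threshold already crossed)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = parse_event(line)
        if ev.get("LogonType") != RDP_LOGON_TYPE:
            continue                # only RDP sessions matter here
        ip = ev.get("IpAddress", "-")
        ts = ev["ts"]
        if ev.get("EventID") == FAILED_LOGON:
            recent = failures[ip]
            recent.append(ts)
            while recent and ts - recent[0] > window:
                recent.popleft()    # drop failures that fell out of the window
            if ip in alerts:
                alerts[ip]["failures"] += 1
                alerts[ip]["last_failure"] = ts
            elif len(recent) >= threshold:
                alerts[ip] = {"ip": ip, "failures": len(recent), "first_seen": recent[0],
                              "last_failure": ts, "compromised_account": None}
        elif ev.get("EventID") == SUCCESSFUL_LOGON and ip in alerts:
            alert = alerts[ip]
            if alert["compromised_account"] is None and ts - alert["last_failure"] <= window:
                alert["compromised_account"] = ev.get("TargetUserName", "?")
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_rdp_brute_force(SAMPLE_LOG.splitlines()):
        status = f"SUCCESS as {alert['compromised_account']}" if alert["compromised_account"] else "no success seen"
        print(f"{alert['ip']}: {alert['failures']} RDP failures since {alert['first_seen']:%H:%M:%S}, {status}")
```

The success-after-burst case is the one to page on: the same script, fed the real 4625/4624 stream, separates a mistyped password from a credential attack, and a confirmed success from an address that just failed ten times is the point at which the advisory's account-lockout and two-factor controls have already been bypassed.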