DHS/FBI Published a New Alert Against SamSam Ransomware Attacks

At the end of November, the Department of Justice charged two Iranians in connection with the SamSam ransomware attacks. However, the attacks are unlikely to let up. Because of the high risk of persistent SamSam ransomware attacks in the USA, the Department of Homeland Security (DHS) and FBI issued a new advise to critical infrastructure organizations concerning the SamSam ransomware.

Thus far, over 200 SamSam ransomware attacks had occurred, the majority of which were on businesses and organizations in the USA. The threat actors responsible for the SamSam ransomware attacks already obtained ransom payments in the amount of roughly $6 million. The attacks already generated over $30 million in financial losses because of the downtime of computer systems.

The primary methods of attack use the JexBoss Exploit Kit on insecure systems. Lately, attackers use Remote Desktop Protocol (RDP) to obtain persistent systems access. Access via RDP is obtained by purchasing stolen credentials or brute force attack.

Once access is obtained, the attacker gets administrator rights to explore the network, then releases and installs the ransomware on many devices possible to maximize the disruption brought about. Then, the attacker displays the ransom demand on the desktop. The amount of ransom demanded is usually between $5,000 and $50,000, depending on the severity of encryption.

The FBI examined the systems of a lot of SamSam ransomware victims and identified in many instances that there were prior unauthorized system activity not associated to the SamSam ransomware attacks. This implies that the SamSam ransomware threat actors used stolen credentials previously used by other threat actors.

To make more secure systems, DHS/FBI published its recommendations to improve network security. Below is the summary.

  • Review the network to find systems that utilize Remote Desktop Protocol for communicating and deactivate RDP, if possible
  • Close open RDP ports on cloud-based virtual machine instances that have public IPs, particularly port 3389, unless there’s a legitimate reason for having open ports
  • Follow cloud providers’ guidelines for cloud-based VMs remote access
  • Find all systems having open RDP ports behind firewalls and be sure to use VPNs when accessing those systems remotely
  • Make sure that third parties requiring RDP access to follow internal remote access guidelines
  • Implement using strong passwords
  • Employ multi-factor authentication, wherever possible
  • Upadate software and apply patches promptly
  • Back up all data regularly
  • Use logging mechanisms that capture RDP logins and maintain logs for 90 days. Monitor logs on a regular basis for attempted attacks
  • Wherever possible, deactivate RDP on critical devices and reduce system exposure for all control system devices
  • Control and restrict external-to-internal RDP connections
  • Limit user permissions, particularly associated with using unauthorized/unwanted software programs
  • Scan all email attachments using spam filtering technology and be sure to match file headers to the attachment extensions
  • Deactivate file and printer sharing services wherever possible. When requiring those services, use strong Active Directory authentication
  • Know the technical details of the four SamSam (MSIL/Samas.A) ransomware variants to protect against attacks