Written by:
Lucie Sadler
Date Posted:
13 August 2018

Detailed report of SamSam ransomware revealed in Sophos research paper

SamSam is a destructive piece of ransomware that is known for targeted attacks on many healthcare, education and government organisations. The attacks aim to break into and examine a victim’s network, before deploying the ransomware.

SamSam isn’t like other types of ransomware, as it is used in a relatively small number of targeted attacks. Most other types of ransomware are distributed through large-scale attacks, via email spamming or phishing websites.

Attackers have used various methods to break into businesses, including exploiting vulnerabilities in JBoss systems to gain privileges and access to networks. Then, once those vulnerabilities have been fixed, the attackers move to the dark web to buy lists of vulnerable servers with insecure RDP connections. They then launch brute-force attacks on ‘weak’ machines and gain access to the network.

The attackers use different hacking tools and spend time working on ways to elevate their privileges on the network, until they are Domain Admin. Once they have this access, SamSam attackers then wait for evenings or weekends to launch the malicious code via the hacked servers into the victim company’s machines.

The ransomware encrypts document files, images and work data, as well as the configuration and data files that applications such as Microsoft Office need in order to run. Once the attack has been launched, the SamSam attackers demand a ransom in Bitcoin in return for relinquishing control.

SamSam has made over $6 million in Bitcoin since late 2015, according to the research report.

How to protect your business
  • Always patch your servers and run regular system and application updates.
  • Lock down RDP:
    ◦ Limit access to the people who need it.
    ◦ Access RDP only over a VPN (limited to specific IP addresses, ranges etc.).
    ◦ Have security policies for accounts that are not in use.
    ◦ Don’t allow Domain Admin accounts to use RDP.
    ◦ Have multi-factor authentication.
    ◦ Monitor and limit password attempts.
    ◦ Automatically lock accounts after several failed login attempts.
  • Carry out vulnerability scans.
  • Carry out regular penetration testing.

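The RDP brute-force pattern described above (many failed logons from one source in a short window, possibly followed by a success) is the kind of thing the “monitor and limit password attempts” advice is meant to catch. The following is an added example, not code from the original article or from Sophos/Hyve: a small detector run over constructed sample log lines in a simplified layout (timestamp, Windows event ID, account, source IP, logon type; 4625 is the Windows failed-logon event, 4624 a successful logon, and logon type 10 is RemoteInteractive, i.e. RDP). The threshold and window are assumptions to tune for your environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real Windows Security log output):
# "<ISO timestamp> <event id> <account> <source ip> <logon type>"
SAMPLE_LOG = """\
2018-08-11T23:58:01 4625 administrator 203.0.113.7 10
2018-08-11T23:58:03 4625 admin 203.0.113.7 10
2018-08-11T23:58:05 4625 backup 203.0.113.7 10
2018-08-11T23:58:06 4625 sqlsvc 203.0.113.7 10
2018-08-11T23:58:08 4625 administrator 203.0.113.7 10
2018-08-11T23:58:09 4624 administrator 203.0.113.7 10
2018-08-12T09:15:00 4625 jsmith 198.51.100.4 10
2018-08-12T09:15:40 4624 jsmith 198.51.100.4 10
"""

LINE_RE = re.compile(r"^(\S+) (\d+) (\S+) (\S+) (\d+)$")

def parse(lines):
    """Yield (timestamp, event_id, account, source_ip, logon_type) per well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, eid, user, ip, ltype = m.groups()
            yield datetime.fromisoformat(ts), int(eid), user, ip, int(ltype)

def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Flag source IPs with >= threshold failed RDP logons inside a sliding window,
    and record whether a successful RDP logon from that IP followed the burst."""
    failures = defaultdict(deque)   # ip -> recent (timestamp, account) failures
    flagged = {}
    for ts, eid, user, ip, ltype in parse(log_text.splitlines()):
        if ltype != 10:             # only RemoteInteractive (RDP) logons matter here
            continue
        q = failures[ip]
        if eid == 4625:
            q.append((ts, user))
            while q and ts - q[0][0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = {"first": q[0][0],
                               "users": sorted({u for _, u in q}),
                               "success_after": False}
        elif eid == 4624 and ip in flagged:
            flagged[ip]["success_after"] = True  # burst then success: investigate now
    return flagged
```

A flagged IP with `success_after` set is the case to treat as a likely compromise rather than just noise, since SamSam operators follow the brute force with manual privilege escalation.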
How Hyve can help

Hyve includes free DDoS protection as standard. If you need further security protection, we additionally offer Firewalls, Intrusion Prevention System, Intrusion Detection System, Malware Protection, AV, Encryption and VPN services as part of our comprehensive security suite. Please get in touch to discuss how we can help secure your business.

