Although most of the damage inflicted by ransomware is done in untargeted, scattergun attacks using software like Locky and GlobeImposter, devastating, sniper-like targeted attacks are on the rise.
In a targeted attack crooks select a vulnerable organisation and tailor their approach to cause maximum damage and disruption. Working in this way, the crooks are able to minimise their exposure while extorting high ransoms.
A popular tool for hackers working in this way is SamSam ransomware, also known as Samas.
SamSam attacks are relatively rare and seem to be focussed on the healthcare, government and education sectors. No two attacks are the same although there are common elements between them. The SamSam software configuration and ransom demands vary from one victim to the next and ransom demands are as high as $60,000.
The bitcoin addresses associated with SamSam have received over $1 million in ransom payments just this year.
Because of the nature of the attacks, precise details are scarce. SophosLabs has been investigating the recent attacks and has discovered new information about how the ransomware has evolved over the last few months. For more details, please see our whitepaper, SamSam ransomware chooses its targets carefully.
Although the hackers’ approach varies from target to target, preying on their specific weaknesses, there are common threads that are worth paying particular attention to.
1. Lock the door
SamSam attacks often start with the attackers exploiting weak passwords on RDP accounts, so:
- If you don’t need RDP, turn it off.
- Make sure users have strong passwords.
- Enable two-factor authentication (2FA) wherever you can.
- Only accept RDP connections from authorised computers.
- Set a lockout policy to limit the rate at which passwords can be tried.
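The following PowerShell script is an added example (not part of the original post) that audits a Windows host against the RDP points above: whether RDP is enabled, whether Network Level Authentication is required, whether the inbound Remote Desktop firewall rules are scoped to authorised sources, and whether a lockout threshold is set. It is read-only; `$AllowedRdpSources` is a placeholder for your own list of authorised management addresses, and it assumes an elevated session on Windows 8 / Server 2012 or later (for the NetSecurity cmdlets).

```powershell
# Added example, not from the original post: report-only audit of RDP hardening.
# Assumption: replace the placeholder below with the addresses of your jump hosts.
$AllowedRdpSources = @('10.0.0.0/24')

$findings = @()

# fDenyTSConnections = 1 means Remote Desktop is switched off on this host.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ($ts.fDenyTSConnections -eq 1) {
    $findings += 'OK   RDP is disabled on this host'
} else {
    $findings += 'WARN RDP is enabled; disable it if this host does not need it'

    # Network Level Authentication demands credentials before a session is created,
    # so password guessing cannot reach the full logon screen.
    $rdpTcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    if ($rdpTcp.UserAuthentication -ne 1) {
        $findings += 'WARN Network Level Authentication (NLA) is not required'
    }

    # Every enabled inbound Remote Desktop rule should be limited to authorised sources.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True |
        ForEach-Object {
            $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            if ($remote -contains 'Any') {
                $findings += "WARN Firewall rule '$($_.DisplayName)' accepts RDP from Any; " +
                             "restrict it to $($AllowedRdpSources -join ', ')"
            }
        }
}

# A lockout threshold limits how fast passwords can be tried against local accounts.
# 'net accounts' prints the effective policy; 'Never' means no lockout is configured.
$lockout = (net accounts) | Where-Object { $_ -match 'Lockout threshold' }
if ($lockout -match 'Never') {
    $findings += 'WARN No account lockout threshold is set'
} else {
    $findings += "OK   $($lockout.Trim())"
}

$findings
```

On a domain-joined machine the effective lockout policy comes from Group Policy, so check the domain policy as well rather than relying on the local `net accounts` output alone.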
2. Fix any leaks
The SamSam attackers are also thought to have gained entry to targets’ networks by exploiting Java deserialisation vulnerabilities and unpatched JBoss systems, using vulnerabilities such as: CVE-2010-0738, CVE-2012-0874 and CVE-2010-1428.
Of course it’s sensible to assume that the SamSam hackers will exploit any public-facing vulnerability that serves their purposes so this isn’t an exclusive list – the usual advice about staying on top of your patching applies.
3. Keep things clean and tidy
If an attacker gains access to your network then stopping the attack is rarely a simple matter of detecting a single, obviously malicious file. Many of the tools used in SamSam attacks are used precisely because they’re legitimate pieces of software that are already on your network, such as PsExec, PowerShell, WScript or CScript.
If you’re a Sophos customer you can use Application Control to configure your organisation’s access to legitimate applications, ensuring, for example, that the admins who need PowerShell have access to it and normal users don’t.
SamSam has been seen using PsExec to help it spread across networks. By default PsExec is detected by our products as a Potentially Unwanted Application (PUA) and will be blocked.
Admins should make sure they have PUA scanning enabled and that PsExec hasn’t been added to the authorised list. If you need to use PsExec you can authorise it for just the users who need it and then revoke that authorisation when you’re done.
4. Get a good guard dog (or two)
Each layer of security you have is designed for a different type of threat and a strategy of defence in depth that employs multiple, overlapping layers of protection is, as ever, the best approach.
Sophos Endpoint and Server blocks current versions of SamSam as Troj/Samas-F, Troj/RansRun-A and Mal/Kryptik-BV.
Customers with Intercept X or Exploit Prevention are protected against SamSam by our anti-ransomware protection CryptoGuard.
For customers with Central Server Advanced licenses, Server Lockdown (allowlisting) can be deployed to harden your servers against unauthorized changes.
Customers using Sophos Central in combination with the XG Firewall can use the Security Heartbeat™ feature, which enables your endpoints to communicate with your firewall, to create policies that automatically isolate a machine if a detection is reported, quickly containing any threat.