The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) this week issued an alert on activity related to SamSam, one of the most prevalent ransomware families at the moment.
Associated with numerous attacks on health, education and government organizations, SamSam was recently said to have impacted the private sector the most. Over the past couple of years, the actor behind the malware supposedly netted more than $5.9 million.
Last week, the U.S. Department of Justice charged two Iranian men – Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri – over their alleged role in the development and distribution of SamSam for extortion purposes.
In the newly published activity alert, the DHS and the FBI note that the SamSam operators targeted multiple industries, including entities within critical infrastructure. Most of the victims were located in the United States, the alert says.
The reason the actors are targeting organizations is that network-wide infections are more likely to garner large ransom payments when compared to infections of individual systems. Furthermore, organizations are more likely to pay large ransom amounts as they need to resume operations quickly.
To gain persistent access to a victim’s network, the actors target vulnerabilities in Windows servers. In early 2016, they were targeting vulnerable JBoss applications, but in mid-2016 they started using Remote Desktop Protocol (RDP) for their attacks, via brute force or stolen credentials.
Once inside a network, the alert reveals, the actors escalate privileges for administrator rights, after which they drop and execute malicious files onto the server, without victims’ action or authorization. The use of RDP eliminates the need for user interaction to execute the ransomware and also ensures the attack remains undetected.
According to the alert, the SamSam operators appear to have purchased stolen RDP credentials from known darknet marketplaces. The investigation into attacks revealed that the actors can infect a network within hours of purchasing the credentials.
The SamSam actors leave ransom notes on the encrypted machines, to instruct victims into contacting them through a Tor hidden service site. They also demand a ransom be paid in Bitcoin, in exchange for which the actors provide victims with links to download cryptographic keys and tools to decrypt their network.
The DHS National Cybersecurity and Communications Integration Center (NCCIC) also published a series of malware analysis reports detailing four SamSam malware variants.
The DHS and FBI alert also includes a series of mitigation recommendations, such as auditing the network for systems that use RDP, ensuring that cloud-based virtual machine instances with public IPs have no open RDP ports, using strong passwords and two-factor authentication, keeping systems updated, and maintaining a good back-up strategy, among others.