As ransomware attacks continue to increase, hospitals, government, and universities are bracing themselves as they might be the next target of the latest SamSam ransomware attack.
What is this SamSam Ransomware Attack?
First released in late 2015 this ransomware attack is believed to reside in Eastern Europe.
It is a high-risk attack designed to infect unpatched servers. What makes SamSam different is that it isn’t distributed in spam email. Instead, the attackers behind SamSam have avoided every user interaction. They prefer a more direct route by identifying vulnerable servers and gaining access via weak or stolen credentials.
SamSam has seen a huge spike this year and now pose a serious threat to several organizations.
We see this group more as an opportunistic attack vector -Jeremy Koppen, principal consultant at a FireEye company
Here is a screenshot of how the ransom splash screen looks:
The Victims of SamSam Ransomware Attack
This year SamSam has been deployed in more than eight cyber attacks in the US.
Which include an ICS, 2 hospitals, the City of Atlanta and Colorado Department of Transportation (attacked twice).
It took weeks and millions of dollars to get these departments back in function.
Suffered the Most:
Atlanta city was affected the most by this ransomware infection which resulted in the loss of access to files and outages to several online systems and services.
Richard Cox, Atlanta Chief Operations Officer announced that the infection was primarily impacting services related to paying city bills and accessing court information online.
It was revealed that attackers are demanding payments of $6,800 in exchange for decrypting files on each infected computer. Another option was of paying $51,000 in exchange for decryption keys for all the computers infected during the attack.
Atlanta spent more than $2.6 million on emergency efforts to respond to this ransomware attack.
— City of Atlanta, GA (@CityofAtlanta) March 22, 2018
How SamSam Ransomware Works?
Earlier SamSam group used JexBoss (an open source JBoss exploitation tool).
Now they use a wide range of applications to conduct an investigation on victim’s network.
According to the research, SamSam group is using any or all of the following tools:
- Mimikatz – A tool to extract passwords and pins
- reGeorg – A reverse proxy script
- PsExec – Launch interactive command prompts on remote systems
- RDPWrap – Allows console and remote RDP sessions
- PsInfo – Help gather information about local or remote systems
- NLBrute – An exploit tool for public-facing RDP instances
- CSVDE – An Active Directory tool
- PowerSploit – A collection of PowerShell scripts
Total Money Extorted
Attackers are increasing ransom charge with every attack. Total ransoms paid are around $6 million in Bitcoin. And these are only those that were reported to the officials.
The profits break down like this:
How to Protect Yourself from SamSam Ransomware
We have listed down some ways in which organizations can protect themselves from these attacks
- Create offline and offsite backups
- Have a solid patch management program and work towards decreasing the time gap between a patch release and its deployment.
- Provide proper staff training- they need to have a basic knowledge about security issues and threats
- Have a spam filter for email-based attacks
- Change default passwords on all your services
- Use Multi-factor authentication
- Disable unnecessary exposed services facing the Internet
Not sure if your server is vulnerable? Or don’t know how to install a security patch?
Get in touch with us before it’s too late!