Ransomware Alert – SamSam Advisory from Homeland and FBI

The SamSam ransomware is making the rounds. The US Department of Homeland Security and the Federal Bureau of Investigation have released an alert through the US Computer Emergency Readiness Team (CERT).

SamSam, also known as MSIL/Samas, has targeted multiple industries across the United States. Healthcare organizations have been impacted by this ransomware in the past.

What does this ransomware do?

It first begins by scanning IP addresses for open RDP, remote desktop, ports. It then begins to attack these ports until it gains access to the server. From there, it will drop malware onto the server to take over the server. It will then begin to spread across the network to infect other computers on the same network. It does all of this without any user help and is capable of running completely automated.

It is difficult to detect this malware because it will access the network through normal channels like remote desktop. This ransomware doesn’t rely on any user doing something such as clicking on an email.

This malware doesn’t exploit any specific holes in software such as those addressed by Windows updates. It relies almost exclusively on breaking passwords to gain access to a server and network.

How can you protect yourself from SamSam?

DHS and FBI recommend that users and administrators consider using the following best practices to strengthen the security posture of their organization’s systems. System owners and administrators should review any configuration changes before implementation to avoid unwanted impacts.

  • Audit your network for systems that use RDP for remote communication. Disable the service if unneeded or install available patches. Users may need to work with their technology venders to confirm that patches will not affect system processes.
  • Verify that all cloud-based virtual machine instances with public IPs have no open RDP ports, especially port 3389, unless there is a valid business reason to keep open RDP ports. Place any system with an open RDP port behind a firewall and require users to use a virtual private network (VPN) to access that system.
  • Enable strong passwords and account lockout policies to defend against brute force attacks.
  • Where possible, apply two-factor authentication.
  • Regularly apply system and software updates.
  • Maintain a good back-up strategy.
  • Enable logging and ensure that logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days and review them regularly to detect intrusion attempts.
  • When creating cloud-based virtual machines, adhere to the cloud provider’s best practices for remote access.
  • Ensure that third parties that require RDP access follow internal policies on remote access.
  • Minimize network exposure for all control system devices. Where possible, disable RDP on critical devices.
  • Regulate and limit external-to-internal RDP connections. When external access to internal resources is required, use secure methods such as VPNs. Of course, VPNs are only as secure as the connected devices.
  • Restrict users’ ability (permissions) to install and run unwanted software applications.
  • Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., t

You can read the full ransomware alert here – Alert (AA18-337A) SamSam Ransomware