Threat Advisory: SamSam Ransomware

December 4, 2018

The Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and the Federal Bureau of Investigation (FBI) have recently issued a US-CERT alert on the SamSam ransomware. SamSam has targeted multiple industries since its initial release, including critical infrastructure. 

According to the US-CERT, the SamSam ransomware exploits Windows servers to gain persistent access to a victim’s network and infect all reachable hosts by using the JexBoss Exploit Kit to access vulnerable JBoss applications. Threat actors behind SamSam have also used Remote Desktop Protocol (RDP) to gain access to victims' networks, making it more difficult to detect since the malware uses an approved access point to gain access to the system. Once the hackers have access, they escalate privileges for administrator rights, drop the malware on the server, and run an executable file. 

In order to successfully intrude on the victims' networks through RDP, threat actors behind SamSam purchased many stolen RDP credentials from the Dark Net, giving them means to infect a network within hours of the purchase. 

Technical Details

The US-CERT has published several SamSam Malware Analysis Reports to date. Herjavec Group recommends reading through the following reports for an in-depth technical analysis on the SamSam variants. 

Mitigations

Herjavec Group recommends the following strategies to mitigate against the SamSam ransomware: 

  • Enable strong passwords and account lockout policies to defend against brute-force attacks.
  • Where possible, apply multi-factor authentication.
  • Regularly apply system and software updates.
  • Maintain a good back-up strategy for all systems and data.

For a full list of mitigation strategies, please click here

For Managed Services customers, our Managed Services team will engage with the appropriate technical contacts in your respective organizations directly to provide alerts, escalations, actions and or reports based our service agreement with you. If you have questions or concerns, please engage your Herjavec Group account representative directly or contact Herjavec Group.

CONNECT WITH US

 

In wake of the SamSam ransomware and the rising uptick seen with this type of cyber attack, we also recommend that the C-Suite ask themselves:

  • Do you have a corporate policy on ransomware?
  • Are your remote administration techniques (such as RDP) secure and protected from the Internet?
  • Are your privileged accounts protected from unauthorized access?
  • Can you quickly detect and respond to unauthorized software in your environment?

 

Herjavec Group circulates US – Cert advisories as this notification warrants attention and may have significance to your Enterprise network environment. If the following advisory is applicable to your environment, Herjavec Group recommends your IT team review the technical details included and monitor your environment for any susceptible systems. Herjavec Group’s analysts are working with applicable vendor partners to apply detection and mitigation strategies where appropriate. For Managed Services customers, our Managed Services team will engage with the appropriate technical contacts in your respective organizations directly to provide alerts, escalations, actions and or reports based our service agreement with you. If you have questions or concerns, please engage your Herjavec Group account representative directly or contact Herjavec Group.


About Herjavec Group

Dynamic entrepreneur Robert Herjavec founded Herjavec Group in 2003 to provide cybersecurity products and services to enterprise organizations. We have been recognized as one of the world’s most innovative cybersecurity operations leaders, and excel in complex, multi-technology environments. Our service expertise includes Advisory Services, Technology Architecture & Implementation, Identity Services, Managed Security Services, Threat Management and Incident Response. Herjavec Group has offices and Security Operations Centers across the United States, United Kingdom and Canada.

Stay Informed

Follow us on Twitter

Connect with us on LinkedIn