The funny thing about ransomware is that the strains get very strange names. Bad Rabbit sounds like a villainous bunny who gets his comeuppance in some modern nursery rhyme, not malware that ravaged hundreds of European businesses. Locky seems like the son of Candado de seguridad, a character Medeco would come up with to educate kids on proper physical security. The latest in this long line of funny-named ransomware, SamSam, isn't the pet name of a ferret you perplexingly called Sam; it is one of the worst ransomware strains ever, and it has caught the attention of the U.S. Department of Homeland Security and the FBI.

The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) this week issued an alert on activity related to SamSam, one of the most prevalent ransomware families at the moment.

Associated with numerous attacks on health, education and government organizations, SamSam was recently said to have impacted the private sector the most. Over the past couple of years, the actors behind the malware are estimated to have netted more than $5.9 million.

The U.S. Department of Justice recently charged two Iranian men – Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri – over their alleged role in the development and distribution of SamSam for extortion purposes.

In the newly published activity alert, the DHS and the FBI note that the SamSam operators targeted multiple industries, including entities within critical infrastructure. Most of the victims were located in the United States, the alert says.

The actors target whole organizations rather than individuals because a network-wide infection is far more likely to produce a large ransom payment than the infection of a single system. Organizations are also more likely to pay a large ransom, because they need to resume operations quickly.

To gain persistent access to a victim's network, the actors target vulnerabilities in Windows servers. In early 2016 they were exploiting vulnerable JBoss applications, but in mid-2016 they switched to Remote Desktop Protocol (RDP), getting in either by brute-forcing logons or by using stolen credentials.

Once inside a network, the alert reveals, the actors escalate privileges to obtain administrator rights, after which they drop and execute malicious files on the server without any action or authorization from the victim.

According to the alert, the SamSam operators appear to have purchased stolen RDP credentials from known darknet marketplaces. Using RDP removes the need for any user interaction to execute the ransomware, and it also makes the intrusion harder to detect, since an interactive remote logon looks like ordinary administrative activity. The investigation into the attacks revealed that the actors can infect a network within hours of purchasing the credentials.

The SamSam actors leave ransom notes on the encrypted machines instructing victims to contact them through a Tor hidden service. They demand that the ransom be paid in Bitcoin, in exchange for which they provide victims with links to download the cryptographic keys and tools needed to decrypt their network.

The DHS National Cybersecurity and Communications Integration Center (NCCIC) also published a series of malware analysis reports detailing four SamSam malware variants.

The DHS and FBI alert also includes a series of mitigation recommendations, among them: audit the network for systems that use RDP; ensure that cloud-based virtual machine instances with public IPs have no open RDP ports; use strong passwords and two-factor authentication; keep systems updated; and maintain a good backup strategy.
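The two RDP entry paths described above (a brute-force burst that eventually succeeds, and a quiet logon with purchased credentials) leave different traces in the Windows Security log, and the second one has no failures to alert on at all. The script below is an added example, not code from the DHS/FBI alert or from the original post. It assumes the Security log has been exported as one JSON object per line with the fields shown; the sample events, the IP addresses, the threshold and the "trusted internal range" are all constructed for the example.

```python
"""Triage Windows logon events for the two RDP entry paths the alert describes.

Added example; not code from the DHS/FBI alert or the original post. Assumes a
JSON-lines export of the Security log with the fields used below (constructed
sample). Event 4625 = failed logon, 4624 = successful logon, and
LogonType 10 = RemoteInteractive, i.e. RDP.
"""
import ipaddress
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: six failures in about two minutes from 203.0.113.7, then a
# success from the same address, plus one ordinary internal RDP logon from 10.0.0.5.
SAMPLE_LOG = """\
{"time": "2018-12-03T02:14:01", "id": 4625, "logon_type": 10, "user": "administrator", "src": "203.0.113.7"}
{"time": "2018-12-03T02:14:09", "id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.7"}
{"time": "2018-12-03T02:14:20", "id": 4625, "logon_type": 10, "user": "backup", "src": "203.0.113.7"}
{"time": "2018-12-03T02:15:02", "id": 4625, "logon_type": 10, "user": "sqlsvc", "src": "203.0.113.7"}
{"time": "2018-12-03T02:15:40", "id": 4625, "logon_type": 10, "user": "jsmith", "src": "203.0.113.7"}
{"time": "2018-12-03T02:16:12", "id": 4625, "logon_type": 10, "user": "jsmith", "src": "203.0.113.7"}
{"time": "2018-12-03T02:16:30", "id": 4624, "logon_type": 10, "user": "jsmith", "src": "203.0.113.7"}
{"time": "2018-12-03T02:20:00", "id": 4625, "logon_type": 2, "user": "jdoe", "src": "10.0.0.5"}
{"time": "2018-12-03T02:20:30", "id": 4624, "logon_type": 10, "user": "jdoe", "src": "10.0.0.5"}
"""


def parse_events(text):
    """Parse the JSON-lines export into dicts with real timestamps, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["time"] = datetime.fromisoformat(event["time"])
        events.append(event)
    events.sort(key=lambda e: e["time"])
    return events


def detect_rdp_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Flag sources producing `threshold` RDP failures inside `window`.

    Returns {src: {"failures": n, "first_failure": datetime, "success": ...}}.
    A later successful RDP logon from a flagged source is recorded as the
    probable moment the brute force (or a tried-and-working purchased password)
    succeeded, which is the event worth responding to.
    """
    recent = defaultdict(deque)  # src -> timestamps of failures inside the window
    flagged = {}
    for e in events:
        if e.get("logon_type") != 10:  # only interactive remote (RDP) logons
            continue
        src = e["src"]
        if e["id"] == 4625:
            q = recent[src]
            q.append(e["time"])
            while q and e["time"] - q[0] > window:  # slide the window forward
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged[src] = {"failures": len(q), "first_failure": q[0], "success": None}
            elif src in flagged:
                flagged[src]["failures"] += 1
        elif e["id"] == 4624 and src in flagged and flagged[src]["success"] is None:
            flagged[src]["success"] = {"user": e["user"], "time": e["time"]}
    return flagged


def external_rdp_logons(events, internal_nets):
    """Successful RDP logons from outside the trusted ranges.

    With purchased credentials there may be no failures at all, so the only
    signal is a successful type-10 logon from somewhere RDP should never come from.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in internal_nets]
    hits = []
    for e in events:
        if e["id"] == 4624 and e.get("logon_type") == 10:
            ip = ipaddress.ip_address(e["src"])
            if not any(ip.version == n.version and ip in n for n in nets):
                hits.append((e["src"], e["user"], e["time"]))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for src, info in detect_rdp_brute_force(evs).items():
        print(f"brute force from {src}: {info['failures']} failures since "
              f"{info['first_failure']}, success: {info['success']}")
    for src, user, when in external_rdp_logons(evs, ["10.0.0.0/8"]):
        print(f"RDP logon from outside trusted ranges: {user} from {src} at {when}")
```

On the constructed sample the first check flags 203.0.113.7 after its fifth failure and ties the later success for `jsmith` to it; the second check reports the same logon independently, because 203.0.113.7 is outside the assumed 10.0.0.0/8 range, while the internal logon from 10.0.0.5 is left alone. The threshold and window are starting points to tune against real volumes, and the second check only works once you know which ranges legitimately originate RDP.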
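The alert's recommendation to audit for RDP and to make sure no cloud instance with a public IP has port 3389 open is easy to state and easy to get wrong: a rule that covers a wide port range, an "all protocols" rule, or an IPv6 rule for ::/0 exposes RDP just as surely as an explicit 3389 rule. The checker below is an added example, not code from the alert or the original post. The rule format is a generic, assumed one (group, protocol, port range, source CIDR) rather than any particular cloud API, and the rules and the trusted source ranges are constructed.

```python
"""Find firewall / security-group rules that expose RDP (TCP 3389) to untrusted sources.

Added example; not code from the DHS/FBI alert or the original post. The rule
format is assumed (a generic export shape, not any vendor's API) and the sample
rules and trusted ranges are constructed.
"""
import ipaddress

RDP_PORT = 3389

# Constructed sample export. "-1" stands for "all protocols", as some clouds encode it.
SAMPLE_RULES = [
    {"group": "sg-web",    "proto": "tcp", "from_port": 80,   "to_port": 80,    "cidr": "0.0.0.0/0"},
    {"group": "sg-jump",   "proto": "tcp", "from_port": 3389, "to_port": 3389,  "cidr": "0.0.0.0/0"},
    {"group": "sg-app",    "proto": "tcp", "from_port": 3000, "to_port": 4000,  "cidr": "198.51.100.0/24"},
    {"group": "sg-db",     "proto": "tcp", "from_port": 3389, "to_port": 3389,  "cidr": "10.0.0.0/8"},
    {"group": "sg-legacy", "proto": "-1",  "from_port": 0,    "to_port": 65535, "cidr": "0.0.0.0/0"},
    {"group": "sg-v6",     "proto": "tcp", "from_port": 3389, "to_port": 3389,  "cidr": "::/0"},
]

# Assumed: the corporate network and the VPN egress range are the only places
# an RDP session should ever originate from.
TRUSTED_SOURCES = ["10.0.0.0/8", "198.51.100.0/24"]


def rule_covers_rdp(rule):
    """True if the rule admits TCP 3389, including via port ranges or all-protocol rules."""
    if rule["proto"] not in ("tcp", "-1"):
        return False
    return rule["from_port"] <= RDP_PORT <= rule["to_port"]


def source_within(cidr, trusted):
    """True if every address in `cidr` lies inside one trusted range of the same IP version."""
    net = ipaddress.ip_network(cidr, strict=False)
    for t in trusted:
        tnet = ipaddress.ip_network(t, strict=False)
        if tnet.version == net.version and net.subnet_of(tnet):
            return True
    return False


def find_exposed_rdp(rules, trusted=TRUSTED_SOURCES):
    """Rules that admit RDP from any source not wholly inside the trusted ranges."""
    return [r for r in rules if rule_covers_rdp(r) and not source_within(r["cidr"], trusted)]


if __name__ == "__main__":
    for r in find_exposed_rdp(SAMPLE_RULES):
        print(f"{r['group']}: {r['proto']} {r['from_port']}-{r['to_port']} from {r['cidr']} exposes RDP")
```

On the constructed rules this flags `sg-jump` (the obvious case), `sg-legacy` (all protocols from anywhere) and `sg-v6` (::/0 is not caught by a check that only looks for 0.0.0.0/0), and leaves `sg-db` alone because 10.0.0.0/8 is a trusted range. `sg-app` is interesting: its 3000-4000 range does cover 3389, but from a trusted source, so it is not reported here; it is still worth tightening. The remediation the alert asks for is to remove such rules rather than narrow them, and to put RDP behind a VPN or bastion with two-factor authentication.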