How to Stop Iranian ‘SamSam’ Hackers from Taking your Network for Ransom
SamSam – sounds cute, right? Well, it’s not. SamSam is a destructive ransomware that affected more than 200 victims across the US in 2018, including hospitals, city governments, and other organizations. On November 28, the US Department of Justice charged two Iranian nationals with computer hacking offenses in connection with the global SamSam ransomware outbreak. The alleged criminals are currently in Iran, out of the reach of US law enforcement, and I doubt the two suspects will travel to the U.S. to face questioning. I also doubt that these attacks will stop. So, it’s important to understand how this attack operates and implement some protective measures.
Compromising the First Endpoint
SamSam targets computers whose Remote Desktop (RDP) service is reachable from the internet. Finding such endpoints is trivial: free search engines like Shodan can produce a list of them. As of today, there are 2,475,311 records of remote desktops open to the Internet in Shodan. The passwords to these desktops can be guessed by brute force or simply purchased on the dark web. The increased use of cloud environments adds to the risk, because a careless admin can bring up a cloud machine with RDP open to the whole internet in a few clicks, without ever restricting who can reach it.
Moving Deeper into the Network
SamSam doesn’t only encrypt the files of a single infected endpoint. Once the endpoint is compromised, SamSam uses stolen credentials and exploits vulnerabilities like EternalBlue (the SMBv1 flaw patched by MS17-010) to move laterally across the network. It relies on “living off the land” techniques, i.e. the administration tools that are already installed and trusted. This enables the ransomware to reach more valuable servers that hold more valuable data. Instead of holding one computer hostage, it takes over the entire network.
Backups are often thought of as a defense mechanism against ransomware. However, the ability to move laterally in the network also enables SamSam to reach those backups and render them useless. A victim whose backups were encrypted would have to pay the ransom or lose the data.
SamSam Mitigation Costs Exceed the Ransom Payment
So far, the hackers have made more than $6M in ransom. However, the costs to impacted organizations are much higher, because after paying the ransom and unlocking their files, they also need to make sure that the threat is completely removed from their networks. When the city of Atlanta was infected, it spent a total of $17M on resolving the incident, even though the ransom demanded was far lower than that.
In addition to the ransom itself, there is the obvious cost of the outage that lasts until the threat is removed. Perhaps that’s one of the reasons the malware is attacking so many healthcare providers – they can’t afford to go down.
How to protect your organization from SamSam Ransomware?
- Back up your data offline: If you’re counting on your backups to save you from ransomware, you need to make sure that the attacker can’t get to your backups as well. Keep in mind that backups kept on the network (a file share, a backup server joined to the domain) are exposed to ransomware just as much as any other data on the network; keep at least one copy offline or otherwise unreachable with network credentials.
- Identify remote desktop servers that are exposed over the internet: An exposed remote desktop will be subject to a brute-force attack within hours of being exposed. So, besides scanning your own external address space, a good way to identify internet-exposed remote desktops from the inside is to look for brute-force attacks: bursts of failed logons from a single source (on Windows, Security event 4625 with logon type 10, RemoteInteractive). Silverfort can help you do that.
- Protect RDP access by enforcing multi-factor authentication: if you have to expose a remote desktop to the internet, put it behind a VPN or a bastion host, so that the RDP port itself is never directly reachable from the internet. But even then, password-based authentication isn’t enough. You should also add MFA to validate that the credentials are indeed being used by a legitimate user. Silverfort enables you to add MFA to these systems without any agents.
- Prevent lateral movement: Enforcing MFA on the use of administrative tools such as PsExec can effectively block such attacks. However, traditional MFA solutions can’t be implemented for such tools. Silverfort’s agentless MFA platform can be easily extended to these tools as well. Since SamSam also exploits EternalBlue, patching MS17-010 and disabling SMBv1 closes that path too.
- Protect access to your sensitive data: Enforce MFA for any access to sensitive resources, including databases and file shares.
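The two detections implied by the second and fourth bullets (failed RDP logons from one source, and PsExec-style service installs on servers), as an added example that is not Silverfort’s or the original post’s code. It runs over a constructed set of flattened Windows events (the field names `ip`, `user`, `logon_type`, `service` are my own shorthand for the Security log’s IpAddress/TargetUserName/LogonType fields and the System log’s ServiceName); in a real pipeline these would come from an event forwarder or SIEM export. The threshold and window are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events for this example (not real logs). Each is a flattened
# Windows event: Security 4625 = failed logon, 4624 = successful logon
# (LogonType 10 = RemoteInteractive, i.e. RDP), System 7045 = new service installed.
BASE = datetime(2018, 11, 28, 2, 0, 0)


def _ev(offset_s, host, event_id, **fields):
    return {"ts": BASE + timedelta(seconds=offset_s), "host": host, "id": event_id, **fields}


SAMPLE_EVENTS = (
    # 12 RDP failures from one source inside three minutes: a brute-force attempt
    [_ev(15 * i, "rdp-gw01", 4625, ip="203.0.113.7", user=u, logon_type=10)
     for i, u in enumerate(["administrator", "admin", "backup", "sql"] * 3)]
    # then a successful RDP logon from the same source: a credential was guessed
    + [_ev(200, "rdp-gw01", 4624, ip="203.0.113.7", user="backup", logon_type=10)]
    # two failures from another source: a user mistyping a password, not an attack
    + [_ev(60 * m, "rdp-gw01", 4625, ip="198.51.100.5", user="jsmith", logon_type=10)
       for m in (40, 41)]
    # SMB (network, LogonType 3) failures are not RDP and are ignored by the RDP rule
    + [_ev(3600 + 10 * i, "fs01", 4625, ip="192.0.2.9", user="svc", logon_type=3)
       for i in range(5)]
    # a PsExec service install on a file server, plus a benign service install
    + [_ev(4000, "fs01", 7045, service="PSEXESVC", image=r"%SystemRoot%\PSEXESVC.exe"),
       _ev(4100, "fs01", 7045, service="BITS", image=r"%SystemRoot%\System32\svchost.exe")]
)


def detect_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Return {source_ip: peak_failures} for sources whose RDP (LogonType 10) failed
    logons reach `threshold` inside any interval of length `window` (sliding window,
    so a slow-and-steady attacker spread over hours is not flagged by this rule)."""
    by_ip = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e.get("logon_type") == 10:
            by_ip[e["ip"]].append(e["ts"])
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop events that fell out of the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[ip] = peak
    return hits


def detect_success_after_bruteforce(events, **kw):
    """Successful RDP logons from a source already flagged as brute-forcing: the most
    urgent signal, since it means a password was guessed (or bought) and used."""
    flagged = detect_rdp_bruteforce(events, **kw)
    return [(e["ts"], e["host"], e["ip"], e["user"]) for e in events
            if e["id"] == 4624 and e.get("logon_type") == 10 and e["ip"] in flagged]


def detect_psexec_services(events):
    """Hosts where a PsExec-style service was installed (System event 7045).
    PsExec's default service name is PSEXESVC; an attacker can rename it, so this
    rule catches default usage only and should be paired with the MFA enforcement
    the post recommends rather than relied on alone."""
    return [(e["ts"], e["host"], e["service"]) for e in events
            if e["id"] == 7045 and e.get("service", "").upper().startswith("PSEXESVC")]


if __name__ == "__main__":
    print("RDP brute-force sources:", detect_rdp_bruteforce(SAMPLE_EVENTS))
    print("Successful RDP logons after brute force:", detect_success_after_bruteforce(SAMPLE_EVENTS))
    print("PsExec service installs:", detect_psexec_services(SAMPLE_EVENTS))
```

On the sample data the brute-force rule flags only 203.0.113.7 (12 failures in under three minutes), the mistyped-password source stays below threshold, and the SMB failures against fs01 are ignored because they are not RDP logons; the follow-up success from 203.0.113.7 is what should page someone, and the PSEXESVC install on fs01 is the lateral-movement tell.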
To find out how Silverfort can protect your organization against SamSam and other threats, contact us today.