The Department of Homeland Security (DHS) has issued an alert about SamSam ransomware. The SamSam actors have targeted multiple industries, primarily in the United States but also internationally. They gain a foothold through Remote Desktop Protocol (RDP) on exposed Windows servers, either by brute-forcing weak passwords or by logging in with stolen credentials, and then use that persistent access to infect every reachable host on the victim's network. Many ransomware campaigns rely on a victim completing an action, such as opening an email attachment or visiting a compromised website; with RDP the actors log in directly and deploy the ransomware themselves, so the intrusion produces few of the signals that normally trigger detection. Analysis of tools found on victims' networks indicated that the actors purchased stolen RDP credentials from known darknet marketplaces.
Several techniques, used together, can effectively thwart a SamSam attack. First and most importantly, disable inbound RDP access from the public Internet for both on-premises and cloud-based servers; where remote administration is unavoidable, reach RDP only through a VPN or gateway that itself requires multifactor authentication. Enforce strong passwords and account lockout policies to blunt brute-force attacks, and enable multifactor authentication on the accounts themselves wherever possible. Apply system and software updates regularly and maintain a tested backup strategy with copies the ransomware cannot reach, since a working restore is what turns an incident from a payment decision into a recovery. Ensure that day-to-day user accounts do not hold administrator privileges, so a single compromised login cannot push the ransomware to other hosts. Finally, scan for and quarantine suspicious files and email attachments.
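The following PowerShell script is an added example of how to audit and apply the RDP-related controls above on a single Windows host; it is not code from the Symplexity page or from the DHS alert. It assumes Windows Server 2012 R2 or later with the NetSecurity module, an elevated PowerShell 5.1 session, and that $TrustedRanges lists your own management networks (the RFC 1918 blocks are placeholders). The lockout values in Set-LockoutPolicy are illustrative defaults, not values from the page.

```powershell
# Added example (not from the Symplexity page or the DHS alert).
# Assumptions: elevated PowerShell 5.1 on Windows Server 2012 R2+, NetSecurity module present.
$TrustedRanges = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')   # assumption: your management nets

function Get-RdpExposure {
    # Is the RDP listener up, and which enabled inbound Allow rules reach TCP/3389 from 'Any'?
    $listening = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
    $allowRules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        Where-Object { (($_ | Get-NetFirewallPortFilter).LocalPort) -contains '3389' } |
        ForEach-Object {
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Profile       = $_.Profile
                RemoteAddress = ((($_ | Get-NetFirewallAddressFilter).RemoteAddress) -join ',')
            }
        }
    [pscustomobject]@{
        Listening  = $listening
        AllowRules = $allowRules
        OpenToAny  = [bool]($allowRules | Where-Object { $_.RemoteAddress -eq 'Any' })
    }
}

function Restrict-RdpToTrustedRanges {
    # Scope the built-in "Remote Desktop" rules to the trusted ranges instead of 'Any', then make
    # the profiles' default inbound action Block so no other rule lets 3389 through.
    # A separate Block rule is deliberately NOT added: in Windows Firewall a matching Block rule
    # wins over Allow rules, so it would also cut off the trusted ranges.
    param([string[]]$Allowed = $TrustedRanges)
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $Allowed
    Set-NetFirewallProfile -All -DefaultInboundAction Block
}

function Get-LockoutPolicy {
    # Parse what "net accounts" reports; a threshold of "Never" means unlimited guesses over RDP.
    $out = net accounts
    $threshold = ($out | Select-String '^Lockout threshold:\s+(\S+)').Matches[0].Groups[1].Value
    $duration  = ($out | Select-String '^Lockout duration \(minutes\):\s+(\S+)').Matches[0].Groups[1].Value
    [pscustomobject]@{
        Threshold       = $threshold
        DurationMinutes = $duration
        BruteForceRisk  = ($threshold -eq 'Never')
    }
}

function Set-LockoutPolicy {
    # Illustrative values (assumption): lock after 5 failures, for 30 minutes, counted over 30 minutes.
    param([int]$Threshold = 5, [int]$DurationMinutes = 30, [int]$WindowMinutes = 30)
    net accounts /lockoutthreshold:$Threshold /lockoutduration:$DurationMinutes /lockoutwindow:$WindowMinutes
}

function Get-LocalAdmins {
    # Day-to-day user accounts should not appear in this list.
    Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource
}

# Audit first; uncomment the two change functions only after reviewing the output.
Get-RdpExposure | Format-List
Get-LockoutPolicy
Get-LocalAdmins
# Restrict-RdpToTrustedRanges
# Set-LockoutPolicy
```

The audit output is the part to keep: OpenToAny = True together with Listening = True on a server with a public address is exactly the exposure the alert describes. Note that scoping the firewall rule is a host-level control and does not replace removing the public listener at the cloud security group or edge firewall, and that "net accounts" on a domain member reflects the domain policy, which is where the lockout settings should actually be changed.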
Symplexity believes that our standard Symplexity Secure configuration, patching, and protective tools and procedures have hardened our managed security service clients' environments against a SamSam attack. Using Cisco Threat Response, our SOC searched for the file IOCs published in the alert and found no matching instances in the client environments protected by Cisco AMP. Both Cisco AMP and Trend Micro Endpoint Security detect and quarantine the SamSam variants covered by the alert.
If you have questions about your existing protections, or to learn how Symplexity can help to improve security visibility and control within your organization’s environment, contact us today at firstname.lastname@example.org or 260-432-1364.