SamSam Ransomware Campaign

By ISBuzz Team
Writer, Information Security Buzz | Oct 31, 2018 06:46 am PST

You’ve probably seen the news that SamSam ransomware is still plaguing organisations across the US, with fresh attacks against 67 new targets — including at least one involved with administering the upcoming midterm elections. IT security experts commented below.

Glen Pendley, Deputy CTO at Tenable:

“The latest SamSam ransomware campaign is interesting for a few reasons. For one, the cybercriminals have set up a contingency plan of sorts to ensure that the attack doesn’t have a single point of failure. Instead, they’ve embedded several variations of the malware into victims’ environments, making it difficult for security teams to know whether they’ve secured their network entirely.

“Like most successful attacks, it also leverages the low-hanging fruit — the foundational security practices that aren’t followed. In this case, victims with remote desktop protocol (RDP) connected to the internet are exposed. At a very basic level, security teams should ensure that RDP is not installed on internet-facing systems.

“This ransomware campaign is a reminder of the importance of complete visibility into your attack surface. You need to know what assets you have, where they’re located and what’s installed on them in order to reduce your overall exposure. It’s basic, but it can help thwart these types of attacks.”
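The check Pendley describes (knowing which assets are internet-facing and whether RDP is listening on them) can be scripted against an asset inventory. The example below is added here and is not code from Information Security Buzz or Tenable; the inventory records, the network-zone labels and the firewall port-forward rules are constructed for the example and their format is an assumption. It goes one step beyond a per-host check: it also flags hosts that sit on a private address but have RDP reachable through a destination-NAT rule, which a host-only view misses.

```python
"""Find hosts whose RDP service is reachable from the internet.

Added example (not code from Information Security Buzz or Tenable). It assumes
two constructed inputs: an asset inventory with a network zone per host, and
the firewall's destination-NAT (port-forward) rules. Both formats are assumptions.
"""

RDP_PORT = 3389
EXTERNAL_ZONES = {"dmz", "internet"}  # zones whose hosts are directly reachable from outside

# Constructed sample inventory: one record per host (IP, zone, listening TCP ports).
INVENTORY = [
    {"host": "dc01",       "ip": "10.0.0.5",  "zone": "internal", "listening": [88, 389, 3389]},
    {"host": "jump01",     "ip": "10.0.0.20", "zone": "dmz",      "listening": [22, 3389]},
    {"host": "web01",      "ip": "10.0.0.30", "zone": "dmz",      "listening": [80, 443]},
    {"host": "legacy-app", "ip": "10.0.0.44", "zone": "internal", "listening": [3389, 8080]},
    {"host": "fileserver", "ip": "10.0.0.50", "zone": "internal", "listening": [445, 3389]},
]

# Constructed port-forward rules: traffic to <public_port> is forwarded to <to>:<to_port>.
FIREWALL_DNAT = [
    {"public_port": 443,   "to": "10.0.0.30", "to_port": 443},
    {"public_port": 33389, "to": "10.0.0.44", "to_port": 3389},  # RDP forwarded on a high port
]


def exposed_rdp_hosts(inventory, dnat_rules, rdp_port=RDP_PORT, external_zones=EXTERNAL_ZONES):
    """Return {host: [reasons]} for each host whose RDP listener is internet-reachable.

    Two exposure paths are checked:
      1. the host sits in an external zone and has RDP listening;
      2. a port-forward rule sends some public port to the host's RDP port, even
         though the host itself has a private address and an internal zone.
    """
    by_ip = {asset["ip"]: asset for asset in inventory}
    findings = {}

    # Path 1: directly reachable hosts with RDP listening.
    for asset in inventory:
        if rdp_port in asset["listening"] and asset["zone"] in external_zones:
            findings.setdefault(asset["host"], []).append(
                f"RDP listening on {asset['ip']}:{rdp_port} in zone '{asset['zone']}'")

    # Path 2: port-forwards that land on an internal host's RDP port.
    for rule in dnat_rules:
        target = by_ip.get(rule["to"])
        if target is None or rule["to_port"] != rdp_port:
            continue
        if rdp_port not in target["listening"]:
            continue  # rule points at a port that is not listening; not a live exposure
        findings.setdefault(target["host"], []).append(
            f"port-forward public:{rule['public_port']} -> {rule['to']}:{rule['to_port']}")

    return findings


if __name__ == "__main__":
    for host, reasons in sorted(exposed_rdp_hosts(INVENTORY, FIREWALL_DNAT).items()):
        print(host)
        for reason in reasons:
            print("  -", reason)
```

Run as-is it reports jump01 (RDP listening in the DMZ) and legacy-app (reachable only through the port-forward on 33389); dc01 and fileserver also run RDP but are not reachable from outside, which is why the inventory and the firewall rules have to be read together.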

Scott Scheferman, Senior Director of Global Services at Cylance:

“Firstly, ensure that every single externally-facing application and service is kept patched for any vulnerabilities, especially RDP and JBOSS, the two most historically common foothold vectors for SamSam. Leverage services like Shodan to proactively scan your own organization for vulnerable externally-facing services. Then, ensure that 2FA (Two-Factor Authentication) is required on all externally-facing applications.

It’s important to utilise today’s predictive AI technologies to predict malware payloads and prevent them from ever executing. An attacker will always find a vulnerable service over the course of time, but they aren’t able to outpace today’s AI, which is able to detect and prevent malware on average 25 months before it is found in the real world. Leverage “pre-malware-campaign inception” AI, in other words. In this way, regardless of the “vulnerability du jour” they use to gain a foothold, the SamSam attacker’s core payload still won’t be able to run, and devices will not be encrypted.

Next, leverage third-party DDW (Deep Dark Web) scanning services that proactively scour the DDW for compromised credentials and for-sale shell accounts, RDP accounts, etc., associated with your organization. It’s also advised to leverage AI-powered detection for LOL (“Living off the Land”, aka “fileless”) tactics that are used by SamSam and other actors. Today’s AI-based solutions can spot permutations of one-liner attacks that would take a human analyst hours to spot and to know are malicious in the context of an attack. Machine learning can help organizations automate detection of these kinds of tactics, and even prevent their child processes from subsequently executing, all in real time without the need to send data to the cloud for ‘after the fact’ correlation, enrichment, and analysis.”

“1) Realize that SamSam TTPs will change and adapt to new vulnerabilities that come out over time in externally-facing services. Similar to how PyRoMine and other crypto-currency miners leverage vulnerabilities like the NSA-leaked EternalRomance, SamSam actors look for organizations that remain unpatched for vulnerabilities that have wide distribution. It would not be surprising, for example, for SamSam actors to target an unpatched Redis server, or even to have leveraged EternalRomance to target RDP instead of the more standard brute-forcing or credential-theft means. This is primarily because SamSam actors perform a lot of manual infiltration activities in order to target, gain a foothold, and persist undetected, as well as move and spread laterally to gain as much foothold as possible before initiating the encryption activity. In other words, these are adaptable human threat actors that target weak organizations, not spray-and-pray automated, opportunistic mal-spammers. They adapt, and they fully understand and exploit the concepts of leverage and ransom: the more estate they can encrypt, the more likely the organization is to panic, pay, and be on its heels. We’ve seen SamSam actors wait months before initiating the encryption routines, in an effort to jump network segments and affect more of the enterprise or production/OT networks. We’ve also seen them re-target organizations that have paid in the past.

2) If your legacy signature/heuristic anti-virus protects you once, it may not protect you the next time. Our IR team has seen an instance where the attacker tried multiple versions to bypass a host’s defenses, all during the same RDP session. When one payload failed, they tried another, and another, until they packed one in such a way so as to bypass the host defense.”