Last week we talked about how the vulnerability is the target, and that remains true.
Of course, once someone has hacked your system and has found a way in, it might become a different story. For example, most ransomware is randomly targeted, and nets between $17,000 and $500,000 per attack, with the average attack on a business netting $133,000.
However, once the perpetrators of the SamSam ransomware gain access to a victim’s systems, their first act is to check to see if the victim met their minimum threshold to continue the attack.
About SamSam Ransomware
If a client meets the $30,000 minimum threshold, then the SamSam team customizes their attack to ensure maximum mayhem and minimal detection.
The customized nature of the attack prevents endpoint detection with basic signature-based antivirus programs (Microsoft Defender, etc.). And, to further complicate matters, with each public exposure of a SamSam attack (i.e.: City of Atlanta, Colorado Department of Transportation, etc.), the creators appear to launch an updated version of the SamSam Ransomware to make detection and prevention even more difficult.
The methodology for each attack tends to be unique, but only because the perpetrators are opportunistic.
Their general modus operandi, or method, remains consistent from attack to attack, as was detailed by Sophos’ Andrew Brant’s in-depth analysis in November 2018:
-Obtain a foothold in the system (various techniques)
-Evaluate target’s ability to pay (typically English-speaking victims, primarily US-based, $30k+)
-Compromise network through brute-force RDP or targeted exploits
-elevate privileges – especially Domain Controller credentials
-find exposed servers or assets
-Launch a simple attack to verify control of the systems (such as place a text.txt file on each machine)
-Launch a full attack – typically late at night, one weekends or on holidays when system administrators are not in position to defend against the attack.
SamSam Course of Action
The SamSam attack team originally exploited JBoss vulnerabilities before drifting to Microsoft IIS and FTP vulnerabilities, and even RDP instances exposed to the public.
The SamSam attackers manually supervise the attacks and quickly make adjustments to deal with the local environment. For example, in a 2017 attack, the company’s endpoint monitoring tool scanned the machine and initially detected the use of Mimikatz by the SamSam attackers.
They recognized the detection and modified the registry to disable the endpoint tool scan so they could continue the attack undetected.
SamSam Ransomware encryptions also go above and beyond the usual ransomware encryption of user files that can be recovered using a backup. SamSam also encrypts everything else that was not required to keep the machine functioning so that installed applications also become unusable on the endpoint.
This would require a full endpoint restore of all installed software and extends the recovery time for each user. Faced with the prospect of weeks of recovery time, paying the ransom begins to become attractive.
The SamSam attackers are also economically sophisticated enough to adjust their ransom so that the decryption is expensive, but attractive compared to the full price for recovery. For Hancock Health, the four BitCoins required to restore each endpoint ($56,707.40 in total) was a reasonable price to pay to restore all of their hospital systems within 2 hours of the infection.
After all, the human and reputation costs of an inoperable hospital would be added to the monetary costs of a manual restoration.
Protecting Your Environment
So how do you protect your environment?
Start with these solutions:
- Keep patches up to date
- Have robust password policies and multifactor authentication
- Close all access to RDP from outside the firewall
- Detect the breach as quickly as possible
- Spot anomalies in the use of administration tools and user credential promotions
- Keep users on the least privileged level to minimize compromised user ID access to critical systems
- Periodically assess the network and verify publicly-accessible ports and protocols
Ideal’s services are designed to help your organization prevent SamSam attacks through:
- Installation and configuration of the latest firewall technology through a new network design
- Managed Services to monitor network and server environments
- Managed Security Services through our Blue Bastion division to provide the most thorough protection.
On average, it takes over 190 days to identify a data breach, and another 69 days to contain it.
Companies that contained a breach in 30 days or less saved over $1 million, compared to those that took over 30 days to resolve the issue.
It takes the right plan with the right team to keep your business safe and secure.