“SamSam ransomware is still plaguing organizations across the US, with fresh attacks against 67 new targets -- including at least one involved with administering the upcoming midterm elections…” That was the lead line in a recent ZDnet article, evidencing that SamSam ransomware is still a major menace.
We previously examined the SamSam ransomware family (a.k.a. Samsa and Samas) back in 2016 following several notable and high profile attacks. The attackers utilizing the ransomware primarily targeted the healthcare industry, but there are plenty of campaigns that deviate from that focus.
SamSam Defense Pro Tips
The following are measures that can be taken to help prevent being a victim of SamSam. It is important to remember there is no one-size-fits-all solution to preventing ransomware, since every organization has a unique security architecture and faces their own unique security challenges, but these tips can help in developing a strategy.
1. Patching and Scanning
Ensure that every single externally-facing application and service is kept patched for any vulnerabilities, especially RDP and JBOSS, Java Server Faces – JSF, Seam Framework, RMI over HTTP, Jenkins CLI RCE, Remote JMX - the most historically common foothold vectors for SamSam. Leverage services like Shodan to proactively scan your own organization for vulnerable externally-facing services.
2. Multi-Factor Authentication
Ensure that Two-Factor Authentication (2FA) is required on all externally-facing applications. This helps prevent attackers from simply purchasing credentials on the Deep Dark Web (DDW), as well as preventing against the common brute-forcing methods that SamSam attackers leverage.
3. Prevention Over Detection and Response
Leverage today's predictive AI technologies to predict malware payloads and prevent them from ever executing. An attacker will always find a vulnerable service over the course of time, but they aren't able to outpace today's AI that is able to detect and prevent malware on average 25 months before it is found in the real world.
Regardless of the "vulnerability du jour" they use to gain foothold, the SamSam attacker's core payload still won't be able to run, and devices will not be encrypted.
4. Due Diligence
Leverage third-party DDW scanning services that proactively scour for compromised credentials and for-sale shell accounts, RDP accounts, etc., associated with your organization.
5. Be Prepared for the Fileless
Leverage AI-powered detection for fileless attacks (a.k.a. "living-off-the-land" attacks) that are used by SamSam and other actors. Today's AI-based solutions can spot permutations of 1-liner attacks that would take a human analyst hours to spot and realize that it is malicious.
AI can help organizations automate detection of these kinds of tactics, and even prevent their child processes from subsequently executing, all in real-time, without the need to send data to the cloud for 'after the fact' correlation, enrichment, and analysis.
Put another way, AI allows organizations to proactively prevent attacks that are in-flight, by autonomously interjecting the kill-chain at machine speed and do so with local intelligence at the edge.
6. Have an Incident Containment Retainer in Place
Make sure to have an Incident Containment (IC) or Incident Response (IR) retainer in place such that in an organization's time of need, third-party resources can be quickly ascertained to help navigate an incident.
When a devastating attack like SamSam hits an organization, it isn't the same as when an individual machine or a small department gets hit with ransomware - it affects the entire organization - their upstream and downstream customers and suppliers, shareholders, legal, and all else in between.
For some businesses, navigating a SamSam event correctly can make the difference between staying in business or saying goodbye to it. Having an IC Retainer in place removes any legal red-tape with your IC vendor and provides firm Service Level Agreement (SLA) response times as well.
7. The Limitations of Backups
You will often hear pundits say things like "The best way to combat ransomware is with having online backups that can immediately restore systems when ransomware hits". Beware of heeding this advice when it comes to addressing a threat like SamSam whose actors delete over forty different types of backup files before they ever encrypt a thing.
If you do leverage a backup strategy, then make sure to keep mission critical backups stored both offline and offsite. Relying on Windows Volume Shadow Copy Service (VSS) or relying on end-users to back up key files to mapped share drives, etc., is a recipe for disaster against such a threat. Also, be sure to test restoring your backups in a real-world situation or as part of a Table Top Exercise (TTX).
Too many times organizations have online backup solutions in place and when it comes time to restore them, they quickly find out that restoring terabytes over the wire isn’t as feasible as their solution made it sound. It is important to know how quickly you are able to recover from an incident like this should the need arise.
The irony with leaning on a backup strategy as a primary means of reducing risk, is that by doing so, the victim organization is easily left out in the cold and in a panic when those backup files are deleted - exactly what the SamSam actors leverage when they ask for ransom amounts in the tens of thousands of dollars.
8. A Word About End User Training
A lot of emphasis gets put on training end-users "not to click stuff", but remember two things here:
- Even the best-trained end-users will still click on malicious content, visit malicious websites and make mistakes: this is what humans do when they work long, hard and fast to accomplish daily tasks.
- Threats like SamSam prove without a doubt, that no amount of end-user training and awareness will prevent a compromise that uses similar TTPs. We need to shift from blaming our end-users, to blaming our technology stack for not being patched, not having 2FA enabled, and not having sufficiently effective prevention capabilities against malware payloads like those used by SamSam.
9. Malware and Attackers Evolve
Realize that SamSam TTPs will change and adapt to new vulnerabilities that come out in externally-facing services over time. Similar to how PyRoMine and other crypto-currency miners leverage vulnerabilities like the NSA-leaked EternalRomance, SamSam actors look for organizations that remain unpatched for vulnerabilities that have wide distribution.
It would not be surprising, for example, for SamSam actors to target an unpatched Redis server, or even to have leveraged EternalRomance to target RDP via Remote Code Execution (RCE), instead of the more standard Brute Forcing or credential theft means.
This is primarily because SamSam actors perform a lot of manual infiltration activities in order to target, gain foothold, and persist undetected, as well as move and spread laterally to gain as much foothold as possible before initiating the encryption activity.
In other words, these are adaptable human threat actors that target weak organizations; not spray-and-pray automated, opportunistic mal-spammers. They adapt, and they fully understand and exploit the concepts of leverage and ransom: the more estate that they can encrypt, the more likely the organization is to panic, be on its heels, and pay the ransom.
We've seen SamSam actors wait months before initiating the encryption routines. During these months, the attacker is actively working to jump network segments and affect more of the enterprise or production/OT networks. More recently, encryption routines are being launched very late in the evening, local to the victim's time zone, likely to avoid detection during waking hours.
We've also seen them re-target organizations whom have paid in the past. We've even seen an instance where the attacker tried multiple versions of SamSam malware to bypass a host's defenses, downloading a total of six unique binaries all during the same compromised RDP session. When one payload failed, they tried another, and another, until they packed one in such a way so as to bypass the host defense.
These are persistent actors with tried and tested TTP's for gaining entry into an organization. They are also adept at negotiating with victims and tend to "price the ransom amount to perfection" - knowing not to demand too much, yet extorting the maximum amount out of the organization.
Conclusion
SamSam continues to evolve as we head into 2019. The same actors have made many millions from keeping to their core strategy of targeting vulnerable organizations, destroying backups, and leveraging even human life and safety to extract payment from victims.
SamSam represents one of the most consistently effective human-conducted, targeted criminal campaigns to date. The actors take every precaution to avoid having their actions attributable to them and intend to stay in it for the long game.
The good news is that these types of attacks are entirely preventable with the right best practices (namely 2FA), patching, and AI-enabled endpoint-protection.
By Cylance's Scott Scheferman (senior director of global services for Strategic Accounts) and Trevin Mowery (principal consultant, Incident Response and Forensics). Read more Cylance blogs here.