The FBI and Department of Homeland Security (DHS) have issued an alert for SamSam ransomware, also known as MSIL/Samas.A.
The alert, issued Monday, describes how hackers armed with SamSam targeted multiple industries, including some within critical infrastructure. Victims were located predominantly in the United States, but international attacks also occurred, the alert says.
The FBI and DHS alert comes only a few days after the U.S. Justice Department charged two Iranian nationals as the masterminds behind the recent SamSam ransomware attacks. On a related note, the cyber kidnappers behind SamSam ransomware attacks in Atlanta and Colorado earlier this year have hit nearly 70 organizations in the last 10 months, according to Symantec.
How SamSam Ransomware Attacks Happen
During a typical attack, the alert says:
- The actors exploit Windows servers to gain persistent access to a victim’s network and infect all reachable hosts.
- Cyber actors used the JexBoss Exploit Kit to access vulnerable JBoss applications.
- Cyber actors use Remote Desktop Protocol (RDP) to gain persistent access to victims’ networks.
- To obtain that RDP access, the hackers typically used brute force attacks or stolen login credentials. Detecting RDP intrusions can be challenging because the malware enters through an approved access point.
- After gaining access to a particular network, the SamSam actors escalate privileges to administrator rights, drop malware onto the server, and run an executable file, all without the victims’ action or authorization.
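Because the RDP foothold described above arrives through an approved access point, defenders usually look for its precursors in the Windows Security log rather than for the malware itself. The following is an added example, not code from the alert or from any vendor: it runs a simple brute-force detector over a constructed set of logon events (Event ID 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive/RDP), flagging any RDP success that was preceded by a burst of failures from the same source address. The field layout, threshold and window are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, reduced to the fields that matter:
# (timestamp, event_id, logon_type, account, source_ip). Not real telemetry.
SAMPLE_EVENTS = [
    ("2018-11-26 02:00:01", 4625, 10, "admin", "203.0.113.5"),
    ("2018-11-26 02:00:03", 4625, 10, "admin", "203.0.113.5"),
    ("2018-11-26 02:00:04", 4625, 10, "admin", "203.0.113.5"),
    ("2018-11-26 02:00:06", 4625, 10, "admin", "203.0.113.5"),
    ("2018-11-26 02:00:09", 4625, 10, "admin", "203.0.113.5"),
    ("2018-11-26 02:01:30", 4624, 10, "admin", "203.0.113.5"),  # success after the burst
    ("2018-11-26 08:15:00", 4624, 10, "jsmith", "192.0.2.10"),  # ordinary RDP logon, no failures
    ("2018-11-26 09:00:00", 4624, 3, "svc", "203.0.113.5"),     # network logon, not RDP; ignored
]

FAIL_THRESHOLD = 5            # failed RDP logons from one source before a success is suspicious
WINDOW = timedelta(minutes=10)  # how far back failures still count
# Logon types treated as RDP. With Network Level Authentication enabled, failed
# attempts are often recorded as type 3 instead, so defenders commonly widen this set.
RDP_LOGON_TYPES = {10}

def parse(event):
    """Turn one sample tuple into (datetime, event_id, logon_type, account, source_ip)."""
    ts, event_id, logon_type, account, ip = event
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event_id, logon_type, account, ip

def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return (source_ip, account, n_failures) for every successful RDP logon that was
    preceded by at least `threshold` failed RDP logons from the same source within `window`.
    Stolen valid credentials produce no 4625 events, so this only catches the brute-force path."""
    failures = defaultdict(list)  # source_ip -> timestamps of failed RDP logons
    hits = []
    for ts, event_id, logon_type, account, ip in sorted(map(parse, events)):
        if logon_type not in RDP_LOGON_TYPES:
            continue
        if event_id == 4625:
            failures[ip].append(ts)
        elif event_id == 4624:
            recent = [t for t in failures[ip] if ts - t <= window]
            if len(recent) >= threshold:
                hits.append((ip, account, len(recent)))
    return hits

if __name__ == "__main__":
    for ip, account, n in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(f"RDP success for {account} from {ip} after {n} failures in {WINDOW}")
```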
SamSam Ransomware: Technical Details
Within the same alert, the National Cybersecurity and Communications Integration Center (NCCIC) recommended that cybersecurity professionals review four SamSam Malware Analysis Reports:
- MAR-10219351.r1.v2 – SamSam1
- MAR-10166283.r1.v1 – SamSam2
- MAR-10158513.r1.v1 – SamSam3
- MAR-10164494.r1.v1 – SamSam4
SamSam Ransomware: Mitigations
The DHS and FBI alert included 14 steps that cybersecurity professionals should take to mitigate the risk of a SamSam infection.