circuit board with a red bug or virus

The True Cost of SamSam Ransomware

Last year, the city of Atlanta was attacked by a group of hackers who had infiltrated their system and effectively crippled large parts of it.

They were not alone. Just last year, the United States indicted two Iranian nationals who, themselves, had carried out over 200 attacks on organizations in the United States & Canada.

The attack? SamSam Ransomware.​



What is SamSam Ransomware?

The SamSam Ransomware attack is a type of ransomware attack released in 2016 that targeted JBoss servers. Unlike other ransomware attacks, which might use phishing, or drive-by-downloads to infect machines and find vulnerabilities, SamSam used a remote desktop brute-force attack to guess passwords.

Once one password was identified, the malware makes its way through the rest of the network, using brute force and sophisticated algorithms to guess the passwords of other machines.

Once the malware has enough of a toe-hold in the network, it encrypts the information on the network, effectively preventing legitimate users from being able to access their machines.

Typically, the attackers then demand a ransom to ‘release’ the system, rendering it usable again.

Those two Iranian nationals indicted by the United States? According to the US Attorney, made over $6 million and cost their targets approximately $30 million.

Why Was the Attack Successful?

For the SamSam attack, the focus was largely on healthcare, local government organizations, and municipalities. The precise reason why those organizations were chosen is still unclear.

However, it’s not hard to imagine that organizations providing public services would be more likely to pay the ransom quickly, if for no other reason than the ransom is often priced as a ‘no-brainer.’ After all, who thinks about a measly $55,000 when life-saving systems are potentially threatened?

While many ransomware attacks are fairly indiscriminately spread (an unwitting user invites the malware), this one was specifically targeted towards the organizations assaulted.

Warning Signs

In the case of SamSam, the malware does its best to ‘blend in’ until the network is significantly compromised. After a machine is compromised, the virus may sit silently for a day or two. Or maybe a few.

Then, when the timing is right, the attackers download hacking tools onto the computers in an organization. For example, they loaded PSInfo and Mimikatz onto several machines to monitor information and steal passwords.

Then go silent again.

Until a few days later, when the encryption malware is loaded into the organization and executed across the organization. In the case of the Atlanta attack, two versions of SamSam were loaded on in case one was detected by security software.

Unfortunately, this kind of ‘random’ activity can be difficult to track which is why it’s important to have a great SIEM being monitored by a skilled security operations center team working together to identify and catch these aberrant events before they become incidents.

Protecting Your People & Your System

SamSam, like many other kinds of attacks, is made easier when lax security controls are in place. For instance, permitting weak passwords (and not rotating them), not using two-factor authentication, and not investing in user education training are ways to inadvertently expose your network to vulnerabilities.


Additionally, the US Department of Homeland Security suggests organizations:

  • Audit your network for systems that use Remote Desktop Protocols (RDP) for remote communication and disabling if possible.
  • Verify that all cloud-based virtual machine instances with public IPs have no open RDP ports, especially port 3389 unless there is a valid business reason to keep open RDP ports. Secure any system with an open RDP port behind a firewall and require users to use a virtual private network (VPN) to access that system.
  • Enable strong passwords and account lockout policies to defend against brute force attacks.
  • Use two-factor authentication.
  • Regularly apply system and software updates.
  • Maintain a good back-up strategy.
  • Enable logging and ensure that logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days and review them regularly to detect intrusion attempts.
  • When creating cloud-based virtual machines, adhere to the cloud provider’s best practices for remote access.
  • Ensure that third parties that require RDP access follow internal policies on remote access.
  • Minimize network exposure for all control system devices. Where possible, disable RDP on critical devices.
  • Regulate and limit external-to-internal RDP connections. When external access to internal resources is required, use secure methods such as VPNs. Of course, VPNs are only as secure as the connected devices.
  • Restrict users’ ability (permissions) to install and run unwanted software applications.
  • Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.

Additionally, you want to make sure you’ve got good anti-virus protection on your machines, as well as backups of important data. While not a complete ‘security strategy,’ having backups can help reduce the cost of the attack.

Finally, you want to make sure you’re using a SIEM to monitor for abnormal events on your network, so that your security operations team can alert you to any potential threats – before they occur.

Hidden Threats and Cyber Attacks: Reveal and Respond to Some of the Hardest to Detect Cyber Attacks

Jason Miller

Jason Miller, Founder and CEO of BitLyft Cybersecurity, has dedicated his 20-year IT career, including co-founding SaaS pioneer Reviora, to removing cybersecurity barriers for mid-sized enterprises. Establishing BitLyft in 2016, Jason set out to unburden security teams with innovative, approachable, and affordable solutions, a vision which has made BitLyft a respected managed detection and response provider. Outside his cybersecurity pursuits, Jason is an avid tree farmer and outdoor enthusiast, planting nearly 300 trees on his ten-acre plot and finding joy in hiking, hunting, and driving his white Tesla Model 3. His diverse passions mirror the balanced blend of expertise, dedication, and joy he brings to BitLyft.

More Reading

hacker image of hacker person at a computer
Cybercrime Trends: How to Protect Your Business
As the digital age deepens, businesses and individuals alike are experiencing both the good and the bad that comes from emerging technologies. One of the negatives is an increase in cybercrime....
woman looking at tiktok on her phone
The Countdown To The End Of TikTok?
Over the middle few months of 2020 the social media app TikTok has grown rapidly in popularity, and videos appearing on the app have been going viral for some time. But at the same moment the app is...
Manufacturing Cyber Attacks
Popular Types of Cyber Attacks In Manufacturing
Cyber attacks are on the rise with one report suggesting that they have increased by 59%. Cyber attacks in manufacturing do not gain as much news coverage or discussion as attacks on retail stores or...