Last year, the city of Atlanta was attacked by a group of hackers who had infiltrated their system and effectively crippled large parts of it.
They were not alone. Just last year, the United States indicted two Iranian nationals who, themselves, had carried out over 200 attacks on organizations in the United States & Canada.
The attack? SamSam Ransomware.
The City of Atlanta is currently experiencing outages on various customer facing applications, including some that customers may use to pay bills or access court-related information. We will post any updates as we receive them. pic.twitter.com/kc51rojhBl
— City of Atlanta, GA (@CityofAtlanta) March 22, 2018
What is SamSam Ransomware?
The SamSam Ransomware attack is a type of ransomware attack released in 2016 that targeted JBoss servers. Unlike other ransomware attacks, which might use phishing, or drive-by-downloads to infect machines and find vulnerabilities, SamSam used a remote desktop brute-force attack to guess passwords.
Once one password was identified, the malware makes its way through the rest of the network, using brute force and sophisticated algorithms to guess the passwords of other machines.
Once the malware has enough of a toe-hold in the network, it encrypts the information on the network, effectively preventing legitimate users from being able to access their machines.
Typically, the attackers then demand a ransom to ‘release’ the system, rendering it usable again.
Those two Iranian nationals indicted by the United States? According to the US Attorney, made over $6 million and cost their targets approximately $30 million.
Why Was the Attack Successful?
For the SamSam attack, the focus was largely on healthcare, local government organizations, and municipalities. The precise reason why those organizations were chosen is still unclear.
However, it’s not hard to imagine that organizations providing public services would be more likely to pay the ransom quickly, if for no other reason than the ransom is often priced as a ‘no-brainer.’ After all, who thinks about a measly $55,000 when life-saving systems are potentially threatened?
While many ransomware attacks are fairly indiscriminately spread (an unwitting user invites the malware), this one was specifically targeted towards the organizations assaulted.
In the case of SamSam, the malware does its best to ‘blend in’ until the network is significantly compromised. After a machine is compromised, the virus may sit silently for a day or two. Or maybe a few.
Then, when the timing is right, the attackers download hacking tools onto the computers in an organization. For example, they loaded PSInfo and Mimikatz onto several machines to monitor information and steal passwords.
Then go silent again.
Until a few days later, when the encryption malware is loaded into the organization and executed across the organization. In the case of the Atlanta attack, two versions of SamSam were loaded on in case one was detected by security software.
Unfortunately, this kind of ‘random’ activity can be difficult to track which is why it’s important to have a great SIEM being monitored by a skilled security operations team working together to identify and catch these aberrant events before they become incidents.
Protecting Your People & Your System
SamSam, like many other kinds of attacks, is made easier when lax security controls are in place. For instance, permitting weak passwords (and not rotating them), not using two-factor authentication, and not investing in user education training are ways to inadvertently expose your network to vulnerabilities.
Additionally, the US Department of Homeland Security suggests organizations:
- Audit your network for systems that use Remote Desktop Protocols (RDP) for remote communication and disabling if possible.
- Verify that all cloud-based virtual machine instances with public IPs have no open RDP ports, especially port 3389 unless there is a valid business reason to keep open RDP ports. Secure any system with an open RDP port behind a firewall and require users to use a virtual private network (VPN) to access that system.
- Enable strong passwords and account lockout policies to defend against brute force attacks.
- Use two-factor authentication.
- Regularly apply system and software updates.
- Maintain a good back-up strategy.
- Enable logging and ensure that logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days and review them regularly to detect intrusion attempts.
- When creating cloud-based virtual machines, adhere to the cloud provider’s best practices for remote access.
- Ensure that third parties that require RDP access follow internal policies on remote access.
- Minimize network exposure for all control system devices. Where possible, disable RDP on critical devices.
- Regulate and limit external-to-internal RDP connections. When external access to internal resources is required, use secure methods such as VPNs. Of course, VPNs are only as secure as the connected devices.
- Restrict users’ ability (permissions) to install and run unwanted software applications.
- Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
- Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
Additionally, you want to make sure you’ve got good anti-virus protection on your machines, as well as backups of important data. While not a complete ‘security strategy,’ having backups can help reduce the cost of the attack.
Finally, you want to make sure you’re using a SIEM to monitor for abnormal events on your network, so that your security operations team can alert you to any potential threats – before they occur.