
SamSam ransomware: How can enterprises prevent an attack?

SamSam ransomware infected the Colorado DOT after hitting hospitals, city councils and companies. Learn how this version differs from those we've seen in the past.

After attacking hospitals, city councils, companies and other organizations since 2016, SamSam ransomware recently infected the Colorado Department of Transportation. How does this version of SamSam ransomware differ from those we've seen in the past? How can an enterprise prevent such an attack from occurring?

In recent months, ransomware attacks have continued to increase in prevalence, and most of the attacks have been automated and delivered via phishing or compromised websites. However, recent research shows that SamSam ransomware attacks are particularly devastating in part because they appear to be spread by direct, active hacking rather than by phishing or other automated mechanisms.

In January, the Colorado Department of Transportation (DOT) was infected with SamSam ransomware. Like other SamSam attacks, this attack was a manual attack where the attacker used SamSam ransomware to monetize their access.

Recent research has found that SamSam ransomware is deployed only after an attacker exploits well-known vulnerabilities on systems exposed to the internet -- including flaws in the Remote Desktop Protocol (RDP) or a vulnerability in JBoss middleware -- to gain access to the chosen victim network. Once the attackers have access, they use the Windows Cryptography API with a symmetric Rijndael key that is randomly generated on the compromised system to encrypt the files. The attacker then deletes backups and wipes the free space to make recovery more difficult.

In the Colorado DOT attack, the attacker appears to have brute-forced an RDP connection and then compromised other systems on the network from that initial foothold. SamSam attackers often target networks that expose RDP servers to the internet, so enterprises should first defend their network assets against the intrusion itself before working to defend against the ransomware payload; in this case, that means first shutting down, or removing from the public internet, any RDP servers that are directly exposed.

Because the attackers exploit known vulnerabilities, a vulnerability management program should patch internet-exposed systems as soon as possible. IT can also slow an attack down by monitoring failed-login logs for brute-force activity and by locking accounts after a specified number of failed logins.
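As an added illustration of the brute-force monitoring described above (example code written for this page, not part of the original article or any product), the following Python flags source IPs that generate a burst of failed RDP logons and notes whether a successful RDP logon from the same source followed. It assumes Windows Security events have already been exported to simple records; the sample events are constructed, and the field names and the threshold of five failures in five minutes are assumptions to be tuned to the environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): a simplified view of Windows
# Security Event ID 4625 ("An account failed to log on") and 4624 (success).
# LogonType 10 is RemoteInteractive, i.e. an RDP session; LogonType 3 is a
# plain network logon and is ignored here.
SAMPLE_EVENTS = [
    {"time": "2018-02-20T03:00:01", "event_id": 4625, "logon_type": 10, "user": "Administrator", "src_ip": "198.51.100.7"},
    {"time": "2018-02-20T03:00:04", "event_id": 4625, "logon_type": 10, "user": "Administrator", "src_ip": "198.51.100.7"},
    {"time": "2018-02-20T03:00:06", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "198.51.100.7"},
    {"time": "2018-02-20T03:00:09", "event_id": 4625, "logon_type": 10, "user": "backup", "src_ip": "198.51.100.7"},
    {"time": "2018-02-20T03:00:11", "event_id": 4625, "logon_type": 10, "user": "Administrator", "src_ip": "198.51.100.7"},
    {"time": "2018-02-20T03:00:12", "event_id": 4624, "logon_type": 10, "user": "Administrator", "src_ip": "198.51.100.7"},
    {"time": "2018-02-20T08:15:00", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src_ip": "10.0.0.23"},
    {"time": "2018-02-20T08:15:30", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src_ip": "10.0.0.23"},
    {"time": "2018-02-20T08:16:00", "event_id": 4625, "logon_type": 3, "user": "svc", "src_ip": "10.0.0.9"},
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed RDP logons inside a sliding window.

    Returns {src_ip: {"failures": n, "users": [...], "success_after": bool}}.
    success_after is set when a successful RDP logon (4624) arrives from an IP
    that has already been flagged, which is the signature of a brute force
    that worked and should be treated as a likely compromise, not just noise.
    """
    recent = defaultdict(deque)   # src_ip -> timestamps of failures in the window
    users = defaultdict(set)      # src_ip -> usernames tried (spraying indicator)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != 10:
            continue              # only RDP (RemoteInteractive) logons
        ts = datetime.fromisoformat(ev["time"])
        ip = ev["src_ip"]
        if ev["event_id"] == 4625:
            q = recent[ip]
            q.append(ts)
            users[ip].add(ev["user"])
            while q and ts - q[0] > window:
                q.popleft()       # drop failures that fell out of the window
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"failures": 0, "users": [], "success_after": False})
                a["failures"] = len(q)
                a["users"] = sorted(users[ip])
        elif ev["event_id"] == 4624 and ip in alerts:
            alerts[ip]["success_after"] = True
    return alerts
```

An alert with success_after set is the case to escalate first, since the attacker already has an interactive session to pivot from.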

After the SamSam attack on the Colorado DOT, the state did not pay the ransom and used backups to restore the systems.


This was last published in August 2018
