• Quikteks Blog
• December 21, 2018

Bad Rabbit

The funny thing about ransomware is that they have some very strange names: Bad Rabbit sounds like the name of the villainous bunny from the Beatrix Potter children’s story, not the malware that ravaged hundreds of European businesses. The latest in a long line of funny-named ransomware, SamSam, is one of the worst ransomware strains ever launched and has caught the attention of U.S. Federal law enforcement.

Federal Alerts Issued

Both the FBI and the Department of Homeland Security have issued alerts for the ransomware, also known as MSIL/Samas.A. An alert was issued on December 3, 2018, outlining an attack on several industries, some with vital public infrastructure. SamSam also got into the news when two Iranian nationals, Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri were indicted by a U.S. grand jury in New Jersey for ransomware attacks on the Colorado Department of Transportation.

Mansouri and Savandi

The pair is accused of victimizing over 200 hospitals, businesses, government agencies, and schools in the U.S. and Canada beginning in 2015, extorting over 6 million dollars. The two hackers were also indicted by the state of Georgia for perpetrating the ransomware systems that crippled Atlanta’s government in March of 2018. Prosecutors state that Mansouri and Savandi cost the city millions in consultant fees, downtime, and other costs, by taking almost 3,800 of the City of Atlanta’s computers hostage.

What is SamSam?

SamSam is a privately developed ransomware that is being used to target specific companies selected by the developers. This means that it is a lot harder to combat because isn’t just ransomware that was written to be sold as a service to hackers like many other kinds of malware. None of the typical defensive strategies stop it.

What’s worse, once a SamSam strain is used, and security vendors publish a report, another SamSam strain is developed. Experts suspect that this development team includes the two hackers implicated in the Colorado DoT,the Atlanta crimes, and many more.

What Can You Do?

So far the SamSam ransomware has broken into victims’ networks using web-facing servers. It has been deployed as an executable file that is mistakenly unleashed, via the Remote Desktop Protocol. So, while you can lock down your RDP, your best strategy is to have a dedicated policy that:

• • Prohibits unauthorized users from having administrative privileges.
• • Limits use of Domain Access accounts to administration tasks.
• • Doesn’t provide service accounts for important services.
• • Restricts access to critical systems.

Stay diligent in your organizational cybersecurity practices, and you should be able to avoid ransomware attacks, SamSam or otherwise.
Want to know more about SamSam? Contact the IT professionals at Quikteks. Call (973) 882-4644.