The funny thing about ransomware is that it often has very strange names: Bad Rabbit sounds like the name of the villainous bunny from a Beatrix Potter children’s story, not the malware that ravaged hundreds of European businesses. The latest in a long line of oddly named ransomware, SamSam, is one of the worst ransomware strains ever launched and has caught the attention of U.S. federal law enforcement.
Both the FBI and the Department of Homeland Security have issued alerts for the ransomware, also known as MSIL/Samas.A. An alert was issued on December 3, 2018, outlining attacks on several industries, some with vital public infrastructure. SamSam also made the news when two Iranian nationals, Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, were indicted by a U.S. grand jury in New Jersey for ransomware attacks on the Colorado Department of Transportation.
The pair is accused of victimizing over 200 hospitals, businesses, government agencies, and schools in the U.S. and Canada beginning in 2015, extorting over 6 million dollars. The two hackers were also indicted by the state of Georgia for perpetrating the ransomware attacks that crippled Atlanta’s government in March of 2018. Prosecutors state that Mansouri and Savandi cost the city millions in consultant fees, downtime, and other costs by taking almost 3,800 of the City of Atlanta’s computers hostage.
SamSam is a privately developed ransomware that is being used to target specific companies selected by its developers. This makes it a lot harder to combat, because it isn’t just ransomware written to be sold as a service to hackers, like many other kinds of malware. None of the typical defensive strategies stop it.
What’s worse, once a SamSam strain is used and security vendors publish a report, another SamSam strain is developed. Experts suspect that this development team includes the two hackers implicated in the Colorado DoT attack, the Atlanta crimes, and many more.
So far the SamSam ransomware has broken into victims’ networks through web-facing servers. It has been delivered as an executable file over the Remote Desktop Protocol (RDP) and then mistakenly run. So, while you can lock down your RDP, your best strategy is to have a dedicated policy that:
Stay diligent in your organizational cybersecurity practices, and you should be able to avoid ransomware attacks, SamSam or otherwise.
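Since RDP is the entry point the post describes, here is an added example of what “locking down your RDP” means in practice on a single Windows host. It is not code from the original post or from Quikteks; it assumes Windows 10 / Server 2016 or later, English local group names, and an elevated PowerShell session, and it only reads settings, changing nothing.

```powershell
# Added example (not from the original post): read-only audit of the host-level
# RDP settings a lockdown policy usually covers. Each check prints PASS or FAIL.
# Assumes Windows 10 / Server 2016+, English group names, elevated session.

$ts     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $ts 'WinStations\RDP-Tcp'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # missing value is reported as "not configured"
}

$results = New-Object System.Collections.Generic.List[object]
function Add-Check([string]$Check, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{
        Check = $Check; Result = $(if ($Pass) { 'PASS' } else { 'FAIL' }); Detail = $Detail })
}

# 1. Is RDP enabled at all? fDenyTSConnections = 1 means the listener is off.
$deny = Get-RegValue $ts 'fDenyTSConnections'
Add-Check 'RDP disabled where it is not needed' ($deny -eq 1) "fDenyTSConnections=$deny"

# 2. Network Level Authentication: credentials are checked before a session exists.
$nla = Get-RegValue $rdpTcp 'UserAuthentication'
Add-Check 'Network Level Authentication required' ($nla -eq 1) "UserAuthentication=$nla"

# 3. Security layer: 2 = TLS required, 1 = negotiate, 0 = legacy RDP encryption.
$layer = Get-RegValue $rdpTcp 'SecurityLayer'
Add-Check 'TLS security layer enforced' ($layer -eq 2) "SecurityLayer=$layer"

# 4. Inbound RDP firewall rules should be scoped to management addresses, not 'Any'.
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
$open  = @($rules | Get-NetFirewallAddressFilter | Where-Object { $_.RemoteAddress -contains 'Any' })
Add-Check 'RDP firewall rules scoped to specific sources' ($open.Count -eq 0) "$($open.Count) enabled rule(s) allow any remote address"

# 5. Who may log on over RDP? Threshold of 5 is an assumed policy value; adjust it.
$members = @(Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty Name)
Add-Check '"Remote Desktop Users" kept small' ($members.Count -le 5) ('Members: ' + ($members -join ', '))

$results | Format-Table -AutoSize -Wrap
```

Any FAIL row is a setting to fix through Group Policy or System Properties, and the script can be re-run afterwards to confirm the change took effect.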
Want to know more about SamSam? Contact the IT professionals at Quikteks. Call (973) 882-4644.