Andrea Danti - Fotolia

SamSam ransomware: How can enterprises prevent an attack?

SamSam ransomware infected the Colorado DOT after hitting hospitals, city councils and companies. Learn how this version differs from those we've seen in the past.

After attacking hospitals, city councils, companies and other organizations since 2016, SamSam ransomware recently infected the Colorado Department of Transportation. How does this version of SamSam ransomware differ from those we've seen in the past? How can an enterprise prevent such an attack from occurring?

In recent months, ransomware attacks have continued to increase in prevalence, and most of the attacks have been automated and delivered via phishing or compromised websites. However, recent research shows that SamSam ransomware attacks are particularly devastating in part because they appear to be spread by direct, active hacking rather than by phishing or other automated mechanisms.

In January, the Colorado Department of Transportation (DOT) was infected with SamSam ransomware. Like other SamSam attacks, this attack was a manual attack where the attacker used SamSam ransomware to monetize their access.

Recent research has found that the SamSam ransomware appears to be deployed after an attacker exploits well-known vulnerabilities on systems exposed to the internet -- including flaws in the Remote Desktop Protocol (RDP) or a vulnerability in JBoss middleware -- to gain access to the chosen victim network. Once attackers have access, they used the Windows Cryptography API and a symmetric encryption algorithm key -- Rijndael -- which is randomly generated on the compromised system, to encrypt the files. The attacker then deletes the backups and wipes the free space to make recovery more difficult.

In the Colorado DOT attack, the attacker appears to have brute-forced an RDP connection and compromised other systems on the network from that initial access. SamSam attackers often target networks that expose RDP servers to the internet, and enterprises must stop attackers from accessing their systems by defending their network assets from any intrusion before working to defend against the ransomware, in this case by first shutting down the RDP servers exposed to the public internet.

Because known vulnerabilities have been used, a vulnerability management program should address these issues to protect systems exposed to the internet as soon as possible. IT can also slow the attack down using brute-force monitoring of failed logins and by locking accounts after a specified number of failed logins.

After the SamSam attack on the Colorado DOT, the state did not pay the ransom and used backups to restore the systems.

Ask the expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)

Dig Deeper on Threats and vulnerabilities