Exposing SamSam ransomware | IT World Canada News



Email, whether spam or spear-phishing, is one of the most popular ways of spreading ransomware, which means employee awareness training can help stop it. However, a new report warns infosec pros that the person or people behind the strain known as SamSam prefer a hands-on attack. "Unlike almost all other ransomware attacks, the entire attack process is manual," says the report released this morning by Sophos about SamSam, which other researchers also call SamSa and Samas. "No badly worded spam email with an attachment … The attacker breaks in the old-fashioned way: using tools that attempt as many connections as the Remote Desktop Protocol (RDP) allows, and exploiting vulnerabilities in the system. More often than you might think, SamSam succeeds because the victim chose a weak password that is easy to guess."

In a previous report, Sophos said SamSam was the ransomware that paralyzed the city of Atlanta, which is still trying to recover. According to a Reuters report last month, the city was told that more than a third of its 424 software applications had been taken offline or partially disabled during the attack. Almost 30 per cent of the affected applications are considered "mission-critical", including those used by the police and the courts. The estimated cost of recovery is well in excess of US$10 million.

The SamSam attacker "is careful in target selection and meticulous in preparing attacks," says the Sophos report. Once inside, a payload is distributed laterally across the network to as many machines as possible. Among the tools used, Mimikatz harvests credentials. Encryption commands are typically run in the middle of the night or early in the morning in the victim's time zone, when most users and administrators are asleep. Encryption targets are prioritized: first application configuration files, then everything else.

Since it first appeared in late 2015, Sophos estimates, the ransomware has generated more than $5.9 million. While 74 per cent of known victims are based in the United States, others have been hit in Canada, the United Kingdom and the Middle East.

[Sophos graphic]

When attacks began in 2016, they often exploited vulnerabilities in JBOSS systems to gain the privileges that would allow them to copy ransomware into the network, the report says. However, more and more, the person (s) behind the SamSam attacks is brutal, forcing the vulnerable Windows RDP accounts into large and medium organizations. These could be found by buying vulnerable server lists on the dark web, speculating the report, or performing a search with Shodan or Censys for devices using the default RDP port, port 3389

. privileges to get admin control over as many machines as possible then propagate the ransomware using legitimate Windows network
administration tools such as PsExec or PAExec and stolen credentials.
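The two behaviours just described, RDP password guessing followed by a successful logon and the use of PsExec-style remote service installs, leave a recognizable trail in Windows event logs. The following is an added detection example, not code from Sophos or from this article. It assumes a simplified one-line `key=value` export of Security log events 4625/4624 (with `LogonType=10` for RDP) and System log event 7045 (service installed); the sample records are constructed, and the `PAExec-` service-name prefix is an assumption to check against your own baseline.

```python
"""Detect two SamSam-style behaviours in Windows event records: RDP password
guessing (bursts of failed logons from one address) and remote service
installs of the PsExec/PAExec kind.

Added example, not Sophos's or IT World Canada's code. The records below are
constructed samples in a simplified one-line key=value form, not real event
log output; adapt parse_event() to your own export (EVTX, Sysmon, SIEM).
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # failed RDP logons from one address ...
WINDOW = timedelta(minutes=10)  # ... inside this window raise an alert

# Constructed sample: six failed RDP logons (4625, LogonType 10) from one
# external address, then a success (4624) from the same address, an unrelated
# local failure, and a PsExec service install (7045) on an internal host.
SAMPLE_EVENTS = """\
2018-07-31T02:01:03 EventID=4625 LogonType=10 Account=administrator SrcIP=198.51.100.7 Host=SRV01
2018-07-31T02:01:04 EventID=4625 LogonType=10 Account=administrator SrcIP=198.51.100.7 Host=SRV01
2018-07-31T02:01:05 EventID=4625 LogonType=10 Account=admin SrcIP=198.51.100.7 Host=SRV01
2018-07-31T02:01:06 EventID=4625 LogonType=10 Account=backup SrcIP=198.51.100.7 Host=SRV01
2018-07-31T02:01:07 EventID=4625 LogonType=10 Account=helpdesk SrcIP=198.51.100.7 Host=SRV01
2018-07-31T02:01:09 EventID=4625 LogonType=10 Account=svc_sql SrcIP=198.51.100.7 Host=SRV01
2018-07-31T02:01:12 EventID=4624 LogonType=10 Account=svc_sql SrcIP=198.51.100.7 Host=SRV01
2018-07-31T02:05:00 EventID=4625 LogonType=2 Account=jsmith SrcIP=10.0.0.15 Host=WS22
2018-07-31T02:40:21 EventID=7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe Host=FS03
"""


def parse_event(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    ev = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        ev[key] = value
    return ev


def parse_events(text):
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def rdp_bruteforce_alerts(events):
    """One alert per source address that produced FAIL_THRESHOLD or more failed
    RDP logons (EventID 4625, LogonType 10) within WINDOW. The alert records
    whether an RDP success (4624) from that address followed the burst, which
    is the case to treat as a probable compromise rather than background noise."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ev in events:
        if ev.get("LogonType") != "10":
            continue
        if ev["EventID"] == "4625":
            failures[ev["SrcIP"]].append(ev["ts"])
        elif ev["EventID"] == "4624":
            successes[ev["SrcIP"]].append(ev["ts"])

    alerts = []
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > WINDOW:  # slide the window forward
                start += 1
            if end - start + 1 >= FAIL_THRESHOLD:
                burst_start = times[start]
                alerts.append({
                    "src_ip": src,
                    "failures": len(times),
                    "success_after_burst": any(t > burst_start for t in successes[src]),
                })
                break
    return alerts


def remote_service_alerts(events):
    """Service installs (EventID 7045) whose name matches PsExec's PSEXESVC or
    PAExec's PAExec-* naming (the PAExec prefix is an assumption to verify)."""
    return [
        (ev["Host"], ev["ServiceName"])
        for ev in events
        if ev["EventID"] == "7045"
        and ev.get("ServiceName", "").upper().startswith(("PSEXESVC", "PAEXEC"))
    ]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for alert in rdp_bruteforce_alerts(evs):
        print("RDP brute force:", alert)
    for host, svc in remote_service_alerts(evs):
        print(f"remote admin tool service installed on {host}: {svc}")
```

A 7045 alert on its own is weak evidence, since administrators use PsExec legitimately; it becomes strong when it follows a brute-force alert from the same account, or lands on a host outside the normal change window.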

Infosec pros are not completely defenseless, but the attacker appears to keep a stock of malware payloads: if one sample is stopped by an antivirus, the attacker can quickly switch to a new sample and keep pressing the attack.

SamSam is now on version 3, which adds a new layer of complexity that makes analysis more difficult by splitting the ransomware's functions into two files. When deploying the ransomware, the attacker manually supplies a password as an argument to a component called "the runner", named after the file "runner2.exe". The runner contains a decryptor for the payload, which is now a separate, encrypted file. Over time the file suffix of this payload has changed, most recently to ".sophos".

The report includes a detailed analysis of the deployment tools and encryption used.

This is not the only report on SamSam. In April, the U.S. Department of Health and Human Services' Healthcare Cybersecurity and Communications Integration Center also released an analysis.

Infosec pros should note that those behind SamSam often choose targets that hold sensitive information and may be willing to pay a ransom, such as governments, health care providers and universities. However, Sophos notes that the private sector has actually been hit more often; it is just that victims in the health care, government and education sectors have (so far) been more likely to admit publicly that they were victims. This may change as more jurisdictions consider passing mandatory data breach disclosure laws.

Every SamSam attack shows a progression in sophistication and a growing awareness on the part of the person or people behind it, notes Sophos. "The ransom demanded of victims has increased dramatically, and the pace of attacks shows no signs of slowing down."

What to do? To prevent infections, Sophos recommends rigorously following best practices for system remediation and network management, limiting administrative privileges on critical systems to the smallest possible number of accounts, and removing avoidable exposures such as RDP ports open to the outside world. Real-time monitoring of networks and events can also help.

"The only safe way to protect a system against this type of ransomware is to keep it offline, and preferably off-site or in secure, locked storage. A response and recovery plan for an attack such as SamSam will look more like a plan to deal with a fire in your data center, or a major natural disaster."
