New Sleeper Strain of SamSam Ransomware Bypasses AV And Stays Hidden On Your Network
The ransomware strain that crippled several cities and school districts in the U.S. earlier this year is back with more tricks up its sleeve to avoid detection.
If you haven’t heard of SamSam, you haven’t been paying attention. Just one example of the kind of destruction they can cause is the recent attack on the Colorado Department of Transportation which caused downtime for 2,000+ systems.
This new SamSam strain adds a human element to its already devious mix of evasive techniques to keep antivirus, endpoint, and even more advanced security software from detecting it.
SamSam avoids being discovered using sophisticated methods of constructing its payload and how it executes. In their recent blog, endpoint protection company Malwarebytes provides a detailed technical explanation of how this new variant of SamSam works.
Your Executive Summary
Your executive summary is that basically this SamSam strain avoids detection using three advanced techniques.
- It decrypts the payload only at run-time, making it nearly impossible to identify and analyze.
- It’s loader, payload, and logs are wiped, leaving very few traces behind for any forensics or scanning tools.
- It requires a password to be entered by the threat actor to run in the first place.
It’s that last part of the attack that makes this latest strain so dangerous. Unlike most ransomware strains which are designed to spread automatically, this new strain of SamSam is designed for targeted attacks.
By requiring a password, the payload remains encrypted (and, therefore, an absolute secret), only woken up when and where the bad guys choose to unleash it in your network, all at the same moment to create the biggest impact and damage.
Do You Want The Good News Or The Bad News?
The good news is that, should users accidentally download this strain of ransomware, or your network is compromised via an RDP brute-force attack, the payload is harmless without the password to run it. The bad news is, should the SamSam gang decide that your organization is next up to be extorted, all your users will be sitting on their hands for possibly weeks if your backups fail.
The Two Problems: Open RDP Ports And Social Engineering
Gangs like SamSam and Crysis use two main attack vectors to get in. RDP ports and social engineering your users, normally through email attachments. Let's take a look at RDP first.
A typical RDP attack goes through the following steps: An attacker picks targets with RDP ports available online and identifies if the computer is assigned to an enterprise network. Alternatively, he can always buy access to previously hacked RDP servers, via marketplaces like xDedic.
They try to brute-force the RDP connection, and once the system is accessed they return multiple times to quickly compromise the machine. These repeated attempts are generally successful in a matter of minutes.
Once they gain access the attacker goes lateral in the network and infects critical machines, but does not get the ransomware code executed... yet.
Social Engineering Your Users
Recent research shows that between 10.5% and 15% of malicious email makes it through the filters. This gap analysis is the best proof that you should train your end users and create an additional security layer that you could call your Human Firewall.
Five Things You Can Do About This Right Away:
When is the last time you tested the restore function of your backups? You want to do that ASAP, and make sure you have weapons-grade backups at all times.
Scan your network to identify any open RDP ports and ideally disable RDP completely on all Windows machines if possible. By default, the server listens on TCP port 3389 and UDP port 3389.
Best practice to protect a network from a brute force RDP attack is to apply strong RDP security settings, including limiting or disabling access to shared folders and clipboards from remote locations.
An RDP brute force approach does open the attacker’s information to the targeted network, so automate the process of parsing the Windows Event Viewer logs, find any compromised user accounts, identify the IP address of the attacker and block that.
Do a no-charge Phishing Security Test and find out what percentage of your users is Phish-prone. Use that percentage as a catalyst to start a new-school security awareness training program, which—by survey—your users are actually going to appreciate because it helps them stay safe on the internet at the house.
Let's stay safe out there.
Founder and CEO,
JaredBusch last edited by