SamSam Ransomware: What To Do If You’re Infected

Tetra Defense looks back at some ransomware strains we've seen, as the past often informs the present. Learn how SamSam ransomware operated to stay informed about possible future strains.

What is SamSam Ransomware?

The SamSam strain of ransomware is one of the most severe malware strains to hit businesses in the United States in recent years. Estimates suggest that around 74% of SamSam victims have been US companies. The impact of SamSam Ransomware has been so severe that the US Department of Homeland Security issued advisory guidelines and detailed information about how to react to the outbreak.

SamSam, also known as MSIL/Samas.A, was first created in late 2015 by two Iranian co-conspirators who later faced federal indictment in the US for their ransomware activities. SamSam has undergone numerous revisions between 2016 and 2020. Cybersecurity experts believe that the attackers’ primary motive was to bring down entire corporate networks to force payment of ransom. According to a report by Sophos, SamSam had earned its creator(s) more than $5.9 million USD as of 2018.

How Does SamSam Ransomware Work?

SamSam primarily targeted businesses that operate JBoss enterprise applications. JBoss is a widely used Java middleware application that powers web applications. JBoss servers are typically connected directly to a database backend (such as MySQL) and a web server frontend (such as Apache or IIS).

A significant component of the SamSam ransomware life cycle was the threat actors' purchase of compromised RDP credentials on the dark web. These credentials originated from botnets that harvested them after targeting weak, public-facing RDP connections. Once a network was breached, the JexBoss exploit kit was executed to attack Administrator accounts. Once these accounts are compromised, the entire corporate network is at risk if it is not properly segmented.

The FBI analyzed the network access logs of known SamSam victims, revealing that the SamSam actors were infecting a victim's network within hours of purchasing botnet-harvested credentials online. Before the SamSam ransomware infection, several victims identified suspicious activity on their systems. This activity is a possible indicator of when the theft of the victims' credentials happened.

After compromising a Windows Server administrator account, the attacker used standard Windows administration tools to laterally navigate the network, looking for high-value server targets, including database, Active Directory, and web servers. Unlike many other forms of ransomware, a SamSam infection is primarily a manual process. In each instance, the attackers appear to have invested a lot of time into the breach. The malware payload was often delivered outside of business hours to give the attacker more time.
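The behavior described above (purchased RDP credentials used within hours, administrator logons, activity outside business hours) can be hunted for in logon records. The following is an added example, not part of the original article: it assumes successful RDP logons (Windows Security event 4624, LogonType 10) have already been exported to CSV, and the column names, internal range, business hours and sample rows are all constructed assumptions.

```python
import csv
import io
import ipaddress
from datetime import datetime

# Constructed sample: successful RDP logons (Windows Security event 4624,
# LogonType 10) already exported to CSV. Column names are assumptions.
SAMPLE_LOG = """time,host,account,source_ip
2018-03-05T09:12:00,APP01,svc_admin,10.0.4.21
2018-03-06T14:40:00,APP01,svc_admin,10.0.4.21
2018-03-09T23:47:00,APP01,svc_admin,198.51.100.77
2018-03-10T00:05:00,DB01,svc_admin,198.51.100.77
2018-03-12T10:30:00,APP01,jdoe,10.0.4.35
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal range
BUSINESS_HOURS = range(8, 18)  # assumed 08:00-17:59, Monday to Friday


def suspicious_rdp_logons(log_text):
    """Flag RDP logons from outside the internal range, or from a source
    not yet seen for that account when the logon is outside business hours."""
    seen = {}    # account -> set of source addresses already observed
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        when = datetime.fromisoformat(row["time"])
        ip = ipaddress.ip_address(row["source_ip"])
        known = seen.setdefault(row["account"], set())
        reasons = []
        if not any(ip in net for net in INTERNAL_NETS):
            reasons.append("external-source")
        off_hours = when.weekday() >= 5 or when.hour not in BUSINESS_HOURS
        if off_hours and ip not in known:
            reasons.append("new-source-off-hours")
        if reasons:
            alerts.append((row["time"], row["host"], row["account"], reasons))
        known.add(ip)
    return alerts


if __name__ == "__main__":
    for alert in suspicious_rdp_logons(SAMPLE_LOG):
        print(alert)
```

The second alert in the sample shows the same account reaching a different server from the same external address, the kind of movement between high-value servers the paragraph above describes.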

Unlike some other variants of ransomware, SamSam targeted application configuration files in addition to the standard targets of documents, photos, and personal data. This attack methodology breaks applications (such as Microsoft Office), resulting in additional pain points when attempting to restore from backup. In the majority of cases, a complete system rebuild is necessary to recover affected servers.

How Do I Prevent SamSam Ransomware?

Prevention of ransomware like SamSam is possible by observing several security best practices. Evidence gathered after SamSam ransomware attacks reveals that breached servers were nearly always protected by weak, guessable passwords.

The best way to prevent this exploit is to conduct a thorough review of all available RDP connections. Brute force RDP exploits are nothing new, and in fact, RDP exploits are one of the most common methods of ransomware delivery. Because of this, the FBI has published guidelines to help stay on top of RDP vulnerabilities.

These guidelines include reviewing all public-facing servers and ensuring that strong passwords are configured by default, as well as making sure that Remote Desktop Protocol (RDP) connections are not left unprotected in error. Best practices are to block RDP on port 3389 by default on a perimeter firewall, and only use RDP if necessary (and then with multi-factor authentication).

If provisioned on the public cloud, configure the targeted server with strict access controls to ensure that IP access is restricted to predefined IP addresses only. Drop all other port 3389 requests at the firewall level. Protect any servers that require RDP access by using multi-factor authentication (MFA).
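One way to review firewall or cloud access rules against this guidance is sketched below. This is an added example, not from the original article: the rule format is a hypothetical, vendor-neutral one, and the rule names, addresses and allowlist are constructed. It flags any allow rule that lets TCP port 3389 through from a source outside the predefined allowlist, including rules that only reach 3389 through a port range or an "any" entry.

```python
import ipaddress

RDP_PORT = 3389

# Constructed sample rules in a hypothetical, vendor-neutral format
# (not the export format of any particular firewall or cloud provider).
SAMPLE_RULES = [
    {"name": "admin-rdp", "action": "allow", "proto": "tcp", "ports": "3389", "source": "203.0.113.10/32"},
    {"name": "legacy-rdp", "action": "allow", "proto": "tcp", "ports": "3389", "source": "0.0.0.0/0"},
    {"name": "wide-range", "action": "allow", "proto": "tcp", "ports": "3000-4000", "source": "198.51.100.0/24"},
    {"name": "web", "action": "allow", "proto": "tcp", "ports": "443", "source": "0.0.0.0/0"},
    {"name": "any-any", "action": "allow", "proto": "any", "ports": "any", "source": "192.0.2.0/24"},
    {"name": "drop-rdp", "action": "deny", "proto": "tcp", "ports": "3389", "source": "0.0.0.0/0"},
]

# Assumed allowlist of predefined administrative source ranges.
ALLOWED_SOURCES = ["203.0.113.0/28", "192.0.2.0/24"]


def covers_port(ports, port):
    """True if a port spec ('any', '3389', '3000-4000', '80,3389') includes port."""
    if ports == "any":
        return True
    for part in ports.split(","):
        low, _, high = part.strip().partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def exposed_rdp_rules(rules, allowed_sources, port=RDP_PORT):
    """Return names of allow rules that admit TCP/port from outside the allowlist."""
    allowed = [ipaddress.ip_network(n) for n in allowed_sources]
    findings = []
    for rule in rules:
        if rule["action"] != "allow" or rule["proto"] not in ("tcp", "any"):
            continue
        if not covers_port(rule["ports"], port):
            continue
        source = ipaddress.ip_network(rule["source"], strict=False)
        # Acceptable only if the rule's whole source range sits inside an allowed range.
        if not any(source.subnet_of(net) for net in allowed if net.version == source.version):
            findings.append(rule["name"])
    return findings


if __name__ == "__main__":
    for name in exposed_rdp_rules(SAMPLE_RULES, ALLOWED_SOURCES):
        print("RDP reachable from non-allowlisted source:", name)
```

The check treats each rule independently and does not model rule ordering, so a flagged allow rule may still be shadowed by an earlier deny on a first-match firewall.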

System administrators must maintain up-to-date antivirus signatures and engines on all servers, as well as keep operating system security patches up to date. Completing regular vulnerability scans and pen tests across the network will help significantly in preparing yourself for a ransomware attack.

Educating employees on the threat of ransomware and malware is an excellent way to enhance any organization’s security posture. Not all employees are computer experts, and restricting users’ permissions to install and run unwanted software applications will only offer limited help. Training empowers users to know what to look out for, such as exercising caution when opening email attachments or providing confidential security details over the phone.

How Do I Get Rid of SamSam Ransomware?

Unfortunately, there is no publicly available decryptor for SamSam, so the only options are to pay the ransom and hope you get your files back or to restore systems from a backup.

Tetra Defense never recommends paying a ransom unless it is the last resort. If you are in the untenable position of not having a backup to restore from, and you urgently need your files back, we recommend you contact the incident response experts at Tetra Defense.

Tetra Defense prioritizes restoration to get businesses back to where they were before the ransomware attack. We approach ransomware restoration and investigations simultaneously, so you return to normal operations at the same time you are getting answers.

Our teams are standing by to focus on what matters most: your business. We will survey the ransomware outbreak and perform an initial assessment; this will identify the best course of action to take to recover your files and secure your network. If deemed necessary, we can conduct ransom negotiation and can facilitate ransom payment.

We remove the threat from your system and conduct malware scans and network threat hunting. At Tetra, we leverage each incident to learn from the ransomware attack and discover the root cause. Once Tetra obtains the decryption keys, we decrypt the data and get systems restored to full functionality as quickly as possible.

Example of SamSam Ransom Note

Get Help with SamSam Ransomware

If you’re ready to get help removing SamSam ransomware from your critical systems, contact Tetra Defense’s incident response team today. We will reach out for an assessment and build a plan to get your network up and running once again.
