The SamSam ransomware attack is back. And this time the victim was right here in Bomgar’s own backyard – the City of Atlanta.
According to Atlanta city officials, last week’s attack didn’t impact critical infrastructure. But it did affect some customer-facing applications and internal services. The attackers issued a bitcoin demand of $6,800 per system, or $51,000 to unlock all compromised systems.
And that may be a small price to pay for a hard lesson learned. The ransomware exploit is one of the easiest cyberattacks to defend against. It can be thwarted by a couple of practices almost as old as the computer itself – patches and backups. Most ransomware relies on human gullibility or known, unpatched vulnerabilities to succeed. And when it does succeed, and the victim has no proper backups, the attacker’s extortion tactics often work.
Why SamSam Succeeds
So, if simple IT processes – backups and patches – can beat ransomware, why is it such a problem for so many? The answer is that overburdened IT departments often don’t have the time and tools to get the basics done right. And, in many cases, they don’t have the motivation.
Security advice is somewhat similar to health advice. Sure, we all know we should exercise regularly and avoid junk food. But many of us ignore this advice as we settle in front of the TV with a bag of potato chips. Similarly, any competent organization knows that they should at least make backups, update systems and run standard perimeter defenses like firewalls.
Still, many organizations don’t, and that’s why ransomware succeeds. Ransomware attacks are common because they’re so fruitful. Remember, the bad guys have a business model, and it’s a profitable one. Take the group behind SamSam as an example. According to CSO, to date they have earned nearly $850,000 from their exploits. So you can be sure they’re going to continue their attacks.
How SamSam Operates
SamSam is a clever variation on common ransomware. Most ransomware relies on social engineering or phishing to trick users into running a program that infects their system. SamSam is different. It scans the Internet, using tools that are readily available online, to locate servers with unpatched software. It then quietly lets itself in through that vulnerability.
If the City of Atlanta situation is like other SamSam attacks we’ve seen, the intruders probably got in through a public-facing RDP port, or possibly an SMB port. What normally happens is that one of these ports is opened for a specific purpose – for a remote support session, for instance – and then carelessly left open. The attackers then launch a brute-force attack that continuously hits the port with different credentials until one works. That compromised system is now ground zero in the attack. From there the attackers scan the network searching for systems with valuable data. They use remote access tools to get into those critical systems and then deploy the ransomware to lock them down.
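The brute-force pattern described above leaves a recognizable trace in Windows Security logs: a burst of failed logons (event 4625) from one source address, followed by a success (event 4624) from the same address. The following detector is an added example, not code from the original post or from Bomgar; the log lines are constructed for illustration and use a simplified key=value layout rather than the real Windows event XML, and the threshold and window are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on Windows Security events (not real log data):
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2018-03-22T02:14:01 EventID=4625 LogonType=10 User=administrator SourceIP=203.0.113.7
2018-03-22T02:14:02 EventID=4625 LogonType=10 User=admin SourceIP=203.0.113.7
2018-03-22T02:14:03 EventID=4625 LogonType=10 User=backup SourceIP=203.0.113.7
2018-03-22T02:14:04 EventID=4625 LogonType=10 User=sysadmin SourceIP=203.0.113.7
2018-03-22T02:14:05 EventID=4625 LogonType=10 User=support SourceIP=203.0.113.7
2018-03-22T02:14:06 EventID=4624 LogonType=10 User=support SourceIP=203.0.113.7
2018-03-22T08:30:00 EventID=4625 LogonType=10 User=jsmith SourceIP=192.0.2.10
2018-03-22T08:30:20 EventID=4624 LogonType=10 User=jsmith SourceIP=192.0.2.10
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"User=(?P<user>\S+) SourceIP=(?P<ip>\S+)"
)

def parse(log_text):
    """Parse the simplified log format into dicts with a datetime timestamp."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            events.append(d)
    return events

def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with >= threshold failed RDP logons inside `window`.
    If a later RDP success arrives from a flagged IP, record the account used:
    that is the 'one credential finally worked' moment the attack relies on."""
    failures = defaultdict(list)  # ip -> recent failed events within window
    alerts = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["lt"] != "10":  # only RemoteInteractive (RDP) logons
            continue
        ip = e["ip"]
        if e["eid"] == "4625":
            failures[ip] = [f for f in failures[ip] if e["ts"] - f["ts"] <= window] + [e]
            if len(failures[ip]) >= threshold and ip not in alerts:
                alerts[ip] = {"failed": len(failures[ip]),
                              "users": sorted({f["user"] for f in failures[ip]}),
                              "success_after": None}
        elif e["eid"] == "4624" and ip in alerts and alerts[ip]["success_after"] is None:
            alerts[ip]["success_after"] = e["user"]
    return alerts
```

In the sample, 203.0.113.7 is flagged after five different usernames fail in one minute, and the subsequent success as `support` is attached to the alert; the single failed logon from 192.0.2.10 is ordinary user error and is not flagged.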
Defending Against SamSam
That’s how it works. So how can you defend against it? It goes back to getting the basics right. Start with this:
- Turn off RDP and shut that backdoor.
- Use two-factor authentication (2FA). Brute-force attacks fail when there’s a second layer of security.
- Perform regular backups to make sure you have copies of your valuable data.
- Deploy patches and updates immediately to remediate known threats.
- Use long, complex passwords and change them frequently.
Better yet, invest in automated cybersecurity solutions that can proactively protect your enterprise against today’s advanced cyber threats. At Bomgar, we develop products that secure the access that attackers need to succeed.
Our Privileged Identity Management (PIM) solution automatically and continuously randomizes all the powerful privileged account passwords that grant access to your sensitive systems. It generates unique and complex passwords for each system that are nearly impossible to crack during SamSam brute force attacks. And even if an attacker manages to get hold of a credential, it’s time-limited because the credentials are continuously changing.
Our Privileged Access Management (PAM) solution secures the access pathways between systems that SamSam tries to exploit as it looks for valuable data on your network.
SamSam is just one of the many modern cyberattacks that our joint PIM/PAM solution can defeat. Regardless of how you proceed, you’d be wise to heed the lesson learned by the City of Atlanta and protect yourself from SamSam. They were lucky not to lose access to their most critical systems and valuable data. Would you be so fortunate?
Sam Elliott, Director of Security Product Management
At Bomgar, Sam is responsible for the product management group that is driving product strategy for Bomgar’s security products. He has more than a decade of information security, ITSM, and IT operations management experience. He is also a seasoned expert in the areas of cyber-security, data center discovery, systems configuration management, and ITSM. Sam has a Bachelor of Science from Florida State University and is certified in ITIL v3 and Pragmatic Marketing. He resides in Atlanta, GA with his family and can be found on Twitter @samelliott.