
City of Atlanta Cyberattack Shows Why SamSam Continues to Succeed

March 29, 2018


The SamSam ransomware attack is back. And this time the victim was right here in Bomgar’s own backyard – the City of Atlanta. 

According to Atlanta city officials, last week’s attack didn’t impact critical infrastructure. But it did affect some customer-facing applications and internal services. The attackers issued a bitcoin demand of $6,800 per system, or $51,000 to unlock all compromised systems.

And that may be a small price to pay for a hard lesson learned. Ransomware is one of the easiest cyberattacks to defend against. It can be thwarted by a couple of practices almost as old as the computer itself – patches and backups. Most ransomware relies on human gullibility or known, unpatched vulnerabilities to get in. And when it does get in, and the victim has no proper backups (or only backups the attacker could reach and encrypt too), the attacker’s extortion tactics often work.

Why SamSam Succeeds

So, if simple IT processes – backups and patches – can beat ransomware, why is it such a problem for so many? The answer is that overburdened IT departments often don’t have the time and tools to get the basics done right. And, in many cases, they don’t have the motivation.

Security advice is somewhat similar to health advice. Sure, we all know we should exercise regularly and avoid junk food. But many of us ignore this advice as we settle in front of the TV with a bag of potato chips. Similarly, any competent organization knows it should at least make backups, update systems, and run standard perimeter defenses like firewalls.

Still, many organizations don’t, and that’s why ransomware succeeds. Ransomware attacks are common because they’re so fruitful. Remember, the bad guys have a business model, and it’s a profitable one. Take the group behind SamSam as an example. According to CSO, to date they have earned nearly $850,000 from their exploits. So you can be sure they’re going to continue their attacks.

How SamSam Operates

SamSam is a cleverer variant of the common ransomware. Most ransomware relies on social engineering or phishing to trick a user into running a program that infects their system. SamSam is different. It scans the Internet, using tools that are freely available, to locate servers with unpatched software or exposed remote access services, and then quietly lets itself in through that weakness.

If the City of Atlanta situation is like other SamSam attacks we’ve seen, the intruders probably got in through a public-facing RDP port, or possibly an SMB port. What normally happens is that one of these ports is opened for a specific purpose – for a remote support session, for instance – and then carelessly left open. The attackers then launch a brute-force attack that hits the port with credential after credential until one works. That compromised system is now ground zero in the attack. From there the attackers scan the network for systems holding valuable data, use remote access tools to get into those critical systems, and then deploy the ransomware to lock them down.
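The brute-force stage described above leaves a very loud trace in the Windows Security log: a burst of failed logons (Event 4625) from one source address, followed by a success (Event 4624) from the same address. The detection logic below is an added example, not code from the original post or from Bomgar. It runs over constructed log records in an assumed pipe-separated layout (time, event ID, logon type, account, source IP); the event IDs and logon types are the real Windows values, but the record format, the ten-failures-in-five-minutes threshold, the sample lines and the IP addresses are assumptions made for the example.

```python
"""Spot an RDP/SMB brute-force burst in Windows Security-log events and
flag the successful logon that follows it.

Added example, not code from the original post or from Bomgar.
Input format is an ASSUMPTION: one event per line, pipe-separated
    <ISO-8601 time>|<EventID>|<LogonType>|<TargetUser>|<SourceIP>
EventID 4625 = failed logon, 4624 = successful logon (real Windows IDs).
LogonType 10 = RemoteInteractive (RDP), 3 = Network, e.g. SMB (real values).
The threshold, the window and the sample records below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED, SUCCESS = "4625", "4624"
WATCHED_LOGON_TYPES = {"10", "3"}   # RDP and network (SMB) logons only


def parse_event(line):
    """Turn one pipe-separated record (assumed format) into a dict."""
    ts, event_id, logon_type, user, src = line.strip().split("|")
    return {"time": datetime.fromisoformat(ts), "id": event_id,
            "type": logon_type, "user": user, "src": src}


def detect_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Return one alert per burst of >= `threshold` failed RDP/SMB logons
    from a single source IP inside a sliding `window`.  If a successful
    logon from that IP arrives while the burst is still inside the window,
    the alert records which account got in: that host is ground zero."""
    events = sorted((parse_event(ln) for ln in lines if ln.strip()),
                    key=lambda e: e["time"])
    recent = defaultdict(deque)   # src -> deque of (time, user) failures
    active = {}                   # src -> alert for the burst in progress
    alerts = []
    for e in events:
        if e["type"] not in WATCHED_LOGON_TYPES:
            continue              # console/service logons are out of scope
        q = recent[e["src"]]
        while q and e["time"] - q[0][0] > window:
            q.popleft()           # failure aged out of the window
        if not q:
            active.pop(e["src"], None)   # burst over; a new one alerts again
        if e["id"] == FAILED:
            q.append((e["time"], e["user"]))
            alert = active.get(e["src"])
            if alert is not None:
                alert["failures"] = len(q)
                alert["accounts"] = sorted({u for _, u in q})
            elif len(q) >= threshold:
                alert = {"src": e["src"], "first_seen": q[0][0],
                         "failures": len(q),
                         "accounts": sorted({u for _, u in q}),
                         "compromised_account": None}
                active[e["src"]] = alert
                alerts.append(alert)
        elif e["id"] == SUCCESS:
            alert = active.get(e["src"])
            if alert is not None and alert["compromised_account"] is None:
                alert["compromised_account"] = e["user"]   # attacker is in
    return alerts


# Constructed sample: 11 RDP failures from one Internet address cycling
# through likely account names, then a success for svc_backup; a console
# typo (type 2) and a legitimate RDP logon from the LAN; three SMB
# failures that stay under the threshold.
SAMPLE_EVENTS = """\
2018-03-01T02:14:01|4625|10|administrator|203.0.113.45
2018-03-01T02:14:03|4625|10|admin|203.0.113.45
2018-03-01T02:14:05|4625|10|Administrator|203.0.113.45
2018-03-01T02:14:08|4625|10|backup|203.0.113.45
2018-03-01T02:14:11|4625|10|sqlservice|203.0.113.45
2018-03-01T02:14:14|4625|10|helpdesk|203.0.113.45
2018-03-01T02:14:17|4625|10|svc_backup|203.0.113.45
2018-03-01T02:14:20|4625|10|scanner|203.0.113.45
2018-03-01T02:14:23|4625|10|test|203.0.113.45
2018-03-01T02:14:26|4625|10|svc_backup|203.0.113.45
2018-03-01T02:14:29|4625|10|svc_backup|203.0.113.45
2018-03-01T02:14:32|4624|10|svc_backup|203.0.113.45
2018-03-01T02:15:00|4625|2|jsmith|10.0.0.7
2018-03-01T02:15:30|4624|10|jdoe|10.0.0.8
2018-03-01T02:16:00|4625|3|fileadmin|198.51.100.9
2018-03-01T02:16:05|4625|3|fileadmin|198.51.100.9
2018-03-01T02:16:10|4625|3|fileadmin|198.51.100.9
"""

if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_EVENTS.splitlines()):
        print(f"{a['src']}: {a['failures']} failures since {a['first_seen']} "
              f"against {len(a['accounts'])} accounts; "
              f"compromised account: {a['compromised_account']}")
```

The threshold and window are tuning knobs: ten failures in five minutes from a single Internet address is far beyond any legitimate typing-error rate, and the distinct-account list separates an attacker spraying many usernames from one hammering a single account. A real deployment would pull the same fields from the 4625/4624 event XML (TargetUserName, IpAddress, LogonType) rather than from the pipe-separated form assumed here, and would use the success-after-burst alert to start incident response on that host before the attacker scans the rest of the network.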

Defending Against SamSam

That’s how it works. So how can you defend against it? It goes back to getting the basics right. Start with this:

  • Turn off RDP where it isn’t needed, and never leave it exposed to the Internet – shut that backdoor.
  • Use two-factor authentication (2FA). A brute-force attack that guesses the password still fails when a second factor is required.
  • Perform regular backups so you always have copies of your valuable data, and check that they actually restore.
  • Deploy patches and updates promptly to remediate known vulnerabilities.
  • Use long, randomly generated passwords that are unique to each system, and rotate them regularly.

Better yet, invest in automated cybersecurity solutions that can proactively protect your enterprise against today’s advanced cyber threats. At Bomgar, we develop products that secure the access that attackers need to succeed.

Our Privileged Identity Management (PIM) solution automatically and continuously randomizes the privileged account passwords that grant access to your sensitive systems. It generates a unique, complex password for each system that is impractical to guess in a SamSam-style brute-force attack. And even if an attacker manages to get hold of a credential, its value is time-limited because the credentials are continuously changing.

Our Privileged Access Management (PAM) solution secures the access pathways between systems that SamSam tries to exploit as it looks for valuable data on your network. 

SamSam is just one of the many modern cyberattacks that our joint PIM/PAM solution can defeat. Regardless of how you proceed, you’d be wise to heed the lesson learned by the City of Atlanta and protect yourself from SamSam. They were lucky not to lose access to their most critical systems and valuable data. Would you be so fortunate? 

Sam Elliott, Director of Security Product Management

At Bomgar, Sam is responsible for the product management group that drives product strategy for Bomgar’s security products. He has more than a decade of information security, ITSM, and IT operations management experience and is a seasoned expert in cyber-security, data center discovery, systems configuration management, and ITSM. Sam has a Bachelor of Science from Florida State University and is certified in ITIL v3 and Pragmatic Marketing. He resides in Atlanta, GA with his family and can be found on Twitter @samelliott.
