An activity alert issued this week by the US Department of Homeland Security and the FBI warns organizations across multiple critical infrastructure sectors that they are a top target for SamSam ransomware, also known as MSIL/Samas.A, and provides a list of guidelines to help prevent and mitigate these attacks.
SamSam ransomware attacks have become more complex. According to an article in Wired from August 2018, the group behind them was making around $300,000 a month, and no one knew who they were.
On November 28, the US Department of Justice charged two Iranians with international computer hacking and extortion using sophisticated ransomware. Operating from Iran, they allegedly exploited software vulnerabilities in Windows servers to gain unauthorized administrator access and deploy SamSam ransomware on hundreds of computer networks belonging to hospitals, municipalities and public institutions, mostly in the US.
“According to reporting from victims in early 2016, cyber actors used the JexBoss Exploit Kit to access vulnerable JBoss applications,” reads the alert. “Since mid-2016, FBI analysis of victims’ machines indicates that cyber actors use Remote Desktop Protocol (RDP) to gain persistent access to victims’ networks. Typically, actors either use brute force attacks or stolen login credentials. Detecting RDP intrusions can be challenging because the malware enters through an approved access point.”
Victims include the City of Atlanta in Georgia, the City of Newark in New Jersey, the Port of San Diego in California, the Colorado Department of Transportation, the University of Calgary in Alberta, Canada, and six health care-related entities: Hollywood Presbyterian Medical Center in Los Angeles, California; Kansas Heart Hospital in Wichita, Kansas; Laboratory Corporation of America Holdings, more commonly known as LabCorp, headquartered in Burlington, North Carolina; MedStar Health, headquartered in Columbia, Maryland; Nebraska Orthopedic Hospital, now known as OrthoNebraska Hospital, in Omaha, Nebraska; and Allscripts Healthcare Solutions Inc., based in Chicago, Illinois.
The SamSam ransomware attacks have caused more than $30 million in damage. DHS and the FBI believe the stolen data was sold on the Dark Web and then used in further malicious activity.
If you want to learn more about why companies are still vulnerable to ransomware attacks in 2018, watch our video below.