SamSam Ransomware: The Enemy of Weak Passwords
In recent years ransomware attacks have become a rampant threat. 2017 saw some of the most destructive waves of ransomware attacks across the world. The most notable of these attacks was the WannaCry outbreak in May, which infected hundreds of thousands of computers in more than 150 countries in the span of a few days.
A month later, the NotPetya ransomware hit tens of thousands of other victims, using propagation methods similar to those of WannaCry. The victims included hospitals, transportation systems, government institutions, companies and individuals.
But WannaCry and NotPetya are not the only ransomware attacks of recent years. Other, more sporadic attacks received far less media attention. One ransomware family that has remained a constant threat since it first surfaced in 2015 is SamSam, a ransomware trojan used in targeted, hands-on attacks against individual organizations rather than in indiscriminate mass campaigns.
According to Sophos, SamSam has cost its victims nearly $6 million since 2015. In 2018 alone, SamSam has struck hospitals in Indiana and New Mexico, computers at the Colorado Department of Transportation (CDOT), and the municipality of Atlanta.
While not as widespread as the WannaCry and NotPetya outbreaks, SamSam is no less destructive, and it is a costly threat to any organization that does not know how to counter it.
A quick primer on ransomware
Ransomware trojans are malware that lock users out of their computers or data and keep them locked out until they pay the attackers. Older types of ransomware locked the login screen or tampered with the boot sequence (for example by overwriting the master boot record) and could be overcome by rebooting, reinstalling the affected software or repairing the boot record.
In recent years crypto-ransomware has become the dominant form, so much so that the term is now used interchangeably with ransomware itself. Once crypto-ransomware runs on a computer, it encrypts the files on its drives, and typically on any network shares it can reach, and leaves the owner unable to open them.
Crypto-ransomware relies on public/private key (asymmetric) cryptography. In practice the scheme is hybrid: each file is encrypted with a fast symmetric cipher such as AES under a random per-file key, and that key is in turn encrypted with the attackers' public key and stored alongside the file. The files can therefore only be decrypted with the matching private key, which the attackers keep. To obtain it, the victim has to pay a ransom. Most ransomware uses bitcoin or other cryptocurrencies because payments are pseudonymous, which makes it easier for the attackers to cover their tracks and launder their ill-gotten gains.
Crypto-ransomware is very dangerous: once you fall victim, the only way to regain access to your files short of paying the attackers is to restore from backups (unless researchers find a flaw in the malware's cryptography and release a free decryptor, which cannot be counted on). If you don't have backups, you're doomed.
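To make the key hierarchy concrete, here is a small Go program, written for this article and not code from SamSam or any real ransomware family, that implements the hybrid scheme described above: a random AES-256-GCM key per file, wrapped with RSA-OAEP under the attackers' public key. The lockedFile layout and the sample document contents are constructed for the example. It shows that the matching private key recovers the file while an unrelated private key cannot even unwrap the file key, which is why, without the attackers' key, the only recovery path is a backup.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// lockedFile is a hypothetical on-disk layout for this example: the RSA-wrapped
// per-file AES key, the GCM nonce and the ciphertext. Real ransomware families
// each use their own format; this one only illustrates the key hierarchy.
type lockedFile struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptFile encrypts plaintext under a fresh random AES-256-GCM key and wraps
// that key with the attackers' RSA public key (OAEP). The plaintext key is then
// dropped, so it survives only inside WrappedKey.
func encryptFile(attackerPub *rsa.PublicKey, plaintext []byte) (*lockedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, attackerPub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	return &lockedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// decryptFile is the step a victim can only perform after obtaining the
// attackers' private key: unwrap the file key, then decrypt the contents.
func decryptFile(priv *rsa.PrivateKey, lf *lockedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, lf.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap the file key: wrong private key")
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, lf.Nonce, lf.Ciphertext, nil)
}

// demo encrypts a constructed document, then shows that the attackers' private
// key recovers it while an unrelated private key of the same size does not.
func demo() (recovered bool, wrongKeyFails bool, err error) {
	attacker, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	someoneElse, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	original := []byte("Q1 figures: constructed sample document content")
	lf, err := encryptFile(&attacker.PublicKey, original)
	if err != nil {
		return
	}
	got, decErr := decryptFile(attacker, lf)
	recovered = decErr == nil && bytes.Equal(got, original)
	_, decErr = decryptFile(someoneElse, lf)
	wrongKeyFails = decErr != nil
	return
}

func main() {
	recovered, wrongKeyFails, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("right key recovers the file: %v; wrong key fails: %v\n", recovered, wrongKeyFails)
}
```

The per-file symmetric key is what makes encrypting thousands of files fast; the RSA wrapping is what makes recovery impossible without the attackers' cooperation, since the public key on the victim's machine can only wrap, never unwrap.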
The ransom amount ranges from a few hundred to tens of thousands of dollars. When SamSam hit the City of Atlanta, the attackers set the price at 0.8 BTC per machine (approx. $6,800) or 6 BTC (approx. $51,000) for all the computers they had infected.
But the hidden cost of ransomware such as SamSam is the disruption of service and business it causes. Victims usually take days to pay even when they intend to, because buying cryptocurrency is hard without an existing, verified exchange account, and account verification alone can take several days. And whether the victim pays and receives the keys or restores from its own backups, it still has to spend days restoring files, removing the infection, closing the security holes that let the attackers in and returning operations to their previous state. In the Atlanta case, the total damages were estimated at $17 million.
What makes SamSam different?
One of the most important characteristics of a ransomware attack is its delivery method. NotPetya arrived through a trojanized update of a widely used accounting package, while WannaCry needed no lure at all and simply scanned the internet for exposed SMB services; both then propagated across corporate networks by exploiting a vulnerability in the Windows SMB service (the EternalBlue exploit, fixed by Microsoft in the MS17-010 update two months before the outbreaks).
The SamSam ransomware uses a different but very simple trick to get into corporate networks: weak passwords. The attackers brute-force the credentials of services exposed by network computers, above all the Remote Desktop Protocol (RDP), but also Java-based web servers and File Transfer Protocol (FTP) servers (earlier SamSam intrusions exploited unpatched JBoss application servers instead). Once they have a foothold, the operators work by hand: they move laterally, harvest more credentials and deploy the encryptor to as many hosts as they can reach before it starts its destructive encryption.
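From the defender's side, a brute-force attempt against RDP shows up in the Windows Security log as a burst of failed logons (Event ID 4625 with logon type 10) from one source, frequently across several account names, followed by a success (4624) from the same source. The Go program below, written for this article rather than taken from any vendor tool, runs that detection over constructed sample events; the one-line key=value format, the addresses and the account names are made up for the example, and real events would be exported from a SIEM or with wevtutil.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// logonEvent is a reduced view of a Windows Security log entry. The key=value line
// format below is constructed for this example; real events are EVTX/XML.
type logonEvent struct {
	Time      time.Time
	EventID   int    // 4625 = failed logon, 4624 = successful logon
	LogonType int    // 10 = RemoteInteractive (RDP)
	IP, User  string // IpAddress, TargetUserName
}

// Constructed sample, oldest first: one internet address walks through common account
// names for a minute and then gets in; a second address is a user mistyping a password once.
const sampleLog = `2018-03-22T02:14:01Z EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=administrator
2018-03-22T02:14:09Z EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=admin
2018-03-22T02:14:20Z EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=backup
2018-03-22T02:14:33Z EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=scanner
2018-03-22T02:14:47Z EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=rdpuser
2018-03-22T02:15:02Z EventID=4625 LogonType=10 IpAddress=203.0.113.7 TargetUserName=rdpuser
2018-03-22T02:15:55Z EventID=4624 LogonType=10 IpAddress=203.0.113.7 TargetUserName=rdpuser
2018-03-22T08:01:10Z EventID=4625 LogonType=10 IpAddress=198.51.100.20 TargetUserName=jsmith`

// parseLog converts the constructed format into events, keeping file order.
func parseLog(raw string) ([]logonEvent, error) {
	var events []logonEvent
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		ev, ts := logonEvent{}, ""
		_, err := fmt.Sscanf(line, "%s EventID=%d LogonType=%d IpAddress=%s TargetUserName=%s",
			&ts, &ev.EventID, &ev.LogonType, &ev.IP, &ev.User)
		if err != nil {
			return nil, fmt.Errorf("malformed line %q: %v", line, err)
		}
		if ev.Time, err = time.Parse(time.RFC3339, ts); err != nil {
			return nil, err
		}
		events = append(events, ev)
	}
	return events, nil
}

// bruteForceAlert is one source address that exceeded the threshold.
type bruteForceAlert struct {
	IP        string
	Failures  int    // failed RDP logons inside the densest window
	Accounts  int    // distinct account names tried (password spraying shows up here)
	Succeeded string // account that later logged on from that IP, or ""
}

// detectRDPBruteForce flags sources with at least threshold failed RDP logons inside any
// window-long span and records whether a successful RDP logon from the same source followed.
func detectRDPBruteForce(events []logonEvent, threshold int, window time.Duration) []bruteForceAlert {
	fails := map[string][]logonEvent{}
	success := map[string]string{} // IP -> first account to log on after a failure
	for _, ev := range events {
		switch {
		case ev.LogonType != 10: // only RDP logons matter here
		case ev.EventID == 4625:
			fails[ev.IP] = append(fails[ev.IP], ev)
		case ev.EventID == 4624 && len(fails[ev.IP]) > 0 && success[ev.IP] == "":
			success[ev.IP] = ev.User
		}
	}
	var alerts []bruteForceAlert
	for ip, evs := range fails {
		best, j := 0, 0 // densest window starting at a failure, two-pointer sweep
		users := map[string]bool{}
		for i := range evs {
			users[evs[i].User] = true
			for j < len(evs) && !evs[j].Time.After(evs[i].Time.Add(window)) {
				j++
			}
			if j-i > best {
				best = j - i
			}
		}
		if best >= threshold {
			alerts = append(alerts, bruteForceAlert{ip, best, len(users), success[ip]})
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].IP < alerts[j].IP })
	return alerts
}

func main() {
	events, err := parseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range detectRDPBruteForce(events, 5, 5*time.Minute) {
		fmt.Printf("%s: %d failed RDP logons across %d accounts, then logged on as %q\n",
			a.IP, a.Failures, a.Accounts, a.Succeeded)
	}
}
```

The threshold and window (5 failures in 5 minutes here) are tuning knobs; the signal worth paging on is the success that follows the burst, because at that point the attackers have a working credential and, in SamSam's case, an interactive desktop on your network.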
Unfortunately, countless studies, articles, TV shows and educational programs have not succeeded in pushing users into adopting secure password habits. Recent studies still show that the most used passwords are simple strings such as “123456” and “password.”
The reality is that maintaining complex, lengthy and secure passwords puts a huge burden on users, especially when they have to manage dozens of online accounts. There’s only so much the human mind can memorize.
How to protect your organization against SamSam
Like any other ransomware threat, protection against SamSam requires a multi-layered approach to prevent infection in your network at different levels. Some of the known measures include the following:
- Keep your antivirus up to date: An up-to-date antimalware solution detects and stops most ransomware, but not all of it. Malware authors constantly create new variants to slip past antimalware products, so there are always some undetected samples on the loose.
- Keep your software and operating systems up to date: Patching your operating systems and server software denies attackers the security flaws they exploit to get ransomware into your network and to spread it across it.
- Keep backups of your important files: Your last line of defense is a backup of the very files the ransomware will encrypt, which lets you avoid paying the ransom. Keep the backups offline or on a separate network, or they will be encrypted along with everything else, and test your restores regularly; a backup you have never restored from is a hope, not a plan.
- Limit the exposure of remote access services: Do not expose RDP, FTP or administrative web interfaces directly to the internet; put them behind a VPN or gateway, enable account lockout, and monitor for bursts of failed logons, which is what a brute-force attack looks like from the defender's side.
The need for passwordless authentication
While the measures above are effective against most breeds of ransomware, remember that SamSam walks in through legitimate remote-access services using guessed credentials, so patching and antivirus do nothing against its initial entry. The surest way to keep it out of your network is to remove weak passwords, or better yet, to remove passwords altogether.
Passwordless authentication does away with one of the weakest links in account security. Without burdening users with creating and memorizing secure passwords, it gives them better security and a friendlier experience, and it closes the door on brute-force and dictionary attacks against user accounts: where the server holds only a public key and the user's device holds the private key, there is no secret left for an attacker to guess.
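The Go program below, added here as an illustration and not the code of any particular passwordless product, shows a simplified version of the challenge-response pattern that passwordless schemes such as FIDO2/WebAuthn are built on: the server stores only the user's public key, issues a fresh random challenge for each login, and accepts a signature over that challenge from the user's device. The server type, the message framing and the sample user are assumptions made for the example. It checks that a genuine device is accepted, that a captured signature cannot be replayed, and that a device with a different key is rejected; since the server holds no secret, there is nothing for a brute-force or dictionary attack to guess.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// authServer is a hypothetical relying party. Per user it stores only a public
// key, so there is no password hash to crack offline and nothing to guess online.
type authServer struct {
	keys    map[string]ed25519.PublicKey
	pending map[string][]byte // outstanding one-time challenge per user
}

func newAuthServer() *authServer {
	return &authServer{keys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// enroll records a user's device public key; the private half never leaves the device.
func (s *authServer) enroll(user string, pub ed25519.PublicKey) {
	s.keys[user] = pub
}

// issueChallenge hands out 32 fresh random bytes valid for exactly one login attempt.
func (s *authServer) issueChallenge(user string) ([]byte, error) {
	if _, ok := s.keys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[user] = c
	return c, nil
}

// loginMessage binds the signature to this purpose, this user and this challenge,
// so a signature cannot be reused for anything else. (Framing is an assumption.)
func loginMessage(user string, challenge []byte) []byte {
	return append([]byte("passwordless-login:"+user+":"), challenge...)
}

// verify accepts the login only if the challenge is the one outstanding for this
// user and the signature checks under the enrolled key. The challenge is consumed
// whether or not the signature is valid, so a replay always fails.
func (s *authServer) verify(user string, challenge, sig []byte) error {
	want, ok := s.pending[user]
	if !ok {
		return errors.New("no outstanding challenge")
	}
	delete(s.pending, user)
	if !bytes.Equal(want, challenge) {
		return errors.New("challenge mismatch")
	}
	if !ed25519.Verify(s.keys[user], loginMessage(user, challenge), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// device stands in for an authenticator (security key, phone, TPM-backed key).
type device struct{ priv ed25519.PrivateKey }

func (d device) answer(user string, challenge []byte) []byte {
	return ed25519.Sign(d.priv, loginMessage(user, challenge))
}

// demo enrolls one device for a sample user and exercises the three cases that matter.
func demo() (accepted, replayRejected, wrongKeyRejected bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader) // a key the server never enrolled
	if err != nil {
		return
	}
	srv := newAuthServer()
	srv.enroll("alice", pub)

	c, err := srv.issueChallenge("alice")
	if err != nil {
		return
	}
	sig := device{priv}.answer("alice", c)
	accepted = srv.verify("alice", c, sig) == nil

	// Replaying the captured challenge/signature pair: the challenge is already consumed.
	replayRejected = srv.verify("alice", c, sig) != nil

	// An attacker holding a fresh challenge but not the enrolled private key.
	c2, err := srv.issueChallenge("alice")
	if err != nil {
		return
	}
	wrongKeyRejected = srv.verify("alice", c2, device{attackerPriv}.answer("alice", c2)) != nil
	return
}

func main() {
	a, r, w, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine device accepted: %v, replay rejected: %v, wrong key rejected: %v\n", a, r, w)
}
```

Compare this with RDP: a password verifier accepts any string that hashes correctly, so every connection is a free guess; here the only thing that can be submitted is a signature that no party without the device's private key can produce, and each challenge is good for one attempt.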
As the war against ransomware continues, we need every defensive measure we can find.