A strain of ransomware called SamSam was released towards the end of 2015 and continues to pose a serious threat to organizations of all sizes.
Unlike other forms of ransomware, SamSam is very targeted and frequently updated in order to circumvent anti-virus tools and endpoint protection solutions. SamSam is even able to delete backups – one of our primary safeguards against ransomware attacks. Victims are requested to pay the ransom in Bitcoin, and evidence suggests that the victims will get their files restored after payment is made.
According to Health IT Security, “Healthcare Makes Up One-Quarter of SamSam Ransomware Attacks”. However, governments, schools, and private companies are also targeted. The SamSam group started off by exploiting vulnerabilities in an application server called JBoss; however, the group now targets other technologies such as Microsoft’s IIS, FTP, RDP and VPN solutions.
Most SamSam attacks on the healthcare sector are executed using RDP (Remote Desktop Protocol) as their main entry point. Once the attackers have bypassed perimeter defences, they will seek to elevate their privileges in order to lock down as much of the target network as they can. So, what can hospitals do to protect themselves from these sorts of attacks?
Detect Unauthorized Use of System Tools
Naturally, the faster you can detect and respond to signs of a ransomware attack, the better your chances of minimizing the damage it may cause. The SamSam attack will seek to leverage a number of tools such as Mimikatz, PsExec, NLBrute, CSVDE and more. Being able to identify any unauthorised use of these tools will enable faster detection and response. However, the SamSam group has been known to use whitelisted tools and valid credentials in order to bypass perimeter defences.
Anti-virus & Endpoint Protection
While it is true that firewalls and anti-virus solutions are not as effective as they used to be, they are still a necessary part of any organization’s defence strategy. SamSam will continue to evolve in order to side-step perimeter security. As such, you will need to ensure that all endpoint protection solutions, including any cloud-based solutions you are using, are carefully configured and used to their maximum capabilities.
As mentioned, the SamSam group will seek to exploit vulnerabilities in a number of different application servers and communication protocols. You will need a solid patch management program that ensures that all software is patched in a timely manner.
Access Controls & Least Privilege
Healthcare organizations will need to focus their attention on restricting access to any files, folders and applications that could be leveraged by the attacker, and users should only be granted the permissions necessary for them to adequately carry out their role. Once access controls have been set up, organizations will need to monitor these controls in real-time using a ransomware detection and prevention solution. Most ransomware detection solutions also provide a feature known as “threshold alerting,” which can detect and respond to events that match a pre-defined threshold condition, such as the bulk encryption of files.
In addition to restricting access to certain parts of the network, organizations should disable any programs that are not essential to core operations. For example, any file sharing or remote access protocols that are not needed should be disabled.
Systems that use single-factor authentication continue to get breached. Multi-factor authentication should be used to make it harder for attackers to brute-force their way into your network, particularly for solutions that enable remote access, such as VPN solutions or RDP. Likewise, a ransomware detection solution will provide automated tools which can remind users to reset their passwords, as well as detect and respond to suspicious failed login attempts.
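The threshold condition described above can be sketched as a sliding-window count of distinct files changed per account. This is an added example, not code from any particular detection product; the event tuple layout, account names, file paths, and the limit of 25 files in 60 seconds are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def make_sample_events():
    """Constructed file-audit events: (timestamp, account, action, path)."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    # Normal activity: one account edits a file every five minutes.
    events = [(base + timedelta(minutes=5 * i), "nurse01", "modify",
               f"\\\\fs01\\charts\\note{i}.docx") for i in range(6)]
    # Burst: one account rewrites 40 files in 20 seconds.
    burst = base + timedelta(hours=2)
    events += [(burst + timedelta(seconds=0.5 * i), "svc_backup", "modify",
                f"\\\\fs01\\records\\scan{i}.pdf") for i in range(40)]
    return sorted(events)

def threshold_alerts(events, limit=25, window=timedelta(seconds=60)):
    """Return one alert per account that changes `limit` or more distinct
    files inside any `window`-long span. Events must be time-ordered."""
    recent = defaultdict(deque)   # account -> (timestamp, path) still in window
    alerts = {}
    for ts, account, action, path in events:
        if action not in ("modify", "rename", "delete"):
            continue              # reads are not a sign of bulk encryption
        q = recent[account]
        q.append((ts, path))
        # Drop events that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct >= limit and account not in alerts:
            alerts[account] = {
                "account": account,
                "window_start": q[0][0],
                "triggered_at": ts,
                "files": distinct,
            }
    return list(alerts.values())

if __name__ == "__main__":
    for alert in threshold_alerts(make_sample_events()):
        print(f"ALERT {alert['account']}: {alert['files']} files changed "
              f"between {alert['window_start']} and {alert['triggered_at']}")
```

Counting distinct paths rather than raw events keeps an application that repeatedly saves one file from tripping the alert; the limit and window need tuning against normal activity on each file share.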