A new ransomware exploiting exposures in RDP


A ransomware strain named SamSam differs from familiar forms of ransomware. While other variants are emailed to potential victims, SamSam attacks take advantage of exposed RDP access - whether through brute-force attacks or credentials purchased on the dark web.

After breaking into an unhardened machine, the attackers look for vulnerabilities they can exploit to spread the code across the organization's internal network before encrypting files.

Once the attackers have a foothold on the network, they encrypt a significant number of machines and demand a ransom payment in bitcoin in exchange for the decryption keys. Payments can exceed $50,000.

SamSam requires more capability from the attackers than other forms of ransomware, but the time and effort pay off for the crooks - Sophos researchers analyzed payments made into the attackers' bitcoin wallets and found they had already received about $5.9 million.

The immediate conclusion is to reduce the use of RDP and, where it is required, to harden it, for example by:

  • Allowing access only from specific addresses
  • Requiring MFA for authentication
  • Hardening the machine at the operating-system level
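As an added example (not from the original article), the following PowerShell applies the first and third points on a single Windows host: it scopes inbound RDP to an assumed management range (10.10.0.0/24 is a placeholder), requires Network Level Authentication and TLS, and enables account lockout against password guessing. MFA is not a local setting and is noted in a comment only.

```powershell
# Added example, not from the article. Run in an elevated PowerShell session.
# Placeholder: replace with the jump-host or VPN range that should reach RDP.
$AllowedSources = @('10.10.0.0/24')

# 1. Allow RDP (TCP 3389) only from specific addresses.
#    Disable the built-in, unscoped "Remote Desktop" rules and add one scoped rule.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'RDP-Allow-Mgmt-Only' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $AllowedSources `
    -Action Allow -Profile Any

# 2. Require Network Level Authentication so credentials are validated
#    before a full session is created, and require TLS for the transport.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -Value 1   # 1 = NLA required
Set-ItemProperty -Path $rdpTcp -Name 'SecurityLayer'      -Value 2   # 2 = TLS required

# 3. OS-level hardening against brute force: lock accounts after 5 failures,
#    for 30 minutes, counting failures within a 30-minute window.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# MFA for RDP is not a local registry setting; it is enforced at an RD Gateway
# (e.g. with an NPS/MFA extension) or another gateway in front of the host.

# Verify the resulting state.
Get-NetFirewallRule -DisplayName 'RDP-Allow-Mgmt-Only' | Get-NetFirewallAddressFilter
Get-ItemProperty -Path $rdpTcp | Select-Object UserAuthentication, SecurityLayer
net accounts
```

The verification block should show RemoteAddress limited to the placeholder range, UserAuthentication 1 and SecurityLayer 2; any host still reachable on 3389 from other networks has not been scoped.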