A new ransomware exploiting exposures in RDP

02/11/2020

A ransomware family named SamSam differs from familiar forms of ransomware. While other variants are emailed to potential victims, SamSam attacks take advantage of exposed RDP access, whether through brute-force attacks or with credentials purchased on the dark web.

After breaking into an unhardened machine, attackers look for vulnerabilities they can exploit to spread the code across the organization's internal network before encrypting files.

Once the attackers have a foothold on the network, they encrypt a significant number of machines and demand a ransom payment in bitcoin in exchange for the decryption keys. Payments can reach over $50,000.

SamSam demands more capability from attackers than other forms of ransomware, but the time and effort pay off for the crooks: Sophos researchers analyzed payments made into the attackers' bitcoin wallets and found they had already received about $5.9 million.

The immediate conclusion is to reduce the use of RDP and, where it is required, to harden it, for example by:

  • Allowing access only from specific addresses
  • Requiring MFA for authentication
  • Hardening the machine at the operating system level
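The three hardening steps above applied to a single Windows host, as an added example that is not part of the original article and not code from Sophos or the SamSam analysis. It assumes Windows 10 / Windows Server 2016 or later with the built-in "Remote Desktop" firewall rule group, runs in an elevated PowerShell session, and uses a placeholder management subnet (`10.20.30.0/24`) and lockout values that are an assumed starting point rather than a standard:

```powershell
# Added example: restrict and harden RDP on one Windows host (run as Administrator).
# Assumes Windows 10 / Server 2016+ with the built-in "Remote Desktop" firewall group.
$AllowedSources = @('10.20.30.0/24')   # placeholder: jump host / admin VPN range

# If RDP is not needed on this host at all, disable it instead of scoping it.
# Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 1

# 1. Allow access only from specific addresses: scope the built-in inbound RDP
#    rules so the firewall drops every other source before it reaches the listener.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Set-NetFirewallRule -RemoteAddress $AllowedSources -Enabled True

# A scoped rule is meaningless if the profile is off or defaults to allow.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

# 2. MFA: RDP itself has no second factor; it is enforced by whatever sits in
#    front of it (an RD Gateway or VPN tied to an MFA-capable identity provider).
#    On the host, make credential guessing expensive and visible: lock accounts
#    after repeated failures and audit failed logons (event ID 4625).
net accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15   # assumed values
auditpol /set /subcategory:"Logon" /failure:enable

# 3. OS-level hardening of the RDP listener.
$RdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
# Network Level Authentication: the client must authenticate before a session is created.
Set-ItemProperty -Path $RdpTcp -Name 'UserAuthentication' -Value 1
# SecurityLayer 2 = TLS for the transport; MinEncryptionLevel 3 = High encryption.
Set-ItemProperty -Path $RdpTcp -Name 'SecurityLayer' -Value 2
Set-ItemProperty -Path $RdpTcp -Name 'MinEncryptionLevel' -Value 3

# Verification: show the effective remote-address scope so the change can be audited.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Get-NetFirewallAddressFilter |
    Select-Object InstanceID, RemoteAddress
```

The firewall scoping is the control that directly removes the exposure the article describes: a brute-force attempt or a purchased credential is useless if the source address never reaches port 3389. The lockout and audit settings do not replace MFA, but they make remaining guessing attempts slow and leave 4625 events that a SIEM can alert on; the final query prints the scope so the change can be checked after a policy refresh.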