An ransomware named SamSam is different from familiar forms of ransomware. While other versions are emailed to potential victims, SamSam attacks take advantage of RDP access exposures - whether by BRUTE FORCE attacks, or CREDENTIALS purchased on DARK WEB.
After hacking into a non-rugged machine, attackers look for vulnerabilities that they exploit to distribute the code on the organization's internal network before encrypting files.
Once the attackers have a grip on the network they perform the encryption of a significant number of machines and demand a ransom payment in bitcoin in exchange for decryption keys. Payments can reach over $50,000.
SamSam requires higher capabilities from attackers compared to other forms of ransomware, but time and effort pay off for crooks - Sophos researchers analyzed payments made into attackers' bitcoin wallets and found they had already received about $5.9 million.
The immediate conclusion is to reduce the use of RDP and in cases where it is required to perform hardening such as:
- Allow access only from specific addresses
- Assign MFA in identification
- Harden the machine at the operating system level