Don't Let Ransomware Bring You Down: How to Protect Yourself


The FBI now calls ransomware attacks a “billion dollar a year crime.” When the city of Atlanta recently got hit, attackers demanded $6,800 for decrypting files on each infected computer or $51,000 for decryption keys for all the infected computers. A bargain, right? The truth is many victims pay the ransom because it’s often the cheaper and quicker option to get back up and running. Hancock Health got hit in January, and they decided to pay.

“The cost of recovery, versus the ransom itself, required that the incident is viewed with a business perspective – fiscally it made sense to pay,” explained CEO Steve Long.

SamSam attackers know what they are doing. They study their victims, look for weak spots, figure out what they can afford and go for it. Paying may solve the problem in the short term, but it feeds the ransomware marketplace and allows it to thrive. Erie County Medical Center was attacked in 2017. They stood firm and refused to pay. Full recovery took three months and $10 million. Does it have to be a lose-lose scenario? No. Prevention and preparation are your best defenses.

Consider the best strategies to combat SamSam and other ransomware tactics, including implementing a comprehensive security strategy that includes Microsoft Modern Workplace security and a dedicated partner like Agile IT.

Understand Their Tactics

The best defense is a good offense. Understanding the enemy is the first step. The group behind SamSam is opportunistic. They know just how to aim their arrows to inflict the most damage, making victims feel like paying is the only option. They often bring down critical systems that can’t wait for backups. Who are they targeting and how?

They look primarily at healthcare and government organizations that are vulnerable due to servers that have been left exposed to the Internet. Atlanta is just the most recent in a list of victims. Just this year, SamSam hit the municipality of Farmington, NM in January, as well as two hospitals, Hancock Health and Adams Memorial. David County, North Carolina got hit in February. And, Colorado’s Department of Transportation was infected twice in just eight days. Yes. We said twice.

In 2015, attackers mainly victimized organizations using JBoss. The next year, they expanded to target organizations using single-factor external access, such as RDP, VPN, FTP platforms and Microsoft’s IIS. The City of Atlanta had several possible entry points, including VPN gateways, FTP servers, and IIS installations. Additionally, their servers had SMBv1 enabled, giving attackers an in through EternalBlue. EternalBlue is the name given to an exploit for a specific vulnerability in the Microsoft Windows operating system, specifically in Microsoft Server Message Block 1.0 (SMBv1). SMB allows applications to read, write to and request services from files within the same network, so a flaw in it facilitates the spread of the ransomware. Microsoft issued a security update in March 2017. Organizations that did not update were left vulnerable.

Facts to Know About SamSam

  • It’s not spread through spam email. SamSam doesn’t need unsuspecting employees to click on links or email attachments.
  • Attackers target exposed servers, ones with weak passwords or stolen credentials. Scanning tools such as Shodan and Masscan make it easy for attackers to identify vulnerable ports, RDP connections, and other unprotected services.
  • Upon entry, attackers let SamSam loose using legitimate system tools, such as Wmic.exe or PsExec.
  • SamSam attackers enter quietly, wait, then gather credentials. They work their way through a network manually, encrypting files as they go.

What About Antivirus Software?

SamSam attackers are well-prepared and know how to evade antivirus software. Remember the Colorado Department of Transportation that got hit twice within an eight-day period? The first attack occurred even though they had McAfee antivirus software installed and fully up-to-date on all their computers. McAfee responded immediately with an update directly designed to block the specific strain of SamSam that attacked.

Eight days later SamSam hit again with a new variant of its ransomware. “The tools we have in place didn’t work. It’s ahead of our tools,” explained a spokesperson from the Colorado Office of Information Technology. While antivirus software is a good start, companies must go a step further by implementing technologies that leverage the cloud for faster and stronger protection, such as Windows Defender Advanced Threat Protection (ATP).

Best Protection Practices

Commenting on the Atlanta attack, Wired said, “Ransomware is dumb. Even a sophisticated version like this has to rely on automation to work. Ransomware relies on someone not implementing basic security tenets.” What are the basic security measures that can protect your organization?

Secure Passwords

Many ransomware attackers use phishing or online scams to trick an unsuspecting employee into clicking on and running a malicious program. SamSam attackers, however, don’t need to resort to such trickery. SamSam exploits vulnerabilities or weak passwords to gain entry through public-facing systems. As companies, employees and customers become more tech-savvy and reliant on their devices for 24/7 network access, SamSam attackers are exploiting this availability. It’s critical to require employees and clients with accounts to set up strong passwords and to limit the number of attempts allowed to get into the system.

Additionally, multi-factor authentication, especially for VPN and remote services, is critical. SamSam specifically targets single-factor authentication paths since they are the easiest to break through. Multi-factor authentication and information protection are both features of Microsoft Enterprise Mobility + Security (Microsoft EMS). In addition, Advanced Threat Analytics uses artificial intelligence to raise real-time alerts when suspicious activity, including logins, takes place. For example, Advanced Threat Analytics can detect “pass the hash,” a popular technique used by SamSam attackers that uses an NTLM or LanMan hash to authenticate to a remote server instead of requiring the plaintext password.

Ensure Early Detection

All is not lost just because SamSam attackers gain entry. Once they are in, they typically spend time getting positioned, working their way through the network before they start encrypting machines. SamSam is spread through a manual process: experts think there are attackers literally at their keyboards, unlike most malware, which spreads automatically. That means there is a window for detection if your system is set up to recognize anomalies. It’s easier said than done, because attackers often use whitelisted tools and valid credentials, which is another case for rock-solid passwords. Still, could your detection strategy spot users who suddenly start using things they have no valid reason to be using? The quicker SamSam is detected, the less damage is inflicted.
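One way to look for that kind of anomaly, as an added example that is not part of the original post: it baselines which accounts normally launch the admin tools named earlier (PsExec, Wmic.exe) and from which hosts, then flags launches outside that baseline. The log format, host names and account names are constructed for illustration; in practice the events would come from process-creation logging.

```python
from collections import defaultdict

# Admin tools this article names as abused by SamSam operators.
WATCHED = {"psexec.exe", "wmic.exe"}

# Constructed sample logs: time|source host|account|image path
BASELINE_LOG = r"""
2018-03-01T09:02:11|ADM-WS01|svc_deploy|C:\Tools\PsExec.exe
2018-03-02T10:15:40|ADM-WS01|jadmin|C:\Windows\System32\wbem\WMIC.exe
"""
TODAY_LOG = r"""
2018-03-20T08:30:02|ADM-WS01|svc_deploy|C:\Tools\PsExec.exe
2018-03-20T23:41:17|HR-PC07|rnurse|C:\Windows\System32\wbem\WMIC.exe
2018-03-20T23:44:50|WEB02|jadmin|C:\Windows\System32\wbem\WMIC.exe
2018-03-20T23:45:03|HR-PC07|rnurse|C:\Windows\notepad.exe
"""

def parse(log):
    """Turn pipe-delimited lines into event dicts with a lower-cased tool name."""
    events = []
    for line in log.strip().splitlines():
        ts, host, user, image = line.split("|")
        tool = image.rsplit("\\", 1)[-1].lower()
        events.append({"ts": ts, "host": host, "user": user.lower(), "tool": tool})
    return events

def build_baseline(events):
    """Map each account to the (tool, host) pairs it normally uses."""
    seen = defaultdict(set)
    for e in events:
        if e["tool"] in WATCHED:
            seen[e["user"]].add((e["tool"], e["host"]))
    return seen

def detect(events, baseline):
    """Flag watched-tool launches that fall outside an account's baseline."""
    alerts = []
    for e in events:
        if e["tool"] not in WATCHED:
            continue
        known = baseline.get(e["user"], set())
        if e["tool"] not in {tool for tool, _ in known}:
            reason = "account has never used this tool"
        elif (e["tool"], e["host"]) not in known:
            reason = "known tool launched from a new host"
        else:
            continue  # matches normal behaviour for this account
        alerts.append((e["ts"], e["user"], e["tool"], e["host"], reason))
    return alerts

ALERTS = detect(parse(TODAY_LOG), build_baseline(parse(BASELINE_LOG)))
for alert in ALERTS:
    print(" | ".join(alert))
```

Because the check keys on account and source host rather than on the binary, it still fires when the tool is whitelisted and the credentials are valid.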

Update and Patch Management

As noted earlier, Microsoft released an update for EternalBlue one year before the Atlanta attack. However, it was discovered that the patch was never installed. Have a solid patch management program to ensure there is no lapse between a patch’s release and its installation. An IT partner such as Agile IT will ensure that their clients deploy patches as soon as they are available. Additionally, Agile IT can provide Vulnerability Scanning to verify that your systems are configured and protecting you as expected.

Monitor Access

The fewer users that have administrative access, the better off you are. The more people with unrestricted access, the greater access SamSam will have. Ransomware is often designed to use a system administrator account. Decreasing the number of accounts and deleting default system administrator accounts creates one more line of defense. If administrator access is given, stress to users that it is only to be used as needed. Additionally, if it’s only needed temporarily, monitor it and take it back when the time is complete.

Configure Access Controls

Configure access controls to files, directories and network share permissions with the least privilege in mind. That means not automatically giving everyone write access. Many employees only need read access to shared files and networks. Additionally, consider implementing software restriction policies to stop execution in temporary folders. Limiting employee access limits SamSam’s access if they happen to steal credentials. Note that it’s common for companies to lose important data due to poorly securing it and not reviewing it often enough. Avoid this scenario by moving data to SharePoint Online, OneDrive and/or Files on Azure to evaluate and update content, security permissions, and storage policies.

Disable Unnecessary Functionality

If you don’t use SMB, disable it. The same goes for other servers that provide entry points. The fewer accessible entry points, the better.

Prepare for the Possibility

Even organizations with top-notch security can be vulnerable. A Symantec report had this to say, “[they’re using] advanced attack techniques, displaying a level of expertise similar to that seen in many cyber espionage attacks.” What can you do if you are attacked? Preparation is key.

Businesses are put in a tough position because they either don’t have backup files or can’t get to them quickly enough. The availability of copies of your files is the best damage mitigation strategy possible. Killing the ransom Trojans isn’t the hard part. File recovery is what costs the most money and time. The recovery process is further complicated by the fact that ransomware attacks not only encrypt data files but also affect Windows restore points and shadow copies.

Talk About Your Backup Strategy

It’s critical that you have a diversified backup strategy. Backups must be stored on a separate system that is not accessible from a network. Consider having one backup in the cloud and another at a different physical location. Ensure backups are done regularly. Have an automatic process in place for doing so.

A backup strategy must be tested and re-evaluated on a consistent basis. Verify that backups are capturing all critical data and that the restore process works with your current environment. It’s important to note that the backup data may be overwritten with newer versions of the data that is encrypted by ransomware, making the testing and detection phases even more critical.
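A sketch of one such check, added here as an example and not taken from the original post: before a new backup generation replaces the previous one, compare the two and hold the rotation if too many files changed into something that looks encrypted or disappeared. The file sets, the 7.5 bits-per-byte entropy cutoff and the 20% threshold are assumptions chosen for illustration.

```python
import hashlib
import math
import os
from collections import Counter

# File signatures for formats whose first bytes are fixed.
MAGIC = {".pdf": b"%PDF", ".docx": b"PK\x03\x04", ".png": b"\x89PNG"}

def entropy(data):
    """Shannon entropy in bits per byte (8.0 is indistinguishable from random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(path, data):
    """Header check for known formats, entropy check for plain-text ones."""
    ext = os.path.splitext(path)[1].lower()
    if ext in MAGIC:
        return not data.startswith(MAGIC[ext])
    return entropy(data) > 7.5

def review_generation(prev, curr, max_ratio=0.2):
    """Return (safe_to_rotate, suspect_files, missing_files) for a new backup set."""
    changed = [p for p in curr if p in prev and curr[p] != prev[p]]
    suspect = sorted(p for p in changed if looks_encrypted(p, curr[p]))
    missing = sorted(p for p in prev if p not in curr)  # deleted or renamed
    safe = len(suspect) + len(missing) <= max_ratio * len(prev)
    return safe, suspect, missing

def noise(n):
    """Deterministic high-entropy bytes standing in for ciphertext."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32))

# Constructed backup sets: path -> file content.
PREVIOUS = {
    "reports/q1.pdf": b"%PDF-1.4 quarterly report " * 40,
    "hr/policy.docx": b"PK\x03\x04" + b"word/document.xml " * 40,
    "img/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 500,
    "data/export.csv": b"id,name,amount\n1,alice,10\n" * 40,
    "notes/todo.txt": b"call vendor\n",
}
NORMAL = dict(PREVIOUS, **{"notes/todo.txt": b"call vendor\norder tapes\n"})
INFECTED = dict(PREVIOUS, **{p: noise(4096) for p in
                             ("reports/q1.pdf", "hr/policy.docx", "data/export.csv")})

print(review_generation(PREVIOUS, NORMAL))
print(review_generation(PREVIOUS, INFECTED))
```

When the check fails, the previous generation is the one to preserve: it may be the last copy taken before encryption started.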

Keep SamSam at Bay with a Managed IT Service

It’s likely that SamSam attackers select municipalities and healthcare organizations because stakeholders are typically focused on the organization’s immediate needs instead of cyberdefense. Limited resources and budgets further put security in the back seat. The team at Agile IT understands the challenges of IT teams across all business sectors and sizes. Talk to a team member today about how Microsoft EM+S with Agile IT can be part of your security strategy. Agile IT is a cloud-first managed services company and was a four-time Microsoft Cloud Partner of the Year. Contact us today.