This advisory is published by
 |
| Samsam Ransomware Advisory 2018 |
Samsam Ransomware Attack by Mycert Alert
1.0 Brief Description
Samsam is a type of Ransomware which infects computing platform, restricts users’ access and encrypt files on the infected platform. An amount of ransom payment is needed in order to regain access to system and files. Once the ransomware infected a system, it will most probably scan and infect other vulnerable systems within the same network.
Ransomware usually exploits known or 0-day (unknown and unpatched) vulnerabilities in operating systems to assume total control of the computer. They usually operate by restricting access to critical files and information on a system (or a network of systems) by encrypting them and then demanding payment for a decryption key to enable the files to be accessed again.
3.0 Impact
• Files on the infected computer are usually encrypted and the owner is unable to access it until a ransom is paid.
For example, some ransomware request this such ransom amount:
o 1.7 Bitcoin (USD4,600) for a single machine
o 6 Bitcoins (USD16,400) for half the machines (allowing the victim to confirm they can recover their files)
o 12 Bitcoins (USD32,800) for all the machines
• Individuals and organizations are discouraged from paying the ransom, as this does not guarantee access will be restored.
4.0 Affected Product
• Insecure Windows RDP accounts
• Unpatched Windows OS and applications
• Unpatched Java-based web servers
• Unpatched FTP servers
5.0 Recommendations
• Follow a strict patching protocol of both operating systems and all the applications that
run on them.
• Complete, regular vulnerability scans and penetration tests across the network.
• Perform periodic assessments, using third-party tools like Censys or Shodan, to identify
publicly-accessible services and ports across your public-facing IP address space, then
close them.
• Restrict access to port 3389 (RDP) by only allowing staff who use a VPN to be able to
remotely access any systems. Restrict VPN access to specific IP addresses, ranges, or
geographies that your organization wishes to allow remote access.
• Require the use of multi-factor authentication for sensitive internal systems, even for
employees on the LAN or VPN.
• Improve password policies: Encourage employees to use secure password managers,
longer passphrases and the non-reuse of passwords for multiple accounts - How to
pick a proper password.
• Improve account access controls: Enact sensible policies to secure idle accounts;
automatically lock accounts and alert IT staff after a number of failed login attempts.
• Real-time monitoring with a goal of identifying and, if necessary, locking down unusual
account activity quickly. Perform drills and improve the response time of the IT staff in
charge of this task
• Educate staff about security risks by running regular phishing tests.
• Backup & implement backup policy.
• Report any incidents of ransomware to relevant parties for assistance.
Generally, MyCERT advises internet users to be updated with the latest security announcements by the authority and follow best practice security policies to prevent and mitigate the threat.
6.0 References
• https://www.alienvault.com/blogs/labs-research/samsam-ransomware-targeted-attacks-continue
• https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf?cmp=26061
• https://www.mycert.org.my/en/services/advisories/mycert/2017/main/detail/1263/index.html
• https://blog.avast.com/ransomware-attacks-via-rdp
• https://www.bleepingcomputer.com/news/security/ic3-issues-alert-regarding-remote-desktop-protocol-rdp-attacks/
• https://www.business-standard.com/article/technology/wannacry-s-origin-modus-operandi-impact-safe-cyber-practices-explained-117053100291_1.html
• https://blog.malwarebytes.com/cybercrime/2018/05/samsam-ransomware-need-know/
source
0 Komentar untuk "Samsam Ransomware Advisory by MYCERT 2018"