The Asian Age

Ransomware SamSam now sets eyes on India

- AGE CORRESPONDENT

● SamSam is an encryption tool that renders work data files unusable.
● It is unique in that it is manual; as a result, attackers can employ countermeasures to evade several security tools.

Sophos has released an in-depth investigative white paper on the SamSam ransomware attacks that first appeared in December 2015. Unlike most ransomware, SamSam is a thorough encryption tool, rendering unusable not only work data files but also any program that is not essential to the operation of a Windows computer, most of which are not routinely backed up. SamSam’s attack method is unique in that it is manual; as a result, attackers can employ countermeasures (if needed) to evade many security tools. If the process of encrypting data is interrupted, the malware is capable of comprehensively erasing all trace of itself immediately, hindering any investigation. Furthermore, recovery from the attack may require reimaging and/or reinstalling software as well as restoring backups. As a result, many victims were not able to recover sufficiently or quickly enough to ensure business continuity and had to pay the ransom.

According to Peter Mackenzie, Global Malware Escalations Manager at Sophos, “Most ransomware is spread in large, noisy and untargeted spam campaigns using simple techniques to infect victims and demand relatively small sums in ransom. What sets SamSam apart is that it’s a targeted attack tailored to cause maximum damage and ransom demands are measured in the tens of thousands of dollars. The attack method is surprisingly manual, and more cat burglar than smash-and-grab. As a result, the attacker can employ countermeasures to evade security tools and if interrupted can delete all trace of itself immediately, to hinder the investigation.”

Mackenzie added, “SamSam is a reminder to businesses that they need to actively manage their security strategy. By deploying a defence-in-depth approach, they can ensure their network is less visible and open to attack to avoid being the low-hanging fruit the hacker is searching for. We recommend IT managers follow security best practices, including hard-to-crack passwords and rigorous patching.” SamSam’s relentless attack methodology combined with the growth in Ransomware-as-a-Service and the anticipation of the ever-evolving threat landscape, emphasises the need for a layered and synchronised cybersecurity approach for businesses of all sizes.

Intrusions from exploits have been persistent and are still a prominent threat to businesses and often go undetected for months. Once inside a system, cybercriminals use complex malware that can hide in memory or camouflage itself. In many cases, businesses do not know they’ve been breached until someone finds a large cache of stolen data on the Dark Web.

“Our recently conducted The State Of Endpoint Security Survey revealed that 90 per cent of the businesses in India have either been hit or expect to be hit by ransomware and more than 90 per cent of Indian IT decision makers surveyed were running up-to-date endpoint protection at the time of attack, confirming that traditional endpoint security is no longer enough to protect against today’s evolving ransomware threats. This is an attack pattern we’re likely to see increase in India and it is time for Indian business and individuals to synchronize their cybersecurity posture to defend against such attacks,” concludes Mackenzie.

Sophos recommends the following top four security measures:

Restrict access to port 3389 (RDP) by only allowing staff who use a VPN to be able to remotely access any systems. Utilise multi-factor authentication for VPN access.

Complete regular vulnerability scans and penetration tests across the network; if you have not followed through on recent pen-testing reports, do it now.

Activate multi-factor authentication for sensitive internal systems, even for employees on the LAN or VPN.

Create back-ups that are offline and offsite and develop a disaster recovery plan that covers the restoration of data and whole systems.

PHOTO: PIXABAY
