The attacker’s preferred deployment tool is the Sysinternals PsExec application, which the attacker uses to copy files across the network. The attacker has been known to use other deployment tools in situations where PsExec is blocked. In one recent attack, they were seen switching to a similar tool called PaExec from PowerAdmin.
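As an added illustration (not from the Sophos report or the SamSam actor's tooling), the following Python snippet flags the service-installation events that PsExec and PAExec leave in the Windows System log when they run on a target host. The event records are constructed samples, and the service-name conventions (PSEXESVC for PsExec, PAExec-<pid>-<host> for PAExec) are assumptions taken from the tools' public default behaviour; a renamed copy would evade this check, so it is a cheap first signal rather than a complete detection.

```python
import re
from dataclasses import dataclass

# Constructed sample of Windows System log "service installed" events (Event ID 7045),
# flattened to one line each the way a SIEM export might look. Not real SamSam telemetry.
SAMPLE_EVENTS = [
    'EventID=7045 Computer=FS01 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe StartType=demand start',
    'EventID=7045 Computer=DB02 ServiceName=PAExec-4120-ADMIN-PC ImagePath=C:\\Windows\\PAExec-4120-ADMIN-PC.exe StartType=demand start',
    'EventID=7045 Computer=WS17 ServiceName=Spooler ImagePath=%SystemRoot%\\System32\\spoolsv.exe StartType=auto start',
    'EventID=7036 Computer=FS01 ServiceName=PSEXESVC State=running',
    'EventID=7045 Computer=HR03 ServiceName=svc_backup ImagePath=C:\\Program Files\\Backup\\agent.exe StartType=auto start',
]

# Assumed default service names of the two tools: PsExec installs "PSEXESVC",
# PAExec installs "PAExec-<pid>-<hostname>". Both can be renamed by the operator.
REMOTE_EXEC_SERVICE_PATTERNS = {
    "PsExec": re.compile(r"^PSEXESVC$", re.IGNORECASE),
    "PAExec": re.compile(r"^PAExec-\d+-", re.IGNORECASE),
}

# key=value pairs; values may contain spaces, so stop at the next " key=" or end of line
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


@dataclass(frozen=True)
class Alert:
    computer: str
    tool: str
    service_name: str
    image_path: str


def parse_event(line):
    """Turn one flattened event line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def detect_remote_exec_services(lines):
    """Return an Alert for every new-service event whose name matches a remote-exec tool."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "7045":  # only service installations, not state changes
            continue
        name = ev.get("ServiceName", "")
        for tool, pattern in REMOTE_EXEC_SERVICE_PATTERNS.items():
            if pattern.search(name):
                alerts.append(Alert(ev.get("Computer", "?"), tool, name, ev.get("ImagePath", "")))
                break
    return alerts


if __name__ == "__main__":
    for a in detect_remote_exec_services(SAMPLE_EVENTS):
        print(f"{a.computer}: {a.tool} service '{a.service_name}' installed from {a.image_path}")
```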
Once the attack has been launched, the only thing left for the SamSam threat actor to do is wait to see if the victim makes contact via the attacker’s dark web payment site, the details of which are provided to the victim in the ransom note. The attacker gives the victim roughly seven days to pay the ransom, although, for an additional cost, this time can be extended.
Mackenzie added, “SamSam is a reminder to businesses that they need to actively manage their security strategy. By deploying an in-depth approach, they can ensure their network is less visible and open to attack to avoid being the low-hanging fruit the hacker is searching for. We recommend IT managers follow security best practices, including hard-to-crack passwords and rigorous patching.”
Sophos recommends the following four security measures:
· Restrict access to port 3389 (RDP) so that only staff connecting through a VPN can remotely access any systems, and require multi-factor authentication for VPN access.
· Complete regular vulnerability scans and penetration tests across the network; if you have not followed through on recent pen-testing reports, do it now.
· Activate multi-factor authentication for sensitive internal systems, even for employees on the LAN or VPN.
· Create back-ups that are offline and offsite, and develop a disaster recovery plan that covers the restoration of data and whole systems.