The SamSam ransomware is an infection that spreads like a bot. Once it successfully infiltrates a computer, it looks for network resources and uses them to spread further. After infecting a dozen or so computers in a target organization, it starts encrypting as many files as possible.
In all, the SamSam ransomware has targeted about 67 organizations within the US. It demands large payouts after every successful infiltration, sometimes amounting to millions of dollars. Municipal computers in the city of Atlanta were attacked by the malware in 2018, as was the Colorado Department of Transportation. Most of the victims of the attacks were healthcare facilities.
How Does SamSam Ransomware Work?
Unlike most ransomware families, which are spread indiscriminately via spam emails, phishing campaigns, or exploit kits, the SamSam ransomware is spread in a targeted way. Its modus operandi is to gain access to an organization’s network and spend time performing reconnaissance, i.e. mapping out the network, before choosing the opportune moment to encrypt as many files on as many computers as possible.
The hackers behind the malware use a tactic called “living off the land.” It involves using features of the operating system itself to compromise the targeted victim’s network. The living off the land tactic makes it possible for the malware to keep a low profile while it spreads.
In a documented 2018 attack, hackers using the malware were able to stay hidden for 48 hours, by which time they had managed to use PsInfo, a Microsoft Sysinternals tool, to gather system information, and to use network resources to download other malware to aid in their nefarious activities.
After the infiltration process is complete, the malware displays a message that details the conditions for decryption. It demands that massive amounts of money, sometimes running to hundreds of thousands of dollars, be sent to a Bitcoin address.
As you can imagine, successful infiltrations have very damaging consequences for the victims. The entire thing is disruptive, frustrating, and enormously expensive to deal with.
How to Prevent SamSam Ransomware?
How do you prevent SamSam ransomware? SamSam goes for easy targets. It is not looking for computers that are hard to break into. The malware creators want an easy job, and it is up to a targeted organization to deliver that by being sloppy with its network security. Here are a few tips that you can use to successfully prevent the SamSam ransomware:
· Install a Powerful Antivirus
A premium antivirus solution such as Outbyte Antivirus will keep watch for any malware attacks. And while you might be tempted to download some free version, take time to consider the considerable damage that a successful infiltration can do to your organization.
· Multi-factor Authentication
All externally-facing applications in your organization should have multi-factor authentication. This ensures that credentials purchased from disgruntled or rogue employees are not enough on their own to get in.
· Patching and Scanning
All externally facing applications on your computers need to be patched against known vulnerabilities. Hackers exploit such vulnerabilities when installing malware on a computer.
· Employ Incident Containment Retainer
An incident containment retainer will help your organization mobilize as fast as possible, should anything happen. It is necessary in incidents involving malware because they affect computers and systems all over the network.
· Employ Backups
If yours is a big organization such as a healthcare provider that deals with vital patient records, there is no excuse for not having a backup system in case something like the SamSam malware strikes. It may be your only chance of continuing operations without a hitch.
Protecting Your Devices from SamSam Ransomware
Say you have taken all the preventive measures above; how do you deal with an active attack or an attempt at infiltration? Here are a few tips:
- If the attack proves successful, don’t consider paying the ransom, as this will only embolden the attackers to be more aggressive the next time. Plus, there is no guarantee that they will let you have your files back.
- If you receive suspicious emails, especially ones that have an attachment, don’t open them until you are certain that they are genuine. At the same time, if someone calls you from the “IT department” requesting password and identification details, consider it fraudulent.
- Keep all your computers up to date. Small and medium-sized organizations have so many computers that they sometimes forget to update them all. All it takes for a successful infiltration campaign is a single point of weakness.
Removing the SamSam Ransomware
The cleanup process after being infected by the SamSam malware, especially for large organizations with hundreds, if not thousands, of computers, can be very expensive. It involves a combination of installing fresh copies of Windows and using Windows recovery processes such as System Restore, as well as running individual computers in Safe Mode with Networking.
To start your Windows 10/11 computer in Safe Mode with Networking, take the following steps:
- Hold the power button for about 10 seconds to turn off your computer.
- Press the power button again to turn on your device. Keep turning your device on and off until the Windows Recovery Environment (WinRE) appears.
- The Windows Recovery Environment will present the Choose an option screen. Select Troubleshoot > Advanced options > Startup Settings > Restart.
- After your computer restarts, you will see a list of options that includes Safe Mode with Networking. Use the arrow keys to select this option, or alternatively press 5 on your keyboard.
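For an organization cleaning up many machines, the power-cycling steps above do not scale well. The following added example (not from the original article) uses the built-in bcdedit tool to make the next boot of the current Windows installation start in Safe Mode with Networking, and to remove that setting again afterwards. It assumes an elevated PowerShell session on Windows 10/11; the function names are the author's own.

```powershell
# Added example: script the "Safe Mode with Networking" boot instead of
# power-cycling the machine. Requires an elevated (Administrator) session.
function Enable-SafeModeNetworkBoot {
    [CmdletBinding()]
    param([switch]$RestartNow)   # hypothetical switch: reboot immediately

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw "Run this from an elevated (Administrator) PowerShell session."
    }

    # Tell the boot loader that the current OS entry should start in
    # Safe Mode with Networking. The braces must be quoted in PowerShell.
    bcdedit /set '{current}' safeboot network | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed with exit code $LASTEXITCODE" }

    Write-Host "Next boot will be Safe Mode with Networking."
    if ($RestartNow) { Restart-Computer -Force }
}

function Disable-SafeModeNetworkBoot {
    # Remove the flag once cleanup is done; otherwise the machine keeps
    # booting into Safe Mode on every restart.
    bcdedit /deletevalue '{current}' safeboot | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed with exit code $LASTEXITCODE" }
    Write-Host "Normal boot restored."
}
```

Run Disable-SafeModeNetworkBoot after the cleanup on each machine, because the safeboot setting persists across reboots until it is deleted.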