SamSam ransomware making a comeback
The Colorado Department of Transportation has shut down over 2,000 computers after systems have been infected with the SamSam ransomware on Wednesday, February 21. The malicious group demanded an undisclosed amount of bitcoin from CDOT to have their files back.
The State’s Office of Information Technology, which reached out to the FBI for assistance, are still investigating the attack and have not paid a cent to attackers. Said Brandi Simmons, an OIT spokeswoman.
“This Ransomware virus was a variant and the state worked with its antivirus software provider (McAfee) to implement a fix. The state has robust backup and security tools and has no intention of paying ransomware. Teams will continue to monitor the situation closely and will be working into the night,” said David McCurdy, State Chief Technology Office.
Meanwhile, employees are forbidden from accessing the internet until the problem is solved.
SamSam Ransomware spread via RDP (Remote Desktop Protocol)
SamSam ransomware uses a undetected method of scanning the internet for computers with open RDP connections.
Attackers break their way into large networks by brute-forcing these RDP Endpoints and the accessing computers unprotected on the network. Once they have a sufficiently strong presence on the network, the attackers deploy SamSam and wait for the victim organization to either pay the ransom demand or try to boot them off the Network.
How to Prevent this attack
-Log out of all remote sessions when not in use.
-NEVER save your passwords for RDP
-Remove your passwords from autofill keychains (Chrome, IE Exporer, Edge, Firefox.)
-Contact a member of the Windward team if there is any suspicion of the attack