Also known as: Samas
Category: Malware
Type: Ransomware
Platforms: Windows
Damage potential: Data encryption, ransom demands, network spread, operational disruption, damage to reputation
Overview
SamSam is a type of ransomware targeting organizations in various industries, including transportation, healthcare, and education.
Cybercriminals behind SamSam access a victim’s network through exposed Remote Desktop Protocol (RDP) ports, escalate their privileges to administrator, and deploy the ransomware onto the victim’s server. This way, SamSam can infect connected devices with minimal risk of detection. Once on a device, it encrypts files and drops a ransom note demanding a cryptocurrency payment to unlock those files.
Possible symptoms
The most obvious signs of a SamSam infection are encrypted files and a ransom note. You may also notice changes in file extensions, failed login attempts, or system slowdowns.
Sources of infection
SamSam ransomware mostly takes advantage of security weaknesses in Remote Desktop Protocol (RDP) ports or outdated software to get into systems. Although not as common, it can also infect devices via phishing emails.
Protection
SamSam attacks often target bigger networks, so these protection methods are mainly for organizations rather than individuals.
- Close all unnecessary Remote Desktop Protocol (RDP) ports, and protect the ones you must keep open with strong passwords.
- Use complex passwords and change them regularly.
- Enable multi-factor authentication.
- Divide your network into segments. By doing so, you can limit the damage in case of an infection.
- Monitor networks for suspicious activity, such as increased bandwidth or unauthorized access attempts.
- Install reputable antivirus software and keep it updated.
- Back up important data and store backups in a secure location.
- Implement strict user access control. Only allow users to access the data they need for their work.
- Conduct regular security audits to identify vulnerabilities on your network.
- Educate employees on good cybersecurity practices.
- Prepare a detailed incident-response plan.
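The monitoring item above and the "failed login attempts" symptom noted earlier both come down to spotting a burst of failed RDP logons followed by a success. The Python below is an added example written for this entry, not code from any vendor or from the SamSam operators; it assumes Windows Security events (4625 failed logon, 4624 successful logon, logon type 10 = RDP) have already been flattened into one line each, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real telemetry. Assumed flattened format:
# "<ISO timestamp> <EventID> LogonType=<n> User=<name> Src=<ip>"
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP)
SAMPLE_LOG = """\
2024-01-01T02:00:01 4625 LogonType=10 User=administrator Src=203.0.113.5
2024-01-01T02:00:04 4625 LogonType=10 User=administrator Src=203.0.113.5
2024-01-01T02:00:07 4625 LogonType=10 User=administrator Src=203.0.113.5
2024-01-01T02:00:10 4625 LogonType=10 User=administrator Src=203.0.113.5
2024-01-01T02:00:13 4625 LogonType=10 User=administrator Src=203.0.113.5
2024-01-01T02:00:40 4624 LogonType=10 User=administrator Src=203.0.113.5
2024-01-01T09:15:00 4625 LogonType=10 User=jdoe Src=198.51.100.7
2024-01-01T09:20:00 4624 LogonType=10 User=jdoe Src=198.51.100.7
"""

FAILED, SUCCESS, RDP_LOGON_TYPE = "4625", "4624", "10"

def parse(line):
    """Split one flattened record into its fields."""
    ts, event_id, logon_type, user, src = line.split()
    return {"ts": datetime.fromisoformat(ts), "event": event_id,
            "logon_type": logon_type.split("=", 1)[1],
            "user": user.split("=", 1)[1], "src": src.split("=", 1)[1]}

def find_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return [(src, user, failures_in_window, success_after_burst), ...].

    A source/user pair is flagged once it reaches `threshold` failed RDP logons
    inside a sliding `window`; a later RDP success from the same pair means the
    guessing worked and the account should be treated as compromised.
    """
    events = sorted((parse(ln) for ln in log_text.splitlines() if ln.strip()),
                    key=lambda e: e["ts"])
    failures = defaultdict(list)  # (src, user) -> failure timestamps in window
    alerts = {}
    for ev in events:
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue  # console/network logons are out of scope for this check
        key = (ev["src"], ev["user"])
        if ev["event"] == FAILED:
            recent = [t for t in failures[key] if ev["ts"] - t <= window] + [ev["ts"]]
            failures[key] = recent
            if len(recent) >= threshold:
                alerts.setdefault(key, {"success_after": False})["failures"] = len(recent)
        elif ev["event"] == SUCCESS and key in alerts:
            alerts[key]["success_after"] = True
    return [(s, u, a["failures"], a["success_after"]) for (s, u), a in alerts.items()]
```

Tune the threshold and window to your environment; a pair flagged with success_after set is the case to escalate first, since it matches the access path described in the overview.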
Removal
If you suspect that SamSam is on your network, you need to act quickly:
- Isolate the infected device(s) by disconnecting them from the internet and your network.
- Use reliable antivirus software to detect and remove the ransomware.
- Restore files from a clean backup.
- Update all passwords and check security settings.
Keep in mind that antivirus software is more effective at preventing malware than at removing it. If the infection persists or you can’t restore your files, you should get professional help.