You keep backups of your files in case your main device is compromised, and you assume that makes you safe. There is now a type of attack, the Samas ransomware (also written SamSam), that is designed to destroy your backups along with everything else. So are you truly safe?
What is the difference between Ransomware & Samas?
Unlike most ransomware, which encrypts the files on a single device, Samas spreads through your entire network and encrypts the files on ALL the servers and ALL the workstations it can reach. The attack runs in three steps:
1. First the attackers steal domain credentials.
2. Then they identify their targets through Active Directory.
3. Then they move laterally through the network, encrypting EVERYTHING they can reach.
The goal of Samas is to take out every key machine and every file the attackers can reach, backup files on network shares and backup servers included, so the victim has no option but to pay.
"According to Javelin Networks’ report, Samas has been mainly focused on organizations in the United States over the past year, but that entities in Europe and Asia were also targeted."
How is Samas Ransomware used?
The attack starts with RDP. RDP, the Remote Desktop Protocol, lets a user connect to another computer's desktop over a network connection. The criminals scan the Internet for RDP services exposed without protection, then brute-force the logon with password guessing until they obtain a valid account. With that foothold they map the organization's network, install the ransomware by hand on the endpoints they choose, and then the extortion begins. The end result: every backup that was reachable from the network, including backup servers and shared drives, is encrypted along with the production data.
What to do when Samas Ransomware strikes?
1. Always keep a RECENT offline backup of your files on an external hard drive, disconnected from the network once the backup is done. A backup that stays mounted or reachable over a share is just another file for Samas to encrypt.
2. Write a script that changes the extension of your important databases and backups, for example from .bak to .bak1 or from .zip to .zip1. Ransomware typically picks its targets by file extension, so renamed files may be skipped. Treat this only as a small extra hurdle: Samas is deployed by hand, and an attacker who is already on the box can recognize a renamed file.
3. The best protection against RDP brute force is strong RDP security settings: do not expose RDP directly to the Internet (put it behind a VPN or restrict it to a management subnet at the firewall), require Network Level Authentication, enforce account lockout after a few failed logons, use strong passwords with multi-factor authentication, and disable drive and clipboard redirection so a stolen session cannot be used to copy shared folders off the machine.
4. Turn on logon auditing so that every RDP brute-force attempt leaves the attacker's details in your Security log. Each failed logon is recorded as Windows event 4625 and each successful one as event 4624; both carry the account name tried and the source IP address. Use Windows Event Viewer (or a script) to find the compromised account and the attacker's IP address, then block that address, reset the account, and report the attack to the FBI through the Internet Crime Complaint Center (ic3.gov).
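The hardening settings in point 3, as an added PowerShell example that is not part of the original article. It is run from an elevated prompt on the host that accepts RDP. The management subnet 10.0.50.0/24 and the lockout values are assumptions to replace with your own; the registry paths, firewall rule group and audit subcategory are the standard Windows ones.

```powershell
# Added example (not from the original article): baseline RDP hardening on a
# Windows host, run from an elevated PowerShell prompt.
$MgmtSubnet = '10.0.50.0/24'   # assumption: where admins legitimately connect from

# 1. Require Network Level Authentication and TLS, so a client must authenticate
#    before a full RDP session (and its attack surface) is set up.
$tsPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $tsPath -Name 'UserAuthentication' -Value 1   # 1 = NLA required
Set-ItemProperty -Path $tsPath -Name 'SecurityLayer' -Value 2        # 2 = TLS only

# 2. Replace the built-in "any address" RDP firewall rules with one that only
#    accepts TCP/3389 from the management subnet.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'RDP from management subnet only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $MgmtSubnet -Action Allow -Profile Domain,Private | Out-Null

# 3. Account lockout so a brute-force run stalls after a handful of guesses
#    (local policy shown; on a domain set the same values in Group Policy).
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# 4. Disable drive and clipboard redirection so a stolen RDP session cannot
#    pull shared folders back over the channel.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
New-Item -Path $policy -Force | Out-Null
Set-ItemProperty -Path $policy -Name 'fDisableCdm'  -Value 1 -Type DWord
Set-ItemProperty -Path $policy -Name 'fDisableClip' -Value 1 -Type DWord

# 5. Audit logon success and failure so brute-force attempts reach the
#    Security log (events 4624 / 4625), which the detection step relies on.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
```

Multi-factor authentication for RDP is not a host setting and is not shown here; it comes from the VPN or RD Gateway that fronts the service.

The detection and response step in point 4, as an added PowerShell example that is not part of the original article. It reads the Security log for failed logons (event 4625), groups them by source IP, flags any address that also has a successful logon (event 4624) in the same window, and blocks the offenders at the host firewall. The threshold, look-back window and firewall rule name are assumptions; the event IDs and the EventData field names (TargetUserName, IpAddress, LogonType) are Windows' own.

```powershell
# Added example (not from the original article): find RDP brute-force attempts in
# the Security log and block the offending source addresses. Run elevated.
$Threshold = 20                        # assumption: failures from one IP before acting
$Since     = (Get-Date).AddHours(-1)   # assumption: look-back window

# Turn an event into a small record of the fields we care about.
function ConvertTo-LogonRecord {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $Event.TimeCreated
        User      = $d['TargetUserName']
        LogonType = [int]$d['LogonType']
        SourceIp  = $d['IpAddress']
    }
}

# 4625 = failed logon. With NLA on, RDP failures arrive as logon type 3 (network);
# without it they are type 10 (RemoteInteractive). Keep both, and only real IPv4 sources.
$failures = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertTo-LogonRecord $_ } |
    Where-Object { $_.LogonType -in 3,10 -and $_.SourceIp -match '^\d+\.\d+\.\d+\.\d+$' }

# 4624 = successful logon: a hit from a brute-forcing IP means the account is compromised.
$successIps = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertTo-LogonRecord $_ } |
    Where-Object { $_.LogonType -in 3,10 } |
    Select-Object -ExpandProperty SourceIp -Unique

# One row per attacking IP: attempt count, accounts tried, and whether any guess worked.
$attackers = $failures | Group-Object SourceIp |
    Where-Object { $_.Count -ge $Threshold } |
    ForEach-Object {
        [pscustomobject]@{
            SourceIp    = $_.Name
            Attempts    = $_.Count
            Accounts    = ($_.Group.User | Sort-Object -Unique) -join ','
            Compromised = $successIps -contains $_.Name
        }
    }
$attackers | Format-Table -AutoSize

foreach ($a in $attackers) {
    if ($a.Compromised) {
        Write-Warning "Successful logon from $($a.SourceIp): treat account(s) $($a.Accounts) as compromised and reset them"
    }
    # Block the source at the host firewall; the rule name keeps this idempotent.
    $rule = "Block RDP brute force $($a.SourceIp)"
    if (-not (Get-NetFirewallRule -DisplayName $rule -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $rule -Direction Inbound -RemoteAddress $a.SourceIp -Action Block | Out-Null
    }
}
```

Keep the `$attackers` table: the source IPs, timestamps and account names are exactly what an IC3 report asks for. Blocking at the host is a stopgap; the same addresses should go into the perimeter firewall, and a successful logon from a brute-forcing IP means the account password, not just the IP, has to change.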