
Security Alert



Alert-SamSam Ransomware 2018-08-27
Threat Description

SamSam Ransomware is a custom strain used in targeted, hands-on attacks rather than in mass spam campaigns: the operators break into a network first and then deploy the ransomware themselves. To gain the initial foothold they exploit vulnerabilities in exposed services such as Remote Desktop Protocol (RDP), Java-based web servers (notably JBoss) and File Transfer Protocol (FTP) servers, or they brute-force weak passwords on Internet-facing RDP logons.
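Because the foothold often comes from password guessing against RDP, the most useful thing a defender can look for in the Windows Security log is a burst of failed logons (Event ID 4625, LogonType 10) from one source address followed by a successful logon (Event ID 4624, LogonType 10) from the same address. The Python script below is an added example written for this alert; it is not RW-CSIRT tooling and not taken from the referenced articles. The event IDs and logon type are the real Windows values, but the CSV export layout (timestamp, EventID, LogonType, TargetUserName, IpAddress), the threshold and window, and the log lines it runs over are all constructed for the example.

```python
"""RDP brute-force detection over exported Windows Security events.

Added example (not RW-CSIRT tooling).  Event IDs 4625 (failed logon) and
4624 (successful logon) with LogonType 10 (RemoteInteractive, i.e. RDP)
are the real Windows values; the CSV export layout, the thresholds and
the sample data below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (not real telemetry), one event per line:
# timestamp,EventID,LogonType,TargetUserName,IpAddress
SAMPLE_LOG = """\
2018-08-27T02:00:01,4625,10,administrator,203.0.113.45
2018-08-27T02:00:03,4625,10,administrator,203.0.113.45
2018-08-27T02:00:05,4625,10,admin,203.0.113.45
2018-08-27T02:00:08,4625,10,backup,203.0.113.45
2018-08-27T02:00:11,4625,10,scanner,203.0.113.45
2018-08-27T02:00:14,4625,10,jboss,203.0.113.45
2018-08-27T02:00:20,4624,10,backup,203.0.113.45
2018-08-27T02:05:00,4625,10,jdoe,10.0.0.15
2018-08-27T02:05:30,4624,10,jdoe,10.0.0.15
2018-08-27T03:00:00,4624,3,svc-backup,10.0.0.20
"""

FAIL_THRESHOLD = 5              # assumption: failures from one source that count as guessing
WINDOW = timedelta(minutes=10)  # assumption: sliding window the failures must fall inside
RDP_LOGON_TYPE = 10             # Windows LogonType for RemoteInteractive (RDP)


def parse_event(line):
    """Split one exported CSV line into a typed record."""
    ts, event_id, logon_type, user, ip = line.strip().split(",")
    return {"time": datetime.fromisoformat(ts), "event_id": int(event_id),
            "logon_type": int(logon_type), "user": user, "ip": ip}


def detect_rdp_bruteforce(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {source_ip: finding} for every source that reaches `threshold`
    RDP logon failures inside `window`.  `succeeded_as` is filled in when the
    same source then logs on successfully while those failures are still
    inside the window, i.e. the guessing produced a foothold."""
    events = sorted((parse_event(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["time"])
    recent = defaultdict(list)   # ip -> [(time, user)] failures still inside the window
    findings = {}

    def finding(ip):
        return findings.setdefault(ip, {"failures": 0, "users": set(),
                                        "succeeded_as": None, "success_time": None})

    for ev in events:
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue                      # only RDP logons matter for this alert
        ip = ev["ip"]
        # Slide the window: forget failures older than `window` relative to this event.
        recent[ip] = [f for f in recent[ip] if ev["time"] - f[0] <= window]

        if ev["event_id"] == 4625:
            recent[ip].append((ev["time"], ev["user"]))
            if len(recent[ip]) >= threshold:
                f = finding(ip)
                f["failures"] = max(f["failures"], len(recent[ip]))
                f["users"].update(u for _, u in recent[ip])
        elif ev["event_id"] == 4624 and len(recent[ip]) >= threshold:
            # Success right after a burst of failures: the guessing worked.
            f = finding(ip)
            f["succeeded_as"] = ev["user"]
            f["success_time"] = ev["time"]

    for f in findings.values():
        f["users"] = sorted(f["users"])   # stable output for reporting
    return findings


if __name__ == "__main__":
    for ip, f in detect_rdp_bruteforce(SAMPLE_LOG).items():
        state = (f"foothold as {f['succeeded_as']} at {f['success_time']}"
                 if f["succeeded_as"] else "guessing still in progress")
        print(f"{ip}: {f['failures']} RDP failures, users tried {f['users']}; {state}")
```

On the constructed data the script reports 203.0.113.45 as having made six failed RDP attempts against five different usernames and then logged on as "backup"; the single failure from 10.0.0.15 followed by a success is an ordinary typo and is not reported. A source that crosses the threshold without a later success is still returned (with `succeeded_as` unset), which is the point at which blocking the address and checking the lockout policy is cheapest.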

Impact of the vulnerability

The attackers scan the Internet for unpatched server-side software and use it to enter the network quietly, without any interaction from the victim's users. Once inside, they spend time collecting data and credentials, then deploy a build of SamSam customized for that victim. From the compromised server they push the encrypting payload to the Windows machines on the network and to any backups reachable over the network, so the backups are encrypted together with the data they were meant to protect. Because deployment is driven by the attackers from inside the network, the impact is typically organization-wide rather than a single infected workstation.

Vulnerable versions

The server-side entry point this alert is concerned with is outdated, unpatched JBoss web servers. Once such a server has been compromised, every Windows host and every network-attached backup reachable from it is at risk, regardless of its own patch level.

Solution: RW-CSIRT strongly recommends that users:

• Patch the vulnerability by updating JBoss web servers to the latest supported version, and take any JBoss instance that can no longer be updated off the Internet-facing network.
• Restrict access to RDP (TCP port 3389): do not expose it directly to the Internet, reach it through a VPN or from an allow-list of source addresses only, and enable account lockout so that password guessing is slowed down.
• Use strong, unique passwords. Default passwords and other easily guessed credentials are exactly what the brute-force stage of this attack looks for.
• Perform regular backups and keep at least one copy offline or otherwise unreachable from the network, since the attackers deliberately encrypt network-based backups.


Affected users should:

Contact RW-CSIRT by calling 4045 or writing to security@risa.rw for help in analyzing the source of the incident and for recommendations.
References:
1. https://thehackernews.com/2018/07/samsam-ransomware-attacks.html
2. https://ransomwarewatch.com/what-is-samsam-ransomware/