CHANNELS

Subscribe to the InfoTech eNewsletter

infoTECH Feature

January 14, 2019

8 Tips for a SamSam- and CryptoBlackmail-Free 2019

By Special Guest
Matt Kimpel, Director of IT Engineering, Magna5

Cybercriminals are launching targeted ransomware attacks and extortion scams to get your data — and your money, but there’s a lot you can do to protect yourself.

Earlier this month, the Department of Homeland Security and FBI released a US-CERT (computer emergency readiness team) alert about SamSam ransomware, also known as MSIL/Samas.A. SamSam’s not a new type of malware; it was first discovered in early 2016. What makes it noteworthy, however, is that it doesn’t operate like typical ransomware variants that employ phishing schemes to trick users into clicking links or email attachments. SamSam is deployed using Remote Desktop Protocol (RDP) credentials to sneak onto victims’ networks. The actors sometimes use brute force attacks, but more often they use stolen login credentials acquired from darknet marketplaces. The latter approach makes the ransomware very difficult to detect because the malware enters through an approved access point.

Once criminals gain access (within hours of purchasing the credentials), they escalate privileges for administrator rights, drop malware onto the server, and run an executable file, all without victims’ action, authorization or knowledge.

Another type of cyberattack that’s becoming more prevalent — which uses stolen credentials like SamSam — is CryptoBlackmail. This type of attack, also known as a “sextortion” scam, typically starts with the threat actor contacting the victim via email insisting they have video evidence of the victim viewing adult sites. The actor threatens to expose the victim’s “secret” unless the victim pays a ransom within 48 hours. Included in the email are the username and password to one of the victim’s previously breached online accounts, which causes many recipients of the scam to pay the ransom. In fact, when this threat first emerged in July 2018, one threat actor earned $15,500 USD (2.5 Bitcoin) in just two days.

With the new year upin us and as we reflect on these ransomware threats and extortion scams, it’s a good time to brush up on our computer and network security practices and strategies. Here are eight tips to help reduce your chances of being a SamSam or CryptoBlackmail victim in 2019.

  1. Train Users Not to Click Unknown Email Links or Attachments. The vast majority of cyberattacks (91%) begin with a spear phishing email, so it only makes sense to start here by making cybersecurity training a top priority. Training must include more than mere lecturing, too. It should be reinforced with testing and simulated attacks that mimic real-world situations so users become more vigilant with their inboxes.
  2. Restrict User Admin Privileges. Most ransomware infections start with a single workstation. If the infected computer has local admin privileges, that’s when the problem escalates and spreads throughout the network. Although restricting user’s ability to install applications puts a higher burden on IT, it’s much safer for the organization.
  1. Protect Your Credentials with Multifactor Authentication. With all the security breaches over the past few years, there’s a good chance some of your PII (personally identifiable information) is now for sale on the dark web. Besides making sure you’re creating strong passwords and updating them regularly, implementing multifactor authentication (MFA (News - Alert)) is a good idea. There’s lots of viable options for MFA, too, such as biometric scanners or authentication codes pushed to users’ devices which improves security with minimal inconvenience.
  1. Keep Your Software Patches Current. Cybercriminals go for the low hanging fruit. Besides tricking users into launching malware, threat actors like to exploit software that’s not up to date. The infamous WannaCry ransomware, for example, infected hundreds of thousands of computers worldwide, which all had one thing in common: They were several months behind on their Windows patches.

Where patch management becomes difficult is when companies run custom apps, which can’t just be automatically updated each time a new patch is released. The updates have to be tested first to ensure the program is still stable. For organizations with limited IT personnel, it’s easy to fall behind on testing patches and before you know it, you’re six months and three software versions behind.

Outsourcing this task to an IT services firm is often the best way to solve this issue without having to hire another full-time IT admin. A managed IT services company like Magna5, for example, works with customers’ developers to coordinate software updates with their maintenance windows. After rolling out the updates, Magna5 continues to monitor and validate everything’s working properly.

  1. Protect Your Remote Desktop Environment As mentioned earlier, SamSam often exploits companies’ RDS (Remote Desktop Services) by using stolen credentials available on the dark web. The best way to prevent this from happening to your company is to removedevices with  RDP enabled from the public internet and use a VPN (virtual private network) for added security.
  1. Don’t Assume Your Backups are Good. Business continuity and disaster recovery (BCDR) planning is a vital component to security. Sadly, the majority of companies (75%) discover that their backup sets are corrupted when they attempt an actual recovery. The only way to ensure a backup set is good (i.e., it could be restored if you needed it), is to test your backups (or engage an IT solution provider to do it for you). Although the process will vary from organization to organization, the common thread in testing backups and restores is to perform a complete restoration of every last file to a clean system. Regular testing and test results should ensure your backup strategy is working.
  1. Don’t Skimp on Your Firewall and Antispam Protection. There’s a big difference between the traditional firewall from 10 years ago and an enterprise-grade Nextgen firewall of today. Prior firewalls were stateful packet inspection capable only, meaning they could perform basic port and IP blocking. They don’t have features that are needed to defend against today’s advanced threats. Conversely, enterprise-grade firewall security solutions include advanced features such as geographical blocking.

This is particularly helpful if, for example, your company only does business in the US and Canada, the firewall can block incoming traffic from Norther Korea, Russia and China which are hotbeds for cyberattacks. Additionally, this change in technology has affected antispam solutions as well. Traditional antispam had weaker abilities to detect advanced malware and phishing attempts. It could stop the most obvious messages (e.g. the dethroned Arabian prince who wants to gift you with $5 million) but failed to detect social engineering attempts. Advanced antispam solutions can give users insights into phishing techniques coming from outside the company. For example, a message sent to someone in accounting purporting to be the CEO asking for $20,000 to be immediately wired to a bank account is more easily detected as fraudulent when it’s market “[external] within the subject line.”

Nextgen firewalls and antispam solutions are integrated with threat intelligence databases, which are updated in real time with the latest malware signatures and other threat information. Not every vendor is the same though, so selecting companies well known in threat migration is important.

  1. Consider an Outsourced Security Monitoring Service. One of the biggest challenges with a brute-force style attack is that an organization may not have any idea it’s even under attack. Even if the company has security systems in place that log the attacks, if no one’s looking at the logs, it doesn’t matter (this was the case with the 2013 Target breach). A managed security monitoring service is a viable solution. An MSSP can quickly detect brute-force attack attempts and other anomalies (e.g., a user is signed into their account from two countries simultaneously) and take action on behalf of the client to thwart the attack before a breach and data compromise occurs.

Conclusion

Protecting your company from ransomware or the latest online scam isn’t easy, but it’s a must in this day and age. Don’t forget that you don’t have to go it alone. There’s help available, and it’s not as expensive as you might think. It just might be the smartest investment you make for your company in the new year.

About the author: Matt Kimpel, Director of IT Engineering of Magna5, brings more than a decade of experience in the IT services industry and significant expertise in the areas of networking and security. He leads the Managed Services Advanced Engineering team and oversees the delivery and growth of the Managed Security Services, as well as plays a key role in new product development within Magna5.




Edited by Erik Linask
FOLLOW US

Subscribe to InfoTECH Spotlight eNews

InfoTECH Spotlight eNews delivers the latest news impacting technology in the IT industry each week. Sign up to receive FREE breaking news today!
FREE eNewsletter

infoTECH Whitepapers