SamSam Ransomware

Discussion in 'Hangar Talk' started by RJM62, Dec 3, 2018.

  1. RJM62

    RJM62 Touchdown! Greaser!

    Joined:
    Jun 15, 2007
    Messages:
    12,092
    Location:
    Catskill Mountains, New York
    Display name:
    Geek On The Hill
  2. Rushie

    Rushie Pattern Altitude

    Joined:
    Jun 21, 2006
    Messages:
    1,868
    Display name:
    Rushie
    I clicked on your link and got this:

    UntrustedCapture.JPG

    Was I not supposed to click on that link?
     
  3. N659HB

    N659HB Pattern Altitude

    Joined:
    Jul 20, 2013
    Messages:
    2,311
    Location:
    Check your six
    Display name:
    Pops
    Your tax dollars at work! lol
     
  4. RJM62

    RJM62 Touchdown! Greaser!

    Joined:
    Jun 15, 2007
    Messages:
    12,092
    Location:
    Catskill Mountains, New York
    Display name:
    Geek On The Hill
    The link is fine. PaleMoon apparently doesn't like the SSL cert. (Although it didn't complain about it on any of my computers.)

    You can safely try another browser or override it. It's Homeland Security's cybersecurity site.

    Rich
     
  5. Anymouse

    Anymouse En-Route

    Joined:
    Jul 30, 2007
    Messages:
    2,969
    Location:
    Clinton, AR (Sometimes)
    Display name:
    Total Stud Bush Pilot
    I always get that from government websites. Especially the military sites.
     
  6. Rushie

    Rushie Pattern Altitude

    Joined:
    Jun 21, 2006
    Messages:
    1,868
    Display name:
    Rushie
    Okay... I'll trust you guys....
     
  7. Skyrys62

    Skyrys62 Pattern Altitude

    Joined:
    Apr 5, 2017
    Messages:
    2,019
    Location:
    Owensboro, KY
    Display name:
    Skyrys62
    Uncle SamSam
     
  8. RJM62

    RJM62 Touchdown! Greaser!

    Joined:
    Jun 15, 2007
    Messages:
    12,092
    Location:
    Catskill Mountains, New York
    Display name:
    Geek On The Hill
    Actually, I think US-CERT are among the more useful federal employees.

    Rich
     
  9. N659HB

    N659HB Pattern Altitude

    Joined:
    Jul 20, 2013
    Messages:
    2,311
    Location:
    Check your six
    Display name:
    Pops
    I'm sure you are correct, I just thought it was funny that a government site would be untrusted.
     
  10. kyleb

    kyleb En-Route

    Joined:
    Jun 13, 2008
    Messages:
    3,993
    Location:
    Marietta, GA
    Display name:
    Drake the Outlaw
    So, are you most likely to get SamSam from a trojan horse hiding in an advertisement on a poorly managed site, through a bogus attachment in an e-mail, or maybe through a link that hijacks your PC?
     
  11. RJM62

    RJM62 Touchdown! Greaser!

    Joined:
    Jun 15, 2007
    Messages:
    12,092
    Location:
    Catskill Mountains, New York
    Display name:
    Geek On The Hill
    Right now, most attacks seem to be over RDP and to be targeting specific organizations; but any of the above (and other) propagation methods have been used historically.

    Although the attacks seem to be targeting specific organizations, disabling RDP if you enabled it and no longer use it (it's not enabled by default), and closing whatever ports it used in the firewall (3389 is the default port), would be good ideas in any case.

    Rich
     
  12. Let'sgoflying!

    Let'sgoflying! Touchdown! Greaser!

    Joined:
    Feb 23, 2005
    Messages:
    16,015
    Location:
    west Texas
    Display name:
    Dave Taylor
    I log into the office server regularly with my laptop.
    Pretty sure both have Bitdefender.

    Anything I should ask my IT guy regarding this?
     
  13. AggieMike88

    AggieMike88 Touchdown! Greaser!

    Joined:
    Jan 13, 2010
    Messages:
    15,734
    Location:
    Denton, TX
    Display name:
    Now offering reverse discounts.
    So, should I be reaching out to a Level-9 Techneeshan with a Mumbai accident who, while helping me in my locations, will show me how the tree command says my system is compromised and netstat shows I have foreign hackers?

    I spoke to his cousin recently who helped me pay my taxes with these government vouchers.


    A0A0D948-04E7-435F-BC2F-676E2BE4ACCF.jpeg
     
    Omalley1537, Rushie and RJM62 like this.
  14. RJM62

    RJM62 Touchdown! Greaser!

    Joined:
    Jun 15, 2007
    Messages:
    12,092
    Location:
    Catskill Mountains, New York
    Display name:
    Geek On The Hill
    Maybe just, "Hey, what's the deal with this SamSam thing? Anything I should know?" It's refreshing (or at least it was to me) when users show some security consciousness. Most are clueless.

    I actually had a pretty nice experience with a client along those lines last week. About 6:30 in the morning last Friday, one of my servers poked me and told me that an account in California was sending an unusually high volume of mail. I investigated and found that two machines on the client's LAN were spewing forth the proverbial ****load of spam into the ether.

    I disabled the two affected addresses' outgoing mail, ratelimited the others with notification just in case they were infected too, and told him to hire someone to clean, test, and clear all the machines on his LAN, and then send me a certification that he'd done so. Amazingly, the client immediately complied without complaining. A few hours later, when the machines were cleaned, I re-enabled him with forced outgoing spam-filtering and ratelimits on his outgoing mail. So far, so good. Looks like his guy did the job.

    It's always nice when clients take responsibility for their problems and fix them, rather than trying to blame an upstream provider who had nothing to do with their difficulties. It's refreshing.

    Rich
     
    Last edited: Dec 4, 2018 at 9:37 PM
    Let'sgoflying! likes this.
  15. SCCutler

    SCCutler Administrator Management Council Member

    Joined:
    Feb 27, 2005
    Messages:
    16,404
    Location:
    Dallas
    Display name:
    Spike Cutler
    My office RDP is done through a VPN; better, right? Cisco.
     
  16. RJM62

    RJM62 Touchdown! Greaser!

    Joined:
    Jun 15, 2007
    Messages:
    12,092
    Location:
    Catskill Mountains, New York
    Display name:
    Geek On The Hill
    I wouldn't get complacent about it. If I were still in that end of the business, I'd be pushing clients hard to require multi-factor authentication for remote access services like VPN, RDP, WebDAV, FTP, etc. That's along with the usual good practices such as strong passwords, frequent firmware checks on the VPN appliance, minimum privileges, good antivirus software on both the server and clients, and so forth. And, of course, good air-gapped backups.

    I'm not in that end of the business anymore, so I'm by no means current on IIS security. But my understanding is that SamSam isn't too picky about the route of entry, so every remotely-accessible service has to be scrutinized and secured. If MS offers MFA on IIS for all remote connections, that would be a start.

    Rich
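One way to act on the advice in Rich's posts 11 and 16 above (check whether Remote Desktop is on at all, which port it listens on, whether the firewall admits it, and what else on the box is reachable remotely), as an added PowerShell example that is not part of this thread. It assumes a Windows host with the built-in NetSecurity and NetTCPIP modules (Windows 8 / Server 2012 or later) and an elevated session; the `-Disable` switch and the check-first, change-only-when-asked layout are choices made for this example, not anything Rich described.

```powershell
# Added example (not from the thread): audit a Windows host's RDP exposure,
# then optionally apply the "disable it and close the port" recommendation.
# Run in an elevated PowerShell session. Read-only unless -Disable is given.

[CmdletBinding()]
param(
    [switch]$Disable   # hypothetical switch for this example: actually turn RDP off
)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# 1. Is Remote Desktop enabled? fDenyTSConnections = 1 means disabled (the Windows default).
$deny       = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
$rdpEnabled = ($deny -eq 0)

# 2. Which port is the listener configured for? 3389 is the default. A changed port
#    only moves the exposure; it does not remove it, so report it rather than trust it.
$port = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber

# 3. Is Network Level Authentication required? UserAuthentication = 1 means a client must
#    authenticate before it ever sees the logon screen; 0 exposes that screen to anyone.
$nla = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication

# 4. Is anything actually listening on that port, and which inbound firewall rules admit it?
$listening = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
$rules     = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
             Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }

[PSCustomObject]@{
    RdpEnabled       = $rdpEnabled
    ListenPort       = $port
    NlaRequired      = ($nla -eq 1)
    ListenerActive   = [bool]$listening
    InboundRulesOpen = @($rules).Count
} | Format-List

# 5. Every other TCP listener bound to a non-loopback address, with its owning process,
#    so each remotely reachable service gets the same scrutiny (post 16's point).
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -ne '127.0.0.1' -and $_.LocalAddress -ne '::1' } |
    Select-Object LocalAddress, LocalPort,
        @{ Name = 'Process'
           Expression = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
    Sort-Object -Property LocalPort -Unique |
    Format-Table -AutoSize

# 6. Apply the recommendation only when explicitly asked: deny connections and turn off
#    the inbound "Remote Desktop" firewall rules so the port is closed as well.
if ($Disable) {
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Write-Host "Remote Desktop disabled and its inbound firewall rules turned off."
}
```

Run it once without arguments and read the summary; `RdpEnabled = True` together with `InboundRulesOpen` greater than zero on a machine nobody uses RDP on is exactly the case post 11 says to close. The listener inventory in step 5 is the starting list for post 16's "every remotely-accessible service has to be scrutinized", and MFA, where a service supports it, then goes on whatever remains in that list.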
     
  17. Ghery

    Ghery Final Approach

    Joined:
    Feb 25, 2005
    Messages:
    9,309
    Location:
    Olympia, Washington
    Display name:
    Ghery Pettit
  18. vman

    vman Pre-takeoff checklist

    Joined:
    Sep 16, 2018
    Messages:
    268
    Display name:
    vman
  19. Ghery

    Ghery Final Approach

    Joined:
    Feb 25, 2005
    Messages:
    9,309
    Location:
    Olympia, Washington
    Display name:
    Ghery Pettit