Security Experts:

Connect with us

Hi, what are you looking for?



DHS Says SamSam Ransomware is Targeting Critical Infrastructure Entities

The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) this week issued an alert on activity related to SamSam, one of the most prevalent ransomware families at the moment. 

The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) this week issued an alert on activity related to SamSam, one of the most prevalent ransomware families at the moment. 

Associated with numerous attacks on health, education and government organizations, SamSam was recently said to have impacted the private sector the most. Over the past couple of years, the actor behind the malware supposedly netted more than $5.9 million.

Last week, the U.S. Department of Justice charged two Iranian men – Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri – over their alleged role in the development and distribution of SamSam for extortion purposes. 

In the newly published activity alert, the DHS and the FBI note that the SamSam operators targeted multiple industries, including entities within critical infrastructure. Most of the victims were located in the United States, the alert says. 

The reason the actors are targeting organizations is that network-wide infections are more likely to garner large ransom payments when compared to infections of individual systems. Furthermore, organizations are more likely to pay large ransom amounts as they need to resume operations quickly.

To gain persistent access to a victim’s network, the actors target vulnerabilities in Windows servers. In early 2016, they were targeting vulnerable JBoss applications, but in mid-2016 they started using Remote Desktop Protocol (RDP) for their attacks, via brute force or stolen credentials. 

Once inside a network, the alert reveals, the actors escalate privileges for administrator rights, after which they drop and execute malicious files onto the server, without victims’ action or authorization. The use of RDP eliminates the need for user interaction to execute the ransomware and also ensures the attack remains undetected. 

According to the alert, the SamSam operators appear to have purchased stolen RDP credentials from known darknet marketplaces. The investigation into attacks revealed that the actors can infect a network within hours of purchasing the credentials. 

The SamSam actors leave ransom notes on the encrypted machines, to instruct victims into contacting them through a Tor hidden service site. They also demand a ransom be paid in Bitcoin, in exchange for which the actors provide victims with links to download cryptographic keys and tools to decrypt their network.

The DHS National Cybersecurity and Communications Integration Center (NCCIC) also published a series of malware analysis reports detailing four SamSam malware variants. 

The DHS and FBI alert also includes a series of mitigation recommendations, such as auditing the network for systems that use RDP, ensuring that cloud-based virtual machine instances with public IPs have no open RDP ports, using strong passwords and two-factor authentication, keeping systems updated, and maintaining a good back-up strategy, among others. 

Related: U.S. Charges Two Iranians Over SamSam Ransomware Attacks

Related: SamSam and GandCrab Illustrate Evolution of Ransomware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.