
Network Patches May Save Your Business From Ransom Attack

Ransomware variants are probing for your unpatched networks!

The Samsam ransomware has been around for almost two years, but recently it has been wreaking havoc on businesses of every size across the country. Local governments, law offices, hospitals, you name it, have all been victims of this ransom attack.

Once a machine is infected, the malware crawls your network sniffing out your important files: it looks for specific file types on the C drive and encrypts their entire contents.

Samsam also deletes anything it thinks may be a backup of your files, so backups kept on the same network are not safe.

Here is a recent example of what Samsam did to the MSSQL server of a local business that was not up to date on its patching:

The criminals leave a message all over your machine with instructions on how to pay up to regain access to your files. This is just a snippet of what the ransom note looks like.

The going rate for decryption is about $33,000 USD (hopefully you keep that kind of cash on hand).

But paying the ransom is a gamble: if you pay the Samsam ransom, you may not get your data back. After doing a little research on the group behind these attacks, we found that once the ransom is paid, you may not even receive the decryption key. In fact, nearly half of the businesses that paid the hefty $33,000 ransom never got a single file decrypted (money down the drain).

What makes this ransomware even harder to deal with is that there is no easy way to decrypt the files yourself, or to eradicate it from servers and workstations without reimaging the machine. The FBI is currently investigating options for recovering files encrypted by Samsam, but so far no one has found a reliable method of decrypting files left in its path.

If you haven't been infected, what should you do to make sure you don't get infected?

I feel like a broken record, but the same steps that I’ve mentioned time and time again will keep your business safe from Samsam:

  1. Patch your network and regularly update software: I cannot stress this one enough. If your IT support is not patching your network and testing the patches it applies, you are a sitting duck for Samsam. The attackers behind it use an open-source tool, JexBoss, to scan the internet for unpatched JBoss application servers and exploit them. Once JexBoss gets them in, Samsam is deployed.
  2. Train your users: while Samsam does not rely on tricking users into letting it into your network, users should still understand how to prevent data breaches and infections through security training. Criminals keep coming up with more believable phishing schemes, and you had better believe they are trying to get into your network with a multi-pronged approach.
  3. Back up EVERYTHING: if Samsam (or even a natural disaster) hits your business, how will you get back up and running? The sure-fire way is to take regular (at least weekly) backups of your network and keep at least one copy offline or otherwise out of the malware's reach, since Samsam deletes any backups it can find. Then, in the event that crypto crud (or anything else) hits, you can recover without a hiccup.
  4. Test, test, test: whether it is confirming that a backup actually completed and can be restored, or confirming that patches were actually applied, your IT support and IT security teams need to make sure everything is working properly. More often than not, when I run network security assessments for a prospective client, their backups are not working and their patches are misapplied or missing. Testing should be part of your IT support team's process!
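Steps 3 and 4 above boil down to one check: does the backup you would restore from actually contain what you think it does? The script below is an added example and not code from the original post or from any product mentioned in it. It records a SHA-256 manifest of the source tree when the backup is taken and later compares the backup copy against that manifest, reporting files that are missing (deleted, as Samsam does to backups it can reach), modified (what an encrypted file looks like to a hash check) or unexpected. The directory layout, file contents and ransom-note file name in the demo are constructed for illustration.

```python
"""Backup verification: SHA-256 manifest taken at backup time, checked before restore.

Added example, not from the original post. A backup the malware can reach gets
deleted; a backup that was never verified may be silently incomplete or already
encrypted. Hashing at backup time and re-checking later catches both.
"""
from __future__ import annotations

import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so multi-gigabyte backups are not read into RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (relative path, POSIX separators) to its SHA-256."""
    root = Path(root)
    manifest: dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            manifest[full.relative_to(root).as_posix()] = sha256_file(full)
    return manifest


def save_manifest(manifest: dict[str, str], path: Path) -> None:
    """Write the manifest as JSON. Keep it OFF the backup share: malware that
    deletes backups will delete a manifest stored next to them."""
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict[str, str]:
    return json.loads(Path(path).read_text())


def verify_backup(backup_root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare a backup tree against the manifest recorded when it was taken.

    missing  : in the manifest but absent from the backup (deleted or never copied)
    modified : present but hash differs (encrypted in place, truncated, corrupted)
    extra    : present in the backup but not in the manifest (e.g. a dropped ransom note)
    All three lists empty means the backup is complete and intact.
    """
    actual = build_manifest(backup_root)
    return {
        "missing": sorted(p for p in manifest if p not in actual),
        "modified": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "extra": sorted(p for p in actual if p not in manifest),
    }


def backup_is_good(report: dict[str, list[str]]) -> bool:
    return not any(report.values())


def run_demo() -> dict:
    """Constructed scenario: take a backup, verify it, then simulate ransomware
    hitting the backup share (one file overwritten, one deleted, a note dropped)
    and verify again. Returns the manifest and both reports."""
    work = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    try:
        src = work / "fileserver"                       # hypothetical source tree
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.xlsx").write_bytes(b"hello")           # constructed content
        (src / "finance" / "q1.pdf").write_bytes(bytes(range(256)) * 16)  # constructed content

        manifest = build_manifest(src)
        save_manifest(manifest, work / "manifest.json")  # stored outside the backup tree

        backup = work / "backup"
        shutil.copytree(src, backup)
        clean = verify_backup(backup, load_manifest(work / "manifest.json"))

        # Simulated damage, constructed to mimic what the post describes
        (backup / "finance" / "ledger.xlsx").write_bytes(os.urandom(64))  # "encrypted" in place
        (backup / "finance" / "q1.pdf").unlink()                            # backup file deleted
        (backup / "RANSOM_NOTE.txt").write_text("pay up")                  # note dropped
        tampered = verify_backup(backup, load_manifest(work / "manifest.json"))

        return {"manifest": manifest, "clean": clean, "tampered": tampered}
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    result = run_demo()
    print("clean backup intact:", backup_is_good(result["clean"]))
    print("after tampering:", json.dumps(result["tampered"], indent=2))
```

Run the verification from a clean host against the offline copy, not from the file server that may already be compromised, and store the manifest somewhere the backup job cannot overwrite it; if the manifest lives on the same share as the backup, an attacker who deletes one deletes the other and the check proves nothing.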

Are you willing to roll the dice on paying a ransom? Are you sure you are taking the right steps to keep your business from falling to Samsam? Contact us today for a free network security assessment to see if you are Samsam-proofed.
