The Department of Homeland Security and the Federal Bureau of Investigation have identified cyber threat actors using SamSam ransomware—also known as MSIL/SAMAS.A—to target multiple industries, including some within critical infrastructure in the United States and worldwide.
The actors exploit Windows servers to gain persistent access to a victim's network and infect all reachable hosts. According to reporting from victims in early 2016, cyber actors used the JexBoss Exploit Kit to access vulnerable JBoss applications. Since mid-2016, FBI analysis of victims' machines indicates that cyber actors use Remote Desktop Protocol (RDP) to gain persistent access to victims' networks. Typically, actors either use brute force attacks or stolen login credentials. Detecting RDP intrusions can be challenging because the malware enters through an approved access point.
CERT Bulgaria encourages users and administrators to review the following resources for more information:
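The bulletin notes that RDP intrusions are hard to spot because the actor arrives through a sanctioned service. One practical detection is to correlate Windows Security events: a burst of failed logons (Event ID 4625) from one source followed by a successful RemoteInteractive logon (Event ID 4624, LogonType 10) from the same source is the signature of a brute-force attempt that worked, or of stolen credentials being tried until one fits. The script below is an added example, not part of the CERT Bulgaria bulletin or the DHS/FBI alert; it assumes events have already been parsed into dictionaries with the fields shown, and every IP address, username and timestamp in it is constructed.

```python
"""Added example (not from the CERT Bulgaria bulletin or the DHS/FBI alert):
flag likely RDP brute-force activity in Windows Security events.

Assumptions: events are pre-parsed dicts carrying the Windows Security Event ID
(4625 = failed logon, 4624 = successful logon), the source address, the target
user and the LogonType. LogonType 10 is RemoteInteractive, i.e. an RDP session.
Note that with Network Level Authentication enabled, failed RDP attempts are
usually logged as 4625 with LogonType 3 (network), so failures are counted
regardless of type and only the success is required to be type 10.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (all addresses, users and times are made up):
#  - 198.51.100.7 fails six times in two minutes, then logs in over RDP
#  - 203.0.113.20 fails once and then logs in (an ordinary mistyped password)
#  - 192.0.2.9 fails three times an hour apart and never succeeds
SAMPLE_EVENTS = [
    {"time": "2016-09-01T02:00:01", "id": 4625, "user": "administrator", "src": "198.51.100.7", "logon_type": 3},
    {"time": "2016-09-01T02:00:05", "id": 4625, "user": "admin", "src": "198.51.100.7", "logon_type": 3},
    {"time": "2016-09-01T02:00:09", "id": 4625, "user": "administrator", "src": "198.51.100.7", "logon_type": 3},
    {"time": "2016-09-01T02:01:00", "id": 4625, "user": "admin", "src": "198.51.100.7", "logon_type": 3},
    {"time": "2016-09-01T02:01:30", "id": 4625, "user": "administrator", "src": "198.51.100.7", "logon_type": 3},
    {"time": "2016-09-01T02:02:00", "id": 4625, "user": "administrator", "src": "198.51.100.7", "logon_type": 3},
    {"time": "2016-09-01T02:03:15", "id": 4624, "user": "administrator", "src": "198.51.100.7", "logon_type": 10},
    {"time": "2016-09-01T08:00:00", "id": 4625, "user": "jdoe", "src": "203.0.113.20", "logon_type": 3},
    {"time": "2016-09-01T08:00:30", "id": 4624, "user": "jdoe", "src": "203.0.113.20", "logon_type": 10},
    {"time": "2016-09-01T08:00:00", "id": 4625, "user": "svc_backup", "src": "192.0.2.9", "logon_type": 3},
    {"time": "2016-09-01T09:00:00", "id": 4625, "user": "svc_backup", "src": "192.0.2.9", "logon_type": 3},
    {"time": "2016-09-01T10:00:00", "id": 4625, "user": "svc_backup", "src": "192.0.2.9", "logon_type": 3},
]


def parse_time(ts):
    return datetime.fromisoformat(ts)


def detect_rdp_bruteforce(events, window=timedelta(minutes=10), threshold=5):
    """Return one finding per source address whose failed logons reach
    `threshold` inside any sliding `window`, and note whether a successful
    RDP logon (4624 / LogonType 10) from that source followed the burst."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: parse_time(e["time"]))
        failures = [parse_time(e["time"]) for e in evs if e["id"] == 4625]

        # Sliding window over the sorted failure timestamps: `left` is the
        # oldest failure still inside the window ending at failures[right].
        burst_start = burst_end = None
        left = 0
        for right in range(len(failures)):
            while failures[right] - failures[left] > window:
                left += 1
            if right - left + 1 >= threshold:
                if burst_start is None:
                    burst_start = failures[left]
                burst_end = failures[right]  # latest failure that still qualifies
        if burst_end is None:
            continue

        success_after_burst = any(
            e["id"] == 4624 and e["logon_type"] == 10
            and parse_time(e["time"]) >= burst_end
            for e in evs
        )
        findings.append({
            "src": src,
            "failures": len(failures),
            "burst_start": burst_start.isoformat(),
            "burst_end": burst_end.isoformat(),
            "users_tried": sorted({e["user"] for e in evs if e["id"] == 4625}),
            "success_after_burst": success_after_burst,
        })
    return sorted(findings, key=lambda f: f["src"])


if __name__ == "__main__":
    for f in detect_rdp_bruteforce(SAMPLE_EVENTS):
        verdict = "SUCCESSFUL LOGON AFTER BURST" if f["success_after_burst"] else "no success seen"
        print(f"{f['src']}: {f['failures']} failures, users {f['users_tried']}, {verdict}")
```

With the default ten-minute window and threshold of five, only 198.51.100.7 is reported, and it is flagged because the burst was followed by a successful RDP session; that is the case worth an immediate look, since the attacker now holds a working account. A wider window with a lower threshold (for example three hours and three attempts) also surfaces the slow, spaced-out attempts from 192.0.2.9, which a fixed short window would miss. In a real deployment the same correlation is usually expressed as a SIEM rule, with the thresholds tuned to the environment's normal failure rate.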
Alert AA18-337A: SamSam Ransomware
https://www.us-cert.gov/ncas/alerts/AA18-337A
Malware Analysis Reports:
https://www.us-cert.gov/ncas/analysis-reports/AR18-337A
https://www.us-cert.gov/ncas/analysis-reports/AR18-337B
https://www.us-cert.gov/ncas/analysis-reports/AR18-337C