Attackers behind SamSam ransomware use two tactics to penetrate an organization. They either exploit vulnerabilities in the target organization's systems to gain access to its network, or they launch brute-force attacks against weak remote desktop protocol (RDP) passwords.
This is according to an analysis by security firm SophosLabs.
“Unlike most of the well-known ransomware families, which attack randomly, SamSam is used against specific organizations, those most likely to pay to get their data back, like hospitals or schools,” SophosLabs researchers said in a white paper.
Once the attackers get in, they look for additional victims through network mapping and credential theft. Then, the attackers manually deploy SamSam on targeted systems using PSEXEC and batch scripts.
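Both tactics described above (RDP brute force on the way in, PsExec-driven deployment once inside) leave traces in Windows event logs. The following detection sketch is an added example, not code from the article or from SophosLabs; the events are constructed samples, and the thresholds, field names and the assumption that PsExec still uses its default PSEXESVC service name are illustrative choices, not facts from the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Each dict carries the Windows
# Security/System event fields that matter for the two SamSam tactics:
#   4625 = failed logon; LogonType 10 = RemoteInteractive, i.e. RDP
#   7045 = new service installed; PsExec installs a service named PSEXESVC
SAMPLE_EVENTS = [
    {"time": "2018-05-01T02:00:01", "id": 4625, "src": "203.0.113.7", "logon_type": 10, "host": "SRV01"},
    {"time": "2018-05-01T02:00:09", "id": 4625, "src": "203.0.113.7", "logon_type": 10, "host": "SRV01"},
    {"time": "2018-05-01T02:00:20", "id": 4625, "src": "203.0.113.7", "logon_type": 10, "host": "SRV01"},
    {"time": "2018-05-01T02:00:31", "id": 4625, "src": "203.0.113.7", "logon_type": 10, "host": "SRV01"},
    {"time": "2018-05-01T02:00:44", "id": 4625, "src": "203.0.113.7", "logon_type": 10, "host": "SRV01"},
    {"time": "2018-05-01T02:00:58", "id": 4625, "src": "203.0.113.7", "logon_type": 10, "host": "SRV01"},
    {"time": "2018-05-01T02:30:00", "id": 4625, "src": "203.0.113.7", "logon_type": 3, "host": "SRV01"},  # network logon, not RDP
    {"time": "2018-05-01T09:15:00", "id": 4625, "src": "198.51.100.5", "logon_type": 10, "host": "SRV01"},
    {"time": "2018-05-01T09:15:30", "id": 4625, "src": "198.51.100.5", "logon_type": 10, "host": "SRV01"},
    {"time": "2018-05-01T02:41:12", "id": 7045, "host": "SRV02", "service": "PSEXESVC", "image": r"C:\Windows\PSEXESVC.exe"},
    {"time": "2018-05-01T08:00:00", "id": 7045, "host": "SRV03", "service": "Spooler", "image": r"C:\Windows\System32\spoolsv.exe"},
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return source IPs with >= threshold failed RDP logons inside any `window`."""
    per_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e.get("logon_type") == 10:
            per_src[e["src"]].append(datetime.fromisoformat(e["time"]))
    flagged = set()
    for src, times in per_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged


def detect_psexec_service(events):
    """Return hosts where a PsExec-style service was installed (Event ID 7045).
    PSEXESVC is PsExec's default name and binary; an operator can rename it,
    so treat this as a first signal and correlate with 4625/4624 activity."""
    return {e["host"] for e in events if e["id"] == 7045
            and ("PSEXESVC" in e.get("service", "").upper()
                 or e.get("image", "").upper().endswith("PSEXESVC.EXE"))}
```

On the sample data the brute-force check flags only 203.0.113.7 (the two failures from 198.51.100.5 stay under the threshold), and the service check flags SRV02 alone.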
The attackers cover their tracks, so security pros have trouble determining the initial infection point and some of the steps taken inside the network. They also delete attack files, including the SamSam payload, and change their deployment methodology.