Days after indicting Iranian hackers accused of masterminding the spread of malware, the U.S. government is warning critical infrastructure organizations such as hospitals, scientific institutions and local governments to protect themselves from the SamSam virus.
Hackers using the SamSam malware exploit Windows servers to break into computer networks and escalate to administrator privileges, according to a Dec. 3 joint alert sent out by the Department of Homeland Security and the FBI.
Victims are located predominantly in the United States, according to the alert. The hackers' ultimate goal is to turn a successful intrusion into financial gain through ransomware.
The FBI believes the hackers gain entry over Remote Desktop Protocol (RDP), using stolen credentials purchased from the dark web. With that access, the hackers are able to “infect victims with minimal detection.”
“From there, the ransomware ‘fun and games’ begin for the authors,” wrote Malwarebytes, a threat intelligence firm, in an analysis of the SamSam virus. “For everyone else, it’s chaos.”
“SamSam actors leave ransom notes on encrypted computers. These instructions direct victims to establish contact through a Tor hidden service site,” the FBI’s alert read. “After paying the ransom in Bitcoin and establishing contact, victims usually receive links to download cryptographic keys and tools to decrypt their network.”
The joint alert recommended strong passwords, two-factor authentication and keeping computers updated as defenses against the SamSam malware.
The alert comes a week after the Department of Justice indicted two Iranian nationals for allegedly authoring the SamSam ransomware in a scheme to collect over $6 million. More than 200 victims have been infected by the SamSam ransomware including hospitals, municipalities, and public institutions at a total cost of $30 million, according to a Nov. 28 indictment from the Department of Justice.
The alleged hackers, Mohammad Mansouri and Faramarz Savandi, are not likely to be extradited to the United States because of the strained relations with Iran. Still, U.S. officials have said that indicting hackers who have a slim chance of facing trial in the U.S. can still impose costs by limiting their travel and hindering their finances.
Justin Lynch is the Associate Editor at Fifth Domain. He has written for the New Yorker, the Associated Press, Foreign Policy, the Atlantic, and others. Follow him on Twitter @just1nlynch.