UPDATED 21:41 EDT / DECEMBER 04 2018


FBI, DHS issue joint advisory over rise in SamSam ransomware attacks

The U.S. Federal Bureau of Investigation and the Department of Homeland Security National Cybersecurity and Communications Integration Center have issued a joint advisory offering ways to deal with the SamSam ransomware.

The advisory, released Monday, warns that those behind the ransomware are targeting multiple industries, including some within critical infrastructure. Victims are said to be predominantly in the United States but also internationally, with the attackers favoring networkwide infections, which are likely to garner larger ransom payments than infections of individual systems.

While noting that those behind the ransomware use the JexBoss Exploit Kit to access vulnerable JBoss applications, FBI analysis of victims’ machines also found that those behind SamSam are using Remote Desktop Protocol to gain persistent access.

“Typically, actors either use brute force attacks or stolen login credentials,” the advisory notes. “Detecting RDP intrusions can be challenging because the malware enters through an approved access point.”

Notably, those stolen login credentials are said to have been acquired from marketplaces on the darknet, a shady part of the internet reachable only with special software.
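The advisory's point that RDP intrusions arrive through an "approved access point" is easiest to see against log data. The following is an added illustration, not code from the advisory or from SiliconANGLE: it runs a simple brute-force heuristic over a constructed sample of Windows Security events (event 4625 failed logon, 4624 successful logon, logon type 10 for RDP); the CSV layout, threshold and window size are assumptions chosen for the example.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample (not real logs) in a simplified CSV export of Windows
# Security events: timestamp, EventID, LogonType, source IP, account.
# 4625 = failed logon, 4624 = successful logon; LogonType 10 = RDP.
SAMPLE_LOG = """\
2018-12-03T02:00:01,4625,10,203.0.113.7,administrator
2018-12-03T02:00:04,4625,10,203.0.113.7,administrator
2018-12-03T02:00:09,4625,10,203.0.113.7,admin
2018-12-03T02:00:15,4625,10,203.0.113.7,backup
2018-12-03T02:00:21,4625,10,203.0.113.7,svc_sql
2018-12-03T02:00:40,4624,10,203.0.113.7,svc_sql
2018-12-03T09:15:00,4625,10,198.51.100.2,jsmith
2018-12-03T09:15:30,4624,10,198.51.100.2,jsmith
2018-12-03T11:00:00,4624,3,198.51.100.9,fileshare
"""

FAIL_THRESHOLD = 5            # assumed: failed RDP logons per source per window
WINDOW = timedelta(minutes=10)

def load_events(text):
    """Parse the CSV sample into sorted (time, event_id, logon_type, ip, user) tuples."""
    rows = []
    for ts, eid, ltype, ip, user in csv.reader(StringIO(text)):
        rows.append((datetime.fromisoformat(ts), int(eid), int(ltype), ip, user))
    return sorted(rows)

def detect_rdp_abuse(text):
    """Return alerts for brute-force bursts and RDP logons that follow a burst."""
    alerts = []
    recent_fail = defaultdict(deque)   # source ip -> times of recent failed RDP logons
    flagged = set()                    # sources already reported as brute-forcing
    for ts, eid, ltype, ip, user in load_events(text):
        if ltype != 10:
            continue                   # only RDP (RemoteInteractive) logons matter here
        q = recent_fail[ip]
        while q and ts - q[0] > WINDOW:
            q.popleft()                # drop failures that fell out of the window
        if eid == 4625:
            q.append(ts)
            if len(q) >= FAIL_THRESHOLD and ip not in flagged:
                flagged.add(ip)
                alerts.append(("rdp_bruteforce", ip, user))
        elif eid == 4624 and ip in flagged:
            # Success right after a burst: the password was likely guessed
            alerts.append(("rdp_success_after_bruteforce", ip, user))
    return alerts
```

The second source in the sample logs in after a single failure and raises nothing, which is the stolen-credential case the advisory describes: a valid logon through an approved access point looks like any other, so a failure-count rule must be paired with checks such as unfamiliar source addresses, off-hours logons, or multifactor authentication on RDP.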

The advisory comes a week after two Iranian nationals — Faramarz Shahi Savandi, 34, and Mohammad Mehdi Shah Mansouri, 27 — were indicted by the Department of Justice for their role in both the creation and distribution of SamSam.

In the indictment, the Justice Department claimed that there had been more than 200 SamSam victims, including hospitals, municipalities and public institutions. Along with an attack that crippled the City of Atlanta in March, high-profile SamSam victims include Laboratory Corp. of America Holdings, Hollywood Presbyterian Medical Center and the Port of San Diego.

Oussama El-Hilali, vice president of Arcserve LLC, told SiliconANGLE that the alert should not come as a surprise.

“Over the past year, SamSam has been a highly profitable form of ransomware, particularly in the healthcare sector, which is notorious for being vulnerable to these kinds of attacks,” El-Hilali explained.

“To prevent falling victim to SamSam – or any other form of ransomware, for that matter – organizations should seek out data protection solutions that allow them to fully access and restore data instantaneously,” El-Hilali added. “Having an effective backup and recovery strategy can completely neutralize the impact of a ransomware attack, sending cybercriminals packing once they’re unable to collect the ransom they’re seeking to cash in on.”

Photo: quinnanya/Flickr
