CDOT Virus – What to know about the SamSam virus & steps to take now

On February 21, 2018 the Colorado Department of Transportation back office operations were hit with the SamSam ramsomware virus. The virus encrypts files on a users system as well as any network data files the users has rights to access.  CDOT made the decision to shut down 2,000 employee computers while they investigate and remediate the attack.  After more than a week only 20% of the CDOT systems were brought back online and then it was discovered a new variant of the SamSam virus was present.  Two weeks into the infection all 2,000 systems are still offline.

Could your organization survive weeks without access to your computers or your data?

What is SamSam

It’s not a “stock” ransomware virus but instead is a customized strain used in targeted attacks. SamSam hackers scan your network for open RDP connections and break into networks with the goal of spreading the virus to other computers on the network.  To gain access the hackers find an open RDP connection and use a brute force tool to break passwords.  This is very effective when you use weak passwords, reuse passwords, fail to limit admin credentials and especially when you fail to limit the number of attempts to log into a system.

What should you do?

Once it gets in it spreads and then it’s over. This virus is very effective but not necessarily sophisticated.  Prevention is the key piece to protecting yourself.

  • Keep all workstations and servers patched and updated. If you have read anything I have ever posted I always harp on the importance of patching.
  • Make sure antivirus and antimalware tools are in place and up to date.
  • Have security policies in place clearly identifying who needs access to what data.
  • Implement password policies that require complex passwords.
  • Implement a policy that requires all passwords to be changed on a regular basis. This policy should apply to both workstations and servers.
  • Put a policy in place that limits the number of failed login attempts. Once the number of failed login attempts is reached the account should be locked out.
  • Monitor accounts with failed login attempts for malicious activity.
  • Provide your end users training on how to avoid, recognize and react to cybersecurity breaches.

The best way to protect yourself is to take cybersecurity serious.  Take the simple steps mentioned above to mitigate many of the threats that are out there.  There are obviously many other higher level security policies that should be created and implemented but these simple ones will provide you protection against the threats that target the unprepared.

As always, we are here to help you make the best decision for your organization.  Never hesitate to contact us!

Speak Your Mind