This month, a user on the community forums of Veeam, the Atlanta-based, 500-million-dollar backup company, reported that they were hit with Samas ransomware. I am giving you the short version here:
"On 2/7 we were hit with Samas (AKA SamSam) Ransomware. Of course I freaked but I felt confident driving into work that I was ok with backups. I used Veeam to backup all my servers to two CIFS folders on 2 different Drobos on campus. We are a Private School with a small Tech budget and we get by with what we can.
"The server itself got wiped with Samas, but I still felt confident. I looked in the Veeam_Backups folder a few times on both Drobos and both were empty, but I figured it was just a permission issue or something. I wasn't that worried.
"I called Veeam support and the tech said he had never seen Ransomware delete any backups, so again I felt ok as I reinstalled Veeam on a new server. Later that day we had a call with someone from the FBI (that we knew through an employee). He said he had never seen Ransomware delete backups, they usually encrypted them.
"Fast forward a day when I'm on the phone with Veeam engineers getting my backup repositories reconnected.
"As they reattached, I saw where they scanned and said 0 backups found. I knew at that point they were gone. The tech didn't believe me, which is fair. I was able to find config logs from my dead server; they verified in fact that Veeam had written over 200GB just 2 days before we were hit to both repositories.
"So, yes, let me be the first to tell you, Ransomware can delete your Veeam backups; it can wipe out entire backup repositories.
"As an IT Director for over 14 years with 2 different companies, I always thought about backups as a means of protecting data from fires, or environmental disasters. I just never thought of it strongly from the Malware standpoint, thinking that onsite backups would be enough. Change your thinking, these are tough times for IT folks."
Samas Infection Vector is brute force attacks via Remote Desktop Protocol (RDP)
This ransomware family is Samas, also known as SamSam, Kazi, or RDN/Ransom. It is installed manually by hackers on the endpoints of networks compromised via unsecured RDP connections. These criminal hackers look for unsecured RDP servers, launch brute-force attacks against them, compromise the server, and then use other tools to escalate access inside the organization's network. Once they have gained access to as many endpoints as possible, the group installs the ransomware and starts the extortion process, hoping victims don't have offline backups.
What To Do About It
If Samas goes after Veeam backups, you can count on them going after other market leaders as well, possibly your own backup vendor. Here are a few best practices to prevent disasters like this.
Make sure you always have very recent offline backups of your files. You could also write a script to change the extension of your important backup databases to .bak1 or .zip1 or whatever. Ransomware selects files by extension, so a simple script that masks the extensions of your backup databases can keep them out of its target list.
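The extension-masking script described above, as an added example that is not Veeam's or KnowBe4's code. It renames every file with one of an assumed set of backup extensions (`.bak`, `.vbk`, `.vib`, `.zip`) by appending `1`, refuses to overwrite anything, and writes a manifest so the renames can be reversed when you need to restore. The `demo()` function runs the round trip on a scratch folder with constructed files. Keep in mind that this only hides files from ransomware that picks targets by extension; it is not a substitute for the offline copy.

```python
"""Mask backup-file extensions and keep a manifest so the renames can be undone.

Added example for this post (not Veeam's or KnowBe4's code). Assumed: the backup
folder holds files with one of EXTENSIONS, and the manifest can live beside them.
This only hides files from ransomware that picks targets by extension; it is no
substitute for a recent offline copy.
"""
import json
import tempfile
from pathlib import Path

EXTENSIONS = {".bak", ".vbk", ".vib", ".zip"}  # assumed extensions worth masking
SUFFIX = "1"                                     # .bak -> .bak1, as the post suggests
MANIFEST = "rename-manifest.json"                # assumed manifest file name


def mask_backups(folder, dry_run=False):
    """Rename matching files under folder; return {masked_name: original_name}."""
    folder = Path(folder)
    # Collect first so renaming does not disturb the directory walk.
    candidates = [p for p in folder.rglob("*")
                  if p.is_file() and p.suffix.lower() in EXTENSIONS]
    renamed = {}
    for path in candidates:
        target = path.with_suffix(path.suffix + SUFFIX)
        if target.exists():
            continue  # never overwrite; leave the conflict for a human to resolve
        renamed[str(target.relative_to(folder))] = str(path.relative_to(folder))
        if not dry_run:
            path.rename(target)
    if not dry_run:
        (folder / MANIFEST).write_text(json.dumps(renamed, indent=2))
    return renamed


def unmask_backups(folder):
    """Reverse the renames recorded in the manifest; return how many were restored."""
    folder = Path(folder)
    renamed = json.loads((folder / MANIFEST).read_text())
    restored = 0
    for masked, original in renamed.items():
        src = folder / masked
        if src.exists():
            src.rename(folder / original)
            restored += 1
    return restored


def demo():
    """Round-trip on a constructed scratch folder; returns what each step saw."""
    with tempfile.TemporaryDirectory() as scratch:
        for name in ("db.bak", "vm1.vbk", "readme.txt"):
            Path(scratch, name).write_bytes(b"constructed sample content")
        masked = mask_backups(scratch)
        after_mask = sorted(p.name for p in Path(scratch).iterdir())
        restored = unmask_backups(scratch)
        after_unmask = sorted(p.name for p in Path(scratch).iterdir())
    return masked, after_mask, restored, after_unmask


if __name__ == "__main__":
    for step in demo():
        print(step)
```

Run `mask_backups(folder, dry_run=True)` first to see what would be renamed; the manifest is the only record of the original names, so keep a copy of it with your offline backups as well.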
The best practice for protecting a network from a brute-force RDP attack is to apply strong RDP security settings, including limiting or disabling access to shared folders and clipboards from remote locations.
An RDP brute-force attack leaves the attacker's traces in the target's own logs, so parse the Windows Security event log in Event Viewer, find the compromised user account and the IP address the attempts came from, and block them.
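One way to do that log review, as an added example that is not KnowBe4's or Veeam's code. It reads failed-logon events (Security event ID 4625) in the XML layout that Event Viewer's "Save All Events As..." writes, groups the failures by source IP address, flags any address with at least five failures inside a five-minute window (both thresholds are assumptions to tune), lists the accounts it was guessing at, and produces a Windows Firewall `netsh` rule per flagged address for you to review before running. The sample events are constructed and carry only the fields the script reads.

```python
"""Find brute-force RDP sources in Windows Security events (ID 4625, failed logon).

Added example for this post, not KnowBe4's or Veeam's code. Input is the XML that
Event Viewer's "Save All Events As..." (XML) writes; the sample below is constructed
in that layout with only the fields this script reads. Threshold and window are
assumed values; tune them to your environment.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

EVENT_TMPL = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>{eid}</EventID><TimeCreated SystemTime="{time}"/></System>
  <EventData>
    <Data Name="TargetUserName">{user}</Data>
    <Data Name="LogonType">{ltype}</Data>
    <Data Name="IpAddress">{ip}</Data>
  </EventData>
</Event>"""

# Constructed sample: a password-guessing run from one address against three
# accounts, one mistyped password from a staff workstation, then that user's success.
# RDP failures carry LogonType 10 (RemoteInteractive), or 3 when NLA is in use.
SAMPLE_ROWS = [  # (event id, time, account, logon type, source IP)
    ("4625", "2017-02-07T01:00:00.0000000Z", "administrator", "10", "203.0.113.5"),
    ("4625", "2017-02-07T01:00:12.0000000Z", "administrator", "10", "203.0.113.5"),
    ("4625", "2017-02-07T01:00:25.0000000Z", "admin", "10", "203.0.113.5"),
    ("4625", "2017-02-07T01:00:40.0000000Z", "admin", "10", "203.0.113.5"),
    ("4625", "2017-02-07T01:01:01.0000000Z", "backup", "10", "203.0.113.5"),
    ("4625", "2017-02-07T01:01:20.0000000Z", "backup", "10", "203.0.113.5"),
    ("4625", "2017-02-07T08:15:03.0000000Z", "jsmith", "10", "192.0.2.10"),
    ("4624", "2017-02-07T08:15:30.0000000Z", "jsmith", "10", "192.0.2.10"),
]
SAMPLE_XML = "<Events>" + "".join(
    EVENT_TMPL.format(eid=r[0], time=r[1], user=r[2], ltype=r[3], ip=r[4])
    for r in SAMPLE_ROWS) + "</Events>"


def parse_time(stamp):
    """Event Viewer writes 7 fractional digits; datetime accepts at most 6."""
    base, _, frac = stamp.rstrip("Z").partition(".")
    micros = int((frac or "0")[:6].ljust(6, "0"))
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S") + timedelta(microseconds=micros)


def parse_events(xml_text):
    """Return the 4625 events as dicts with time, user, ip and logon_type."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4625":
            continue
        stamp = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        events.append({
            "time": parse_time(stamp),
            "user": data.get("TargetUserName", ""),
            "ip": data.get("IpAddress", ""),
            "logon_type": data.get("LogonType", ""),
        })
    return events


def brute_force_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: sorted accounts tried} for IPs with >= threshold failures in any window."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["ip"] and ev["ip"] != "-":  # local/console failures log "-" as the address
            by_ip[ev["ip"]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        for i in range(len(evs) - threshold + 1):
            if evs[i + threshold - 1]["time"] - evs[i]["time"] <= window:
                flagged[ip] = sorted({e["user"] for e in evs})
                break
    return flagged


def block_commands(flagged):
    """One inbound Windows Firewall block rule per flagged address (review before running)."""
    return [f'netsh advfirewall firewall add rule name="Block RDP brute force {ip}" '
            f'dir=in action=block remoteip={ip}' for ip in sorted(flagged)]


if __name__ == "__main__":
    hits = brute_force_sources(parse_events(SAMPLE_XML))
    for ip, accounts in hits.items():
        print(f"{ip}: guessed accounts {', '.join(accounts)}")
    print("\n".join(block_commands(hits)))
```

Any account that appears in the flagged list should have its password reset and its recent successful logons (event ID 4624) from the same address reviewed, since a guessed password that eventually worked will not show up among the failures.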
Ransomware Hostage Rescue Manual
Get the most informative and complete hostage rescue manual on Ransomware. This 20-page manual is packed with actionable info that you need to prevent infections, and what to do when you are hit with malware like this. You also get a Ransomware Attack Response Checklist and Prevention Checklist. You will learn more about:
- What is Ransomware?
- Am I Infected?
- I’m Infected, Now What?
- Protecting Yourself in the Future
Don’t be taken hostage by ransomware. Download your rescue manual now!
Or cut and paste this link into your browser: http://info.knowbe4.com/ransomware-hostage-rescue-manual-0