SafeBreach Labs has updated the Hacker's Playbook™ with new simulations for the attacks described in US-CERT Alert AA18-337A (SamSam ransomware). These are an addition to the existing SamSam ransomware simulations.

According to the alert, the SamSam actors gain access through Remote Desktop Protocol (RDP), using either brute-force attacks or stolen login credentials. After gaining access to a network, they escalate privileges to obtain administrator rights, drop malware onto the server, and run an executable file, all without any action or authorization by the victim. While many ransomware campaigns rely on a victim completing an action, such as opening an email attachment or visiting a compromised website, RDP lets the actors infect victims with minimal detection.
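The RDP entry point described above (password guessing, or a stolen credential that finally works) leaves a recognizable trace in the Windows Security log: a burst of failed logons (event 4625) with logon type 10 (RemoteInteractive) from one source, often followed by a successful logon (event 4624) of the same type from that source. The following is an added example of that detection logic; it is not SafeBreach's or the Hacker's Playbook's code. The event records, IP addresses and account names are constructed for illustration, and the field names are assumed to have been flattened out of the Security log during export.

```python
"""Detect RDP password guessing from Windows Security event records.

Added example, not SafeBreach code. Assumes Security log events have been
exported with the flattened fields used below; the sample data is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. EventID 4625 = failed logon, 4624 = successful
# logon; LogonType 10 = RemoteInteractive (RDP), 3 = Network (SMB etc.).
SAMPLE_EVENTS = [
    {"time": "2018-11-20T03:10:00", "event_id": 4625, "logon_type": 3,  "user": "administrator", "src_ip": "203.0.113.7"},
    {"time": "2018-11-20T03:14:01", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.7"},
    {"time": "2018-11-20T03:14:09", "event_id": 4625, "logon_type": 10, "user": "admin",         "src_ip": "203.0.113.7"},
    {"time": "2018-11-20T03:14:20", "event_id": 4625, "logon_type": 10, "user": "backup",        "src_ip": "203.0.113.7"},
    {"time": "2018-11-20T03:14:31", "event_id": 4625, "logon_type": 10, "user": "svc_backup",    "src_ip": "203.0.113.7"},
    {"time": "2018-11-20T03:15:02", "event_id": 4625, "logon_type": 10, "user": "rdpuser",       "src_ip": "203.0.113.7"},
    {"time": "2018-11-20T03:15:44", "event_id": 4625, "logon_type": 10, "user": "svc_backup",    "src_ip": "203.0.113.7"},
    {"time": "2018-11-20T03:16:10", "event_id": 4624, "logon_type": 10, "user": "svc_backup",    "src_ip": "203.0.113.7"},
    # A user mistyping a password twice should not trip the detector.
    {"time": "2018-11-20T09:01:12", "event_id": 4625, "logon_type": 10, "user": "jsmith",        "src_ip": "198.51.100.9"},
    {"time": "2018-11-20T09:01:40", "event_id": 4625, "logon_type": 10, "user": "jsmith",        "src_ip": "198.51.100.9"},
    {"time": "2018-11-20T09:02:05", "event_id": 4624, "logon_type": 10, "user": "jsmith",        "src_ip": "198.51.100.9"},
]

RDP_LOGON_TYPE = 10


def parse_time(value):
    """Timestamps in the export are ISO 8601 strings."""
    return datetime.fromisoformat(value)


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: finding} for sources with >= threshold RDP logon
    failures inside any `window`-long interval. A finding records the
    failure count, the distinct account names tried, and the account of
    the first successful RDP logon after the burst began (if any)."""
    by_ip = defaultdict(list)
    for event in events:
        if event["logon_type"] != RDP_LOGON_TYPE:
            continue  # only RemoteInteractive logons are RDP
        by_ip[event["src_ip"]].append(event)

    findings = {}
    for src_ip, evs in by_ip.items():
        evs.sort(key=lambda e: parse_time(e["time"]))
        fails = [e for e in evs if e["event_id"] == 4625]
        if not fails:
            continue
        # Sliding window: largest number of failures within `window`.
        best, start = 0, 0
        for end in range(len(fails)):
            while parse_time(fails[end]["time"]) - parse_time(fails[start]["time"]) > window:
                start += 1
            best = max(best, end - start + 1)
        if best < threshold:
            continue
        first_fail = parse_time(fails[0]["time"])
        success = next(
            (e for e in evs
             if e["event_id"] == 4624 and parse_time(e["time"]) >= first_fail),
            None,
        )
        findings[src_ip] = {
            "failures": len(fails),
            "max_in_window": best,
            "users": sorted({e["user"] for e in fails}),
            "success_user": success["user"] if success else None,
        }
    return findings


if __name__ == "__main__":
    for ip, finding in find_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, finding)
```

A success from the same source after the burst is the case worth escalating first: it is the difference between a blocked guessing attempt and the foothold the alert describes. The threshold and window are tunable; five failures in five minutes is a starting point, not a recommendation from the alert.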

These attack techniques are commonplace and have been used successfully against healthcare, finance, government, and defense organizations. Their wide availability presents a challenge for both network defense and threat-actor attribution. SafeBreach recommends that all industries and businesses simulate the techniques described in this alert to identify whether or not they are protected against them.

SafeBreach customers can already leverage a new “Known Attack Series” report showing where they are susceptible to the latest breach methods released by SafeBreach labs.

To assess security control effectiveness against these techniques, the SafeBreach Breach and Attack Simulation Platform specifically tests the following network, email, and endpoint security controls:

Newly developed playbook methods related to AA18-337A

Playbook #2118 - Transfer of SamSam malware (AA18-337A) over HTTP/S (Infiltration)

  • Network Controls - Are security controls in place to prevent the download and transfer of the targeted malware used in this attack?

Playbook #2119 - Transfer of SamSam malware (AA18-337A) over HTTP/S (Lateral Movement)

  • Network Controls - Are security controls in place to prevent the download and transfer of the targeted malware used in this attack?

Playbook #2120 - Email the SamSam (AA18-337A) malware as part of a ZIP attachment (Infiltration)

  • Email Controls - Are security controls in place to scan and identify email for the malicious payloads used in this attack?

Playbook #2121 - Email the SamSam (AA18-337A) malware as part of a ZIP attachment (Lateral Movement)

  • Email Controls - Are security controls in place to scan and identify email for the malicious payloads used in this attack?

Playbook #2122 - Write SamSam (AA18-337A) malware to disk (Host-Level)

  • Endpoint Controls - Are security controls or hardening in place to prevent saving the malicious files to local disk?

Existing playbook methods related to AA18-337A

Playbook #1470 - Transfer of SamSam malware (Infiltration)

  • Network Controls - Are security controls in place to prevent the download and transfer of the targeted malware used in this attack?

Playbook #1471 - Transfer of SamSam malware (Lateral Movement)

  • Network Controls - Are security controls in place to prevent the download and transfer of the targeted malware used in this attack?

Playbook #1880 - Email a zip archive which contains the sample of SamSam (Infiltration)

  • Email Controls - Are security controls in place to scan and identify email for the malicious payloads used in this attack?

Playbook #2082 - Email a zip archive which contains the sample of SamSam (Lateral Movement)

  • Email Controls - Are security controls in place to scan and identify email for the malicious payloads used in this attack?

Playbook #192 - Brute force attack over RDP protocol (Lateral Movement)

  • Network Controls - Are security controls in place to prevent the brute force attack over RDP?

Additional breach methods added recently include:

