Pierluigi Paganini April 04, 2016

The FBI issued a confidential urgent “Flash” message to the businesses and organizations about the Samsam Ransomware, why it is so dangerous?

It is emergency, every week security experts launch an alert on a new ransomware, the extortion practice is becoming a profitable business for criminal gangs worldwide. Recently the US and Canada issued a joint warning about the recent surge in ransomware infections. According to the Reuters, the FBI issued a confidential urgent “Flash” message to the businesses and organizations about the Samsam Ransomware, that targeted several hospitals. The law enforcement Agency also shared IoC for the Samsam threat to help organizations monitoring for infections.

The law enforcement Agency also shared IoC for the Samsam threat to help organizations monitoring for infections.

“The FBI is distributing these indicators to enable network defense activities and reduce the risk of similar attacks in the future,” the advisory said.” states the advisory.Among the victims of the Samsam Ransomware there is the MedStar non-profit group that manages 10 hospitals in the Baltimore and Washington area.The bad actors behind the attack on MedStar requested 45 Bitcoins (about US$18,500) for restoring the encrypted files.

MedStar did not pay the Ransom because it has a backup of the encrypted information, a situation rare that advantage the attackers behind ransomware-based campaigns.

The IT department of the MedStar Hospital detected the infection at an early stage and was able to stop the Samsam Ransomware from infecting internal systems.

The MedStar incident demonstrates that a proper security posture, an early response and the implementation of effective best practices like data backup are necessary steps for a right approach to prevent damage from ransomware-based attacks.

In the specific case, the Samsam ransomware is not a new threat, it has been around since last few years targeting businesses and organizations worldwide.

Samsam is considered a very interesting threat by experts because it doesn’t require the victim’s interaction.

Typical victims get a ransomware infection by clicking on a malicious link, by opening an attachment or through a malvertising, but the Samsam ransomware targets servers instead end-users.

The threat first exploits unpatched vulnerabilities in JBoss application servers by using JexBoss, an open-source penetration testing tool. Once exploited the flaws, the attackers get remote shell access to the infected servers and install the Samsam ransomware onto the targeted Web application server.

Once the server has been compromised, attackers use it to spread the ransomware client to Windows machines and encrypt their files.

“The Samas infection chain diagram illustrates how Ransom:MSIL/Samas gets into the system.   It starts with a pen-testing/attack server searching for potential vulnerable networks to exploit with the help of a publicly-available tool named reGeorg, which is used for tunnelling. Java-based vulnerabilities were also observed to have been utilized, such as Java-based vulnerabilities were also observed to have been utilized, such as CVE-2010-0738 related to outdated JBOSS server applications.

It can use other information-stealing malware (Derusbi/Bladabindi) to gather login credentials as well.  When it has done so, it will list the stolen credentials into a text file, for example, list.txt, and use this to deploy the malware and its components through a third party tool named psexec.exe through batch files that we detect as Trojan:BAT/Samas.B and Trojan:BAT/Samas.C.” states a blog post published by Microsoft on the threat.”

Pierluigi Paganini

(SecurityAffairs – ransomware, cybercrime)

[adrotate banner=”5″]

[adrotate banner=”13″]