Pierluigi Paganini June 25, 2017

Researchers at AlienVault observed a significant increase in the number of SamSam ransomware attacks, crooks are demanding $33,000 to the victims.

Security experts at AlienVault have observed a new string of attacks leveraging the SamSam ransomware, and this time crooks are demanding a $33,000 ransom to decrypt the files.

According to the researchers, crooks demand:

• 1.7 Bitcoin ($4,600) for a single machine
• 6 Bitcoins ($16,400) for half the machines (allowing the victim to confirm they can recover their files)
• 12 Bitcoins ($32,800) for all of the machines

The malware is installed on vulnerable systems through manual compromise, when the malware infects a machine it is able to spread to other computers on the network.

Experts believe the SamSam charges very high ransoms because of the effort of its operators in the operations. The FBI issued two alerts on the SamSam threat last year.

“MSIL or Samas (SAMSAM) was used to compromise the networks of multiple U.S. victims, including 2016 attacks on healthcare facilities that were running outdated versions of the JBoss content management application.” states the report published by the FBI. “SAMSAM exploits vulnerable Java-based Web servers. SAMSAM uses open-source tools to identify and compile a list of hosts reporting to the victim’s active directory. The actors then use psexec.exe to distribute the malware to each host on the network and encrypt most of the files on the system. The actors charge varying amounts in Bitcoin to provide the decryption keys to the victim.”

According to the researchers at AlienVault, SamSam attackers are using the following techniques to infect the machines:

• Gain remote access through traditional attacks, such as JBoss exploits
• Deploy web-shells
• Connect to RDP over HTTP tunnels such as ReGeorg
• Run batch scripts to deploy the ransomware over machines

SamSam was first spotted more than a year ago, it is written in C# language and once infected a machine the threat targets over 300 File types to encrypt.

Most recent variants show no changes compared to previous ones, it leverages the functions encc.myff1 and encc.EncryptFile for encryption.

Once encrypted the files. the SamSam ransomware will delete the original ones. Experts noticed the threat doesn’t clean the removed file sectors allowing users to recover their files or parts of them.

Researchers noticed a peak in the number of SamSam attack, its operators appear very active in this period. In April, systems at a New York hospital were infected with the ransomware, but the administration refused to pay the $44,000 ransom demanded by crooks.

“SamSam, which targets vulnerabilities in servers to infiltrate computer networks, is responsible for other attacks, including a major ransomware incident last year at 10-hospital Medstar Health in Maryland.” states buffalonews.com.

Experts who analyzed the transaction on the Bitcoin associated with SamSam operators noticed the attackers received $33,000 from its victims.

“The most recent attacks appear to have been successful, at least from the attacker’s point of view. The Bitcoin address associated with this week’s attacks has received $33,000,” states AlienVault.

Pierluigi Paganini

(Security Affairs – SamSam ransomware, cybercrime)

[adrotate banner=”5″]

[adrotate banner=”13″]