2015 may have been the year of the healthcare data breach, but 2016 is fast becoming the year of ransomware with new strains such as Samas ransomware appearing at an alarming rate. Recently the Federal Bureau of Investigation reached out to U.S. businesses, seeking help to deal with the latest Samas ransomware threat.

Samas Ransomware Being Used to Encrypt Networks

Samas ransomware – also known as Samsa, Samsam, and MSIL – is different from many strains of ransomware that were used by cybercriminals last year. The new ransomware strain is being used to attack businesses rather than consumers. Last year, criminals were sending out ransomware randomly via spam email.

Ransom demands of 0.5-1 Bitcoin were the norm, with consumers often willing to pay to recover their files, accounts, photographs, and other important data. However, businesses hold far more valuable data. If criminals are able to infect enterprise computers and encrypt important business files, higher ransom demands can be sent. In many cases those demands have been paid.

In order to obtain large ransoms, cybercriminals need to infect networks rather than single computers. If an end user downloads ransomware onto their computer, and that ransomware has the capability to spread laterally and infect other systems, enterprises are more likely to pay to unlock the encryption. Even when viable backups exist, the complexity of some of the ransomware now being used makes paying the ransom an easier and lower-cost option. Since some ransomware is capable of deleting backup files, the restoration of data may simply not be an option. Samas ransomware has been reported to delete Volume Shadow Copy Service (VSS) data.
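Because shadow copy deletion is one of the few steps in this chain that shows up as an ordinary process command line, it is worth alerting on. The following is an added example, not code from the article or from any vendor it cites: the log line format, the rule set (commonly documented ways of deleting or shrinking shadow copies, not necessarily what Samas runs), and the host and account names are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumed rule set: widely documented ways to delete or shrink shadow copies.
# The article does not say which command Samas runs.
RULES = {name: re.compile(rx) for name, rx in {
    "vssadmin-delete": r"\bvssadmin(\.exe)?\s+delete\s+shadows\b",
    "vssadmin-resize": r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b",
    "wmic-delete": r"\bwmic(\.exe)?\s.*\bshadowcopy\b.*\bdelete\b",
    "wbadmin-delete": r"\bwbadmin(\.exe)?\s+delete\s+(catalog|backup|systemstatebackup)\b",
    "wmi-script-delete": r"win32_shadowcopy.*(\.delete\(|remove-wmiobject|remove-ciminstance)",
}.items()}
LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmdline=(?P<cmd>.*)$")

def normalize(cmdline):
    """Lower-case, drop cmd.exe carets and quotes, collapse whitespace."""
    return " ".join(cmdline.lower().replace("^", "").replace('"', "").split())

def find_tampering(lines):
    """Return (timestamp, host, user, rule) for each matching process event."""
    hits = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not a process-creation record in the assumed format
        cmd = normalize(m["cmd"])
        rule = next((n for n, rx in RULES.items() if rx.search(cmd)), None)
        if rule:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            hits.append((ts, m["host"], m["user"], rule))
    return hits

def multi_host_burst(hits, window=timedelta(minutes=10), min_hosts=2):
    """True when at least min_hosts distinct hosts match inside one window."""
    hits = sorted(hits)
    for i, hit in enumerate(hits):
        hosts = {h for ts, h, _, _ in hits[i:] if ts - hit[0] <= window}
        if len(hosts) >= min_hosts:
            return True
    return False

# Constructed sample events (hypothetical hosts and accounts).
SAMPLE = [
    r'2016-04-02T01:12:03Z host=FS01 user=CORP\adm1 cmdline="C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet',
    r'2016-04-02T01:13:40Z host=FS02 user=CORP\adm1 cmdline=cmd /c v^ssadmin del^ete shadows /all',
    r'2016-04-02T01:15:10Z host=WS17 user=CORP\jdoe cmdline=vssadmin list shadows',
    r'2016-04-02T01:16:55Z host=DB01 user=CORP\adm1 cmdline=wmic shadowcopy delete /nointeractive',
]
```

A single match on a backup server may be routine maintenance; the same account matching on several hosts within minutes is the pattern to escalate.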

Access to Systems is Gained by Cybercriminals Weeks Before Samas Ransomware is Deployed

The mode of action of Samas ransomware is different from other families of malicious file-encrypting software such as Locky, CryptoWall, and CryptoLocker.

Attackers are exploiting a vulnerability in the JBoss enterprise application platform to compromise an external web server. This is achieved by using a security program called JexBoss. Once access to a server has been gained, attackers mask communications using a Python-based SOCKS proxy. A variety of software tools are then used to obtain login credentials, which in turn are used to compromise other systems and devices within an organization’s infrastructure. Several different tactics are then used to deploy Samas ransomware on numerous machines.

Several analyses of infected systems were conducted by Dell SecureWorks, which revealed attackers had compromised systems several weeks or months before the ransomware was actually deployed. Had the system compromise been detected earlier, the ransomware infections could have been avoided. Unfortunately, the initial compromise is difficult to detect, and anti-virus products are slow to detect new threats such as Samas ransomware.