Security researchers report that a new ransomware family is using penetration-testing and attack tools to gain a more targeted foothold on compromised systems.
Samas ransomware (MSIL/Samas) appeared during the last quarter, when researchers noticed that it requires additional tools and components during deployment. The process starts with a pen-testing/attack server that scans for potentially vulnerable networks to exploit; the end result, however, is the encryption of users' files.
According to researcher Marianne Mallen, a publicly available tunneling tool called "reGeorg" is used, and the actors behind this ransomware exploit Java-based vulnerabilities, such as direct use of unsafe Java Native Interface (JNI) calls in outdated JBoss server applications.
The criminals were also observed using information-stealing malware such as Derusbi/Bladabindi to gather login credentials. The stolen credentials are listed in a text file and used to deploy the malware and its components through the so-called "PsExec" (psexec.exe) tool, which lets users execute programs on remote systems.
Deployment is performed through batch files detected as Trojan:BAT/Samas.B and Trojan:BAT/Samas.C, the former of which is also used to delete Volume Shadow Copies through the vssadmin.exe tool, removing the local restore points a victim might otherwise recover from. A malicious application detected as Trojan:MSIL/Samas.A is also involved.
The Samas ransomware itself searches the system for files with specific extensions associated with backups and deletes them. To make sure these files are not locked by other processes, the Trojan simply terminates those processes, so that its operation proceeds unhindered.
Once these preparatory steps are complete, Samas encrypts files on the system with the AES algorithm, renames the encrypted files with the extension encrypted.RSA, and displays a ransom note informing victims what has happened to their files. It then deletes itself from the system.
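The chain described above (PsExec pushing batch files with stolen credentials, vssadmin.exe deleting shadow copies, then files reappearing with the encrypted.RSA extension) leaves distinct traces in process-creation and file-creation telemetry, and each stage can be matched independently so that a host showing several of them stands out. The following Python is an added example written for this page, not Microsoft's or the author's code. The pipe-separated log format, host names, user names, paths, timestamps and the threshold of five renames are all constructed for illustration; the PSEXESVC.exe parent used in one rule is the service PsExec installs on the remote machine, which is general PsExec behaviour rather than something the article states.

```python
"""Flag the Samas deployment chain in constructed, Sysmon-style event lines.

Each line has seven pipe-separated fields:
  timestamp|host|event|user|image|parent_image|details
where details is the command line for ProcessCreate events and the target
path for FileCreate events.  All hosts, users, paths and timestamps below are
invented for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_LOG = r"""
2016-03-18T10:01:02Z|JUMP01|ProcessCreate|CORP\adm_svc|C:\Tools\psexec.exe|C:\Windows\System32\cmd.exe|psexec.exe \\FS01 -u CORP\adm_svc -p ******** -c C:\Tools\deploy.bat
2016-03-18T10:01:05Z|FS01|ProcessCreate|CORP\adm_svc|C:\Windows\System32\cmd.exe|C:\Windows\PSEXESVC.exe|cmd.exe /c C:\Windows\deploy.bat
2016-03-18T10:01:06Z|FS01|ProcessCreate|CORP\adm_svc|C:\Windows\System32\vssadmin.exe|C:\Windows\System32\cmd.exe|vssadmin.exe delete shadows /all /quiet
2016-03-18T10:01:09Z|FS01|FileCreate|CORP\adm_svc|C:\Windows\Temp\enc.exe|-|D:\Shares\finance\q4.xlsx.encrypted.RSA
2016-03-18T10:01:09Z|FS01|FileCreate|CORP\adm_svc|C:\Windows\Temp\enc.exe|-|D:\Shares\finance\ledger.accdb.encrypted.RSA
2016-03-18T10:01:10Z|FS01|FileCreate|CORP\adm_svc|C:\Windows\Temp\enc.exe|-|D:\Shares\hr\payroll.docx.encrypted.RSA
2016-03-18T10:01:10Z|FS01|FileCreate|CORP\adm_svc|C:\Windows\Temp\enc.exe|-|D:\Shares\hr\contracts.pdf.encrypted.RSA
2016-03-18T10:01:11Z|FS01|FileCreate|CORP\adm_svc|C:\Windows\Temp\enc.exe|-|D:\Shares\legal\nda.docx.encrypted.RSA
2016-03-18T10:30:00Z|WS22|ProcessCreate|CORP\alice|C:\Windows\System32\vssadmin.exe|C:\Windows\System32\cmd.exe|vssadmin.exe list shadows
2016-03-18T10:31:00Z|WS22|FileCreate|CORP\alice|C:\Program Files\Backup\agent.exe|-|E:\Backups\alice.vhd
"""


@dataclass
class Event:
    ts: str
    host: str
    kind: str
    user: str
    image: str
    parent: str
    details: str


@dataclass
class Finding:
    rule: str
    host: str
    ts: str
    evidence: str


def parse_log(text: str) -> list:
    """Parse pipe-separated lines into Events, skipping malformed ones."""
    events = []
    for line in text.strip().splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 7:
            continue  # malformed line: skip it rather than abort the whole scan
        events.append(Event(*parts))
    return events


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


# A UNC-style remote target (\\HOST) on the psexec command line.
_REMOTE_TARGET = re.compile(r"\\\\[\w.-]+")


def detect_samas_chain(events, rename_threshold: int = 5) -> list:
    """Return one Finding per matched stage of the deployment/encryption chain."""
    findings = []
    renamed = defaultdict(list)  # host -> FileCreate events for *.encrypted.RSA
    for e in events:
        img, par, cmd = _basename(e.image), _basename(e.parent), e.details.lower()
        if e.kind == "ProcessCreate":
            # Operator side: PsExec pushing a payload at a remote host.
            if img == "psexec.exe" and _REMOTE_TARGET.search(e.details):
                findings.append(Finding("psexec_lateral_exec", e.host, e.ts, e.details))
            # Target side: a batch file run under PSEXESVC.exe, the service PsExec
            # installs on the remote machine (general PsExec behaviour, assumed here).
            if par == "psexesvc.exe" and ".bat" in cmd:
                findings.append(Finding("psexec_batch_deploy", e.host, e.ts, e.details))
            # Shadow-copy deletion; a benign "vssadmin list shadows" must not match.
            if img == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd:
                findings.append(Finding("shadow_copy_deletion", e.host, e.ts, e.details))
        elif e.kind == "FileCreate" and cmd.endswith(".encrypted.rsa"):
            renamed[e.host].append(e)
    # Many new *.encrypted.RSA files on one host is the encryption phase itself.
    for host, evs in renamed.items():
        if len(evs) >= rename_threshold:
            findings.append(Finding("mass_encrypted_rsa_rename", host, evs[0].ts,
                                    f"{len(evs)} files, first: {evs[0].details}"))
    return findings


def hosts_with_chain(findings, min_rules: int = 2) -> list:
    """Hosts on which at least min_rules distinct stages of the chain fired."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f.host].add(f.rule)
    return sorted(h for h, rules in by_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = detect_samas_chain(parse_log(SAMPLE_LOG))
    for f in found:
        print(f"{f.ts} {f.host:<7} {f.rule:<26} {f.evidence}")
    print("hosts showing the chain:", hosts_with_chain(found))
```

Run against the constructed log, the operator host JUMP01 trips only the PsExec rule, while FS01 trips the batch deployment, the shadow-copy deletion and the mass-rename rule, so it is the only host reported by hosts_with_chain. The rename threshold is the one tunable worth thinking about: set it too high and the alert arrives after the share is already encrypted, too low and a single user saving one odd file name pages the on-call analyst.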
The researchers also noticed that, while the ransomware initially used a WordPress site as its decryption service, it later moved to a more obscure Tor site in an attempt to remain anonymous.
Beyond reputable anti-malware solutions that detect this ransomware, users and system administrators can take additional measures to prevent infection: strong password policies, disabled Office macros, and keeping software up to date so that malicious programs cannot exploit already patched vulnerabilities. Given the intrusion path described here, patching exposed JBoss servers and limiting which accounts can run PsExec across the network address the initial access and lateral movement most directly.