In recent days, the Federal Bureau of Investigation (FBI), together with US-CERT and the Canadian Cyber Incident Response Centre (CCIRC), has warned about an increase in incidents involving ransomware.
After the appearance of Locky ransomware in February, a new ransomware variant called Samsam (also known as Samas or Samsa) has been making significant headway with its targeted approach to infecting systems.
Usually, ransomware infects systems via malicious downloaders distributed through drive-by downloads and malicious spam emails. Once a system is infected with a malicious downloader, it fetches additional malware, which often includes crypto-ransomware.
The spam emails carry various file attachments which, if opened, download and run one of the many ransomware variants to start the encryption process. After the files have been encrypted, a ransom is demanded from the victim in exchange for decrypting them.
Unlike most conventional ransomware, Samsam is not delivered via drive-by downloads or emails. The criminals behind Samsam use tools like Jexboss to identify unpatched servers running Red Hat’s JBoss enterprise products.
Once the attackers have compromised one of these servers by exploiting vulnerabilities in JBoss, they use other freely available tools and scripts to collect credentials and gather information on networked computers. They then deploy their ransomware to encrypt files on these systems before demanding a ransom from the victim.
Samsam also differs from other ransomware in that the attackers generate the RSA key pair themselves. Other crypto-ransomware contacts a command and control server, which generates an RSA key pair and sends the public key back to encrypt files on the infected virtual machines. With Samsam, the attackers generate the key pair offline and upload the public key along with the ransomware to the targeted computers, so no key exchange with a command and control server is needed during the attack.
Samsam is one more entry in a growing number of ransomware variants; however, unlike other threats, it reaches its targets through unpatched server-side software. For that reason, it is used by attackers who directly target organizations in ransomware attacks, and keeping internet-facing server software such as JBoss patched removes the entry point this campaign relies on. At the same time, these successful attacks signal a shift for cybercriminals, who aim to maximize profits by setting their sights on vulnerable businesses.