Security experts at Talos have observed an unusual ransomware campaign that infects servers through unpatched vulnerabilities and then spreads across the local network. This mode of operation is still uncommon for ransomware, while the primary target is already known: the healthcare industry.
Unlike most ransomware, which is distributed through phishing campaigns, malvertising and exploit kits, this particular malware, dubbed Samas or SamSam, spreads through unpatched vulnerabilities in both JBoss application servers and REGeorg, an open-source framework that creates SOCKS proxies. This means users do not have to perform any action, such as clicking a malicious link, to download the ransomware, because the attackers can trigger SamSam remotely through the software flaws.
The cybercriminals behind this campaign are specifically scanning for and targeting machines that contain these vulnerabilities. Although SamSam campaigns are smaller in scope than the conventional CryptoLocker, Locky, or TeslaCrypt campaigns, they can achieve much higher rates of successful infection.
“I think this is really the next evolution of the ransomware game,” stated the senior technical leader and security outreach manager Craig Williams.
Hackers are exploiting JBoss using an open-source exploit tool called JexBoss. After compromising the virtual machine, they download SamSam, which locks up files with RSA-2048 encryption. The attackers can then quietly move around the local network and encrypt other connected systems.
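As an added defensive example (not code from the article or from Talos), the following Python snippet scans web-server access logs for requests to the JBoss console and invoker endpoints that JexBoss-style tooling probes, separating reconnaissance GETs from POSTs that would carry a payload. The endpoint list is a well-known set of JBoss management paths and the log lines are constructed for the example; both are assumptions, not values taken from the article.

```python
import re
from collections import defaultdict

# Well-known JBoss management/invoker entry points probed by JexBoss-style tools.
# Assumed list for this example; adjust to the paths your deployment actually exposes.
JBOSS_INVOKER_PATHS = (
    "/jmx-console/",
    "/web-console/Invoker",
    "/invoker/JMXInvokerServlet",
    "/invoker/EJBInvokerServlet",
)

# Apache/nginx "combined"-style line: client ip, timestamp, request line, status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def classify_request(method, path):
    """None for normal traffic; 'probe' for a GET of a management path,
    'payload' for a POST, which is how a serialized object would be delivered."""
    if not any(path.startswith(p) for p in JBOSS_INVOKER_PATHS):
        return None
    return "payload" if method == "POST" else "probe"

def scan_access_log(lines):
    """Return {client_ip: [(method, path, status, kind), ...]} for flagged requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting the scan
        kind = classify_request(m["method"], m["path"])
        if kind is not None:
            hits[m["ip"]].append((m["method"], m["path"], int(m["status"]), kind))
    return dict(hits)

# Constructed sample log (not real traffic): a benign request, a console probe,
# a POST to the invoker servlet that succeeded, and one unparseable line.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2016:08:12:01 +0000] "GET /app/index.jsp HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Mar/2016:08:13:44 +0000] "GET /jmx-console/HtmlAdaptor?action=inspectMBean HTTP/1.1" 200 8311',
    '198.51.100.7 - - [10/Mar/2016:08:13:45 +0000] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 1273',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for ip, reqs in scan_access_log(SAMPLE_LOG).items():
        print(ip)
        for method, path, status, kind in reqs:
            print(f"  {kind:7} {method} {path} -> {status}")
```

A successful (200) POST to an invoker servlet from an address that has no business reaching the management interface is the event worth alerting on; the probes preceding it are the early warning.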
“We’ve seen cases where one of the victims buys an encryption key for one machine and then actually has to go back and buy it again for all the other machines,” said Williams, after discovering additional infections.
During this campaign, the hackers have gradually upped the ante, increasing their ransom demand as they test the market, from one bitcoin to 1.7 bitcoins. Or, for a real “bargain,” victimized organizations can buy in bulk, decrypting all of their infected systems at once for 22 bitcoins (approximately $9,160). By analyzing the various bitcoin wallets presented to victims in each observed SamSam sample, the security specialists calculated that the cybercriminals made about $115,000 from just this limited sample set.
According to Williams, the vulnerabilities affecting JBoss and REGeorg can be remedied with security patches, but users must first download them. Unfortunately, healthcare institutions can be lax with their cybersecurity policies because many “don’t have full-time [network] administrators or IT security staff, so things fall through the cracks.”
The security researchers have noted a rash of ransomware attacks against hospitals lately, though Williams could not confirm whether any of them fell victim specifically to SamSam.
The experts also revealed that the hackers behind SamSam have not tried to cover up the ransomware activity on affected systems.
“That says two things,” said Williams. “One, they don’t fear law enforcement—they don’t think they’re going to be caught—and number two, they probably believe they have good crypto.”