In recent weeks, the Federal Bureau of Investigation (FBI) along with the US-CERT and Canadian Cyber Incident Response Centre (CCIRC) issued warnings about the increase in incidents involving ransomware. In February, we highlighted the rise of the Locky ransomware, one of the more prevalent ransomware variants in circulation. Over the last few months, Samsam (also known as Samas or Samsa), a new variant, has been making headlines with the targeted approach it uses to infect systems.
The targeted ransomware
The conventional way ransomware infects systems is through malicious downloaders distributed by drive-by downloads and malicious spam emails. Once a computer is infected with a malicious downloader, it downloads additional malware, which often includes crypto-ransomware. The malicious emails carry a variety of file attachments which, if opened, download and run one of the many ransomware variants and start the encryption process. Once the files have been encrypted, a ransom payment is demanded of the victim in exchange for decrypting the files.
Samsam, unlike more conventional ransomware, is not delivered through drive-by-downloads or emails. Instead, the attackers behind Samsam use tools such as Jexboss to identify unpatched servers running Red Hat’s JBoss enterprise products. Once the attackers have successfully gained entry into one of these servers by exploiting vulnerabilities in JBoss, they use other freely available tools and scripts to collect credentials and gather information on networked computers. Then they deploy their ransomware to encrypt files on these systems before demanding a ransom.
The Samsam ransomware also differs from other ransomware in that the attackers generate the RSA key pair themselves. Most crypto-ransomware contacts a command and control server, which generates an RSA key pair and sends the public key back so that files on the infected computer can be encrypted. With Samsam, the attackers generate the key pair offline and upload the public key along with the ransomware to the targeted computers.
Continued innovation in ransomware
Samsam is one of a growing number of ransomware variants, but what sets it apart is how it reaches its intended targets: by way of unpatched server-side software. The big takeaway here is the growing trend of criminals directly targeting organizations in ransomware attacks. The success of these recent attacks signals a shift for cybercriminals as they seek to maximize profits by setting their sights on vulnerable businesses.
Ransomware has proven to be a viable business model, so it should come as no surprise that the techniques used have shifted beyond malicious spam and drive-by downloads to those more closely resembling targeted attacks.
Organizations that deploy JBoss enterprise products in their environments should check whether they are running unpatched versions and, if so, patch immediately. According to Red Hat, the following versions of JBoss, and later versions, are not affected:
- Red Hat JBoss Enterprise Application Platform (EAP) 5.0.1
- Red Hat JBoss Enterprise Application Platform (EAP) 4.3 CP08
- Red Hat JBoss Enterprise Application Platform (EAP) 4.2 CP09
- Red Hat JBoss SOA-Platform (SOA-P) 5.0.1
- Red Hat JBoss SOA-Platform (SOA-P) 4.3 CP03
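An added example, not from the original article or from Red Hat, that turns the list above into an inventory check: it parses version strings in the "5.0.1" / "4.3 CP08" form, compares each against the first fixed release of its own branch, and reports branches the list does not name as unknown instead of guessing. The version-string format, the product labels and the sample inventory are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# First fixed releases named in Red Hat's list above, keyed by product and
# major.minor branch. A version is a (major, minor, micro, CP number) tuple.
FIXED_VERSIONS = {
    ("EAP", (5, 0)): (5, 0, 1, 0),
    ("EAP", (4, 3)): (4, 3, 0, 8),
    ("EAP", (4, 2)): (4, 2, 0, 9),
    ("SOA-P", (5, 0)): (5, 0, 1, 0),
    ("SOA-P", (4, 3)): (4, 3, 0, 3),
}

# Assumed format: "major.minor[.micro]" optionally followed by "CPnn".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:[^\d]*CP(\d+))?", re.I)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '4.3 CP08' or '5.0.1' into a comparable tuple; missing parts are 0."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, micro, cp = m.groups()
    return (int(major), int(minor), int(micro or 0), int(cp or 0))


def is_patched(product: str, version: str) -> Optional[bool]:
    """True if at/above the fixed release of its branch, False if older,
    None if the branch is not in the list and must be checked by hand."""
    v = parse_version(version)
    entries = {b: f for (p, b), f in FIXED_VERSIONS.items() if p == product}
    if not entries:
        raise ValueError(f"unknown product: {product!r}")
    fixed = entries.get((v[0], v[1]))
    if fixed is not None:
        return v >= fixed
    if v > max(entries.values()):
        return True  # newer than every fixed release listed ("later versions")
    return None  # older branch not named in the list: no verdict from this data


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Label each constructed (host, product, version) record."""
    labels = {True: "patched", False: "UNPATCHED", None: "unknown"}
    return {h: labels[is_patched(p, ver)] for h, p, ver in inventory}


if __name__ == "__main__":
    # Constructed sample inventory, not data from the article.
    sample = [("app-01", "EAP", "5.0.1"), ("app-02", "EAP", "4.3 CP07"),
              ("soa-01", "SOA-P", "4.3 CP03"), ("old-01", "EAP", "4.1 CP02")]
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```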
Symantec and Norton products protect against Samsam and its various tools with the following detections: