SamSam Ransomware

As one of the newer additions to an ever-proliferating list of ransomware variants, SamSam has been making headlines for repeatedly targeting the healthcare industry by attacking unpatched vulnerable JBoss web servers. SamSam differs fundamentally from conventional user-side ransomware variants, which are spread when victims to click on phishing email links or visit websites that have been comprised by exploit kits. As a server-side ransomware threat, SamSam takes a less opportunistic and more targeted approach.   

How the Malware Is Installed

To leverage SamSam in an attack, cybercriminals begin by using the open-source JexBoss Exploit Tool to identify and exploit vulnerabilities in application servers running on Red Hat JBoss Middleware. Once the server has been compromised, the attackers use information-stealing malware to gather credentials and other information about the host network, facilitating lateral expansion across the network. Next, the attackers generate an RSA key pair and upload the public the public key and the ransomware itself onto the compromised systems using batch scripts, deleting volume shadow copies in order to avoid detection. 

Once uploaded, the SamSam-packed Portable Executable (PE) files are deployed alongside other tools such as PsExec, a light-weight remote access tool that allows remote users to execute processes, to one or more remote systems. After deployment, the ransomware searches for and encrypts a near-exhaustive list of file types (see the entire list of file types below) while the sqlrvtmg1.exe is deployed via batch file to search for certain locked files. Once found, these locked files are mapped to the process they’re currently running under, and that process is killed so that none of these files remain locked during the encryption process. Any backups or backup directories related to the process are also deleted. Disabling System Restore, Regedit, error reporting, etc. are fairly common in modern ransomware/malware.

What is SamSam 

SamSam avoids detection by disabling built-in Windows protection mechanisms, such as System Restore, Safe Mode, System Recovery, and Windows Error Reporting, in addition to killing any attempts to run Task Manager and other tools such as the Microsoft Registry Editor. Once SamSam encryption is complete, the SamSam ransomware deletes itself, leaving behind a “help_decrypt_your_files.html” file, which provides the victim with instructions for restoring access to their files in exchange for a ransom.  

Malware Prevention

Though ransomware is on the rise, there is still some proactive steps one can take. From a security perspective there are many ways to keep your network secure and prevent yourself from becoming the victim of the latest ransomware threat. For perimeter security, Intrusion Detection and Intrusion Prevention Systems are a must. Intrusion Detection Systems and system logs should be actively monitored so that if an infection is detected, the box can be isolated and restored.

In addition, with cyber criminals expanding their scope of spreading SamSam, you will also want to stay up to date on security patches. This is important even if you are not running an out of date JBoss servers. The patches for the JBoss vulnerability that SamSam exploits were released years ago, which means that victims/organizations can prevent attacks if they keep their JBoss deployments up to date.

With the continued proliferation of ransomware variants, there’s no such thing as being too careful. Running regular vulnerability scanning of all servers is highly recommended. Then follow with the mitigation of server-side vulnerabilities, regardless of their obscurity.

Technical Details

SamSam encrypts files with the following extensions:

.3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .7z, .ab4, .accdb, .accde, .accdr, .accdt, .ach, .acr, .act, .adb, .ads, .agdl, .ai, .ait, .al, .apj, .arw, .asf, .asm, .asp, .aspx, .asx, .avi, .awg, .back, .backup, .backupdb, .bak, .bank, .bay, .bdb, .bgt, .bik, .bkf, .bkp, .blend, .bpw, .c, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfp, .cgm, .cib, .class, .cls, .cmt, .cpi, .cpp, .cr2, .craw, .crt, .crw, .cs, .csh, .csl, .csv, .dac, .db, .db-journal, .db3, .dbf, .dbx, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .der, .des, .design, .dgc, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .eml, .eps, .erbsql, .erf, .exf, .fdb, .ffd, .fff, .fh, .fhd, .fla, .flac, .flv, .fmb, .fpx, .fxg, .gray, .grey, .gry, .h, .hbk, .hpp, .htm, .html, .ibank, .ibd, .ibz, .idx, .iif, .iiq, .incpas, .indd, .jar, .java, .jin, .jpe, .jpeg, .jpg, .jsp, .kbx, .kc2, .kdbx, .kdc, .key, .kpdx, .lua, .m, .m4v, .max, .mdb, .mdc, .mdf, .mef, .mfw, .mmw, .moneywell, .mos, .mov, .mp3, .mp4, .mpg, .mrw, .msg, .myd, .nd, .ndd, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nwb, .nx2, .nxl, .nyf, .oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .oil, .orf, .ost, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pab, .pages, .pas, .pat, .pbl, .pcd, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .php, .php5, .phtml, .pl, .plc, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prf, .ps, .psafe3, .psd, .pspimage, .pst, .ptx, .py, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .r3d, .raf, .rar,, .rat, .raw, .rdb, .rm, .rtf, .rw2, .rwl, .rwz, .s3db, .sas7bdat, .say, .sd0, .sda, .sdf, .sldm, .sldx, .sql, .sqlite, .sqlite3, .sqlitedb, .sr2, .srf, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .std, .sti, .stw, .stx, .svg, .swf, .sxc, .sxd, .sxg, .sxi, .sxi, .sxm, .sxw, .tex, .tga, .thm, .tib, .tif, .tlg, .txt, .vob, .wallet, .war, .wav, .wb2, .wmv, .wpd, .wps, .x11, .x3f, .xis, .xla, .xlam, .xlk, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .ycbcra, .yuv, .zip

About the Author

Joseph Hitchcock - Technical Security Evangelist

Joseph Hitchcock

Joe Hitchcock is passionate when it comes to system and network security. Initially self-taught, he started working as an independent contractor for small businesses doing malware removal and perimeter security. He started at Alert Logic in 2011 as a Network Security Analyst analyzing threat traffic and other attacks. Afterwards, he worked in Security Research and eventually became one of the first Analysts to work on the Web Security team supporting Web Security Manager WAF. He was eventually promoted to a Senior Web Security Analyst where his job included building custom security policies, researching new web attacks and adding custom signatures to better WSM detection.

Email Me | More Posts by Joseph Hitchcock