[BreachExchange] FBI and Microsoft Warn of Samas Ransomware

Inga Goddijn inga at riskbasedsecurity.com
Mon Mar 21 11:13:46 EDT 2016


http://news.softpedia.com/news/fbi-and-microsoft-warn-of-samas-ransomware-501914.shtml
<http://news.softpedia.com/editors/browse/catalin-cimpanu>

*A new ransomware family has inflicted enough damage for both Microsoft and
the FBI to take notice, the latter issuing a public announcement
<http://eweb.cabq.gov/CyberSecurity/Security%20Related%20Documents/FLASH%20MC-000068-MW.pdf>
on its site to warn US companies of the dangers surrounding this new
threat.*

Detected under the names of *Samas*, Kazi, or RDN/Ransom, this ransomware
has been active only in the past three months, and besides infecting some
users in Europe, China, and India, it made its impact felt in the US more
than anywhere else.

Samas leverages JBOSS server software to spread to entire networks

According to the Microsoft Malware Protection Center
<https://blogs.technet.microsoft.com/mmpc/2016/03/17/no-mas-samas-whats-in-this-ransomwares-modus-operandi/>,
a Samas infection starts when the attacker detects a vulnerable server. The
FBI says that in most cases this is a server running an outdated JBOSS
installation, but Microsoft said that the attacker also exploited
vulnerabilities in Java applications arising from direct use of unsafe JNI
<https://cwe.mitre.org/data/definitions/111.html> (Java Native Interface).

After compromising a vulnerable server, the crooks behind Samas use an
open-source tool called reGeorg to scan and then map the internal network.

Attackers then deploy the Derusbi (Bladabindi) RAT on the infected server.
This trojan gathers login information for the network's clients; then, using
a third-party tool called psexec.exe and a series of batch scripts, the
final payload, the Samas ransomware, is deployed to the PCs on the internal
network.

Samas uses strong RSA-2048 encryption

Once on the victims' computers, Samas starts by searching for data files
based on an internal list of targeted extensions, and then encrypts their
content with the RSA-2048 algorithm.

The "encrypted.RSA" extension is added at the end of each infected file,
and a ransom note is then left in every folder where the ransomware found
and locked files.

Samas asks 1 Bitcoin (~$400) per infected PC and requires payment via a
Tor-hosted website. Microsoft noted that during its early stages, criminals
used a WordPress.com blog to manage ransom payments, but then decided to go
for a service hosted on the Dark Web instead, probably fearing an easy
takedown from law enforcement.
[image: Samas ransomware simplified mode of operation]
<http://i1-news.softpedia-static.com/images/news2/fbi-and-microsoft-warn-of-samas-ransomware-501914-2.png>

Another Samas quirk is that the ransomware runs vssadmin.exe to delete
shadow copies and backup files, in an attempt to make it harder for users to
restore older versions of their data.
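As an added example (not part of the article or of the FBI and Microsoft reports it cites), the routine below runs simple detection logic over constructed process-creation log lines and file names, flagging the three behaviours the article attributes to Samas: vssadmin shadow-copy deletion, psexec.exe launching batch scripts, and files carrying the "encrypted.RSA" suffix. The log line format, hostnames and paths are constructed for the example and do not reflect a real Windows event layout.

```python
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    rule: str
    evidence: str


# Constructed process-creation events, "host|parent|image|command line".
# Illustrative format only, not a real Windows event schema.
SAMPLE_EVENTS = [
    "WS01|cmd.exe|vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    "WS02|services.exe|PSEXESVC.exe|psexec.exe \\\\WS02 -c -f deploy.bat",
    "WS03|explorer.exe|notepad.exe|notepad.exe report.txt",
    "WS01|cmd.exe|vssadmin.exe|vssadmin.exe list shadows",  # benign: no deletion
]

# Constructed file names; the suffix is the one the article reports.
SAMPLE_PATHS = [
    r"C:\Users\alice\budget.xlsx.encrypted.RSA",
    r"C:\Users\alice\notes.txt",
    r"C:\Shares\finance\q1.docx.ENCRYPTED.rsa",
]

RANSOM_SUFFIX = "encrypted.RSA"
VSSADMIN_DELETE = re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)
PSEXEC_BATCH = re.compile(r"\bpsexec(\.exe)?\b.*\.(bat|cmd)\b", re.IGNORECASE)


def scan_events(events: List[str]) -> List[Finding]:
    """Flag shadow-copy deletion and PsExec batch deployment; ignore other commands."""
    findings: List[Finding] = []
    for line in events:
        host, _parent, _image, cmdline = line.split("|", 3)
        if VSSADMIN_DELETE.search(cmdline):
            findings.append(Finding("shadow_copy_deletion", f"{host}: {cmdline}"))
        if PSEXEC_BATCH.search(cmdline):
            findings.append(Finding("psexec_batch_deploy", f"{host}: {cmdline}"))
    return findings


def find_encrypted_files(paths: List[str]) -> List[str]:
    """Return paths ending in the Samas suffix, matched case-insensitively."""
    suffix = RANSOM_SUFFIX.lower()
    return [p for p in paths if p.lower().endswith(suffix)]


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.evidence}")
    for p in find_encrypted_files(SAMPLE_PATHS):
        print(f"[encrypted_file] {p}")
```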

Samas is a new breed of ransomware

Compared to other ransomware families that leverage automated distribution
schemes that involve spam or malvertising, Samas takes an old-school
approach that requires lots of scanning and manual hacking.

A reason to go through such a complicated process is that attackers are
targeting private corporate networks, where they can find more valuable
data, which companies might be willing to pay to get back.

This leads us to believe that Samas was developed and is managed by people
with advanced technical skills and lots of experience in delivering and
managing ransomware campaigns.
[image: Samas ransomware ransom note]
<http://i1-news.softpedia-static.com/images/news2/fbi-and-microsoft-warn-of-samas-ransomware-501914-4.png>