FBI and Microsoft Warn of Samas Ransomware


Ransomware targets corporate networks, not just lone users. A new ransomware family has inflicted enough damage for both Microsoft and the FBI to take notice, the latter issuing a public announcement on its site to warn US companies of the dangers surrounding this new threat.

Detected under the names of Samas, Kazi, or RDN/Ransom, this ransomware has been active only in the past three months, and besides infecting some users in Europe, China, and India, it made its impact felt in the US more than anywhere else.

Samas leverages JBOSS server software to spread to entire networks

According to the Microsoft Malware Protection Center, a Samas infection starts when the attacker detects a vulnerable server. The FBI says that in most cases this is a server running an outdated JBOSS installation, but Microsoft said the attackers also exploited vulnerabilities in Java applications that stem from direct use of unsafe JNI (Java Native Interface) calls.

After compromising a vulnerable server, the crooks behind Samas use an open-source tool called reGeorg to scan and then map the internal network.

Attackers then deploy the Derusbi (Bladabindi) RAT on the infected server. This trojan gathers login information for the network’s clients and then, using a third-party tool called psexec.exe and a series of batch scripts, deploys the final payload, the Samas ransomware, to the internal network’s PCs.

Samas uses strong RSA-2048 encryption

Once on the victims’ computers, Samas starts by searching for data files based on an internal list of targeted extensions, and then encrypts their content with the RSA-2048 algorithm.

The “encrypted.RSA” extension is appended to each encrypted file, and a ransom note is then left in every folder where the ransomware found and locked files.
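The appended extension is the fastest way for a responder to scope an incident: walking a share and counting files that end in “.encrypted.RSA” per folder shows which directories were reached, and stripping the suffix gives the list of original names to pull from backup. The script below is an added example written for this article, not code from Microsoft, the FBI, or the ransomware analysis; the directory tree it builds under a temporary folder is constructed sample data, and the helper names are ours.

```python
import os
import tempfile
from pathlib import Path

# Extension the article reports Samas appending to every file it locks.
ENCRYPTED_SUFFIX = ".encrypted.RSA"


def build_sample_tree():
    """Construct a small directory tree imitating a hit file share.

    Sample data made up for this example; nothing here comes from a real incident.
    """
    root = Path(tempfile.mkdtemp(prefix="samas_triage_"))
    files = [
        "finance/q1.xlsx.encrypted.RSA",
        "finance/q2.xlsx.encrypted.RSA",
        "finance/readme.txt",              # untouched: not on the targeted-extension list
        "hr/contracts/a.docx.encrypted.RSA",
        "hr/notes.txt",
        "it/clean.iso",                    # folder never reached by the ransomware
    ]
    for rel in files:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample content")
    return root


def is_encrypted(filename):
    """Case-insensitive match, since Windows file systems ignore extension case."""
    return filename.lower().endswith(ENCRYPTED_SUFFIX.lower())


def triage(root):
    """Walk the tree and return {relative_folder: locked_file_count}.

    Only folders that contain at least one locked file are reported, which is
    also where the article says a ransom note will have been dropped.
    """
    root = Path(root)
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        count = sum(1 for name in filenames if is_encrypted(name))
        if count:
            rel = Path(dirpath).relative_to(root).as_posix()
            hits[rel] = count
    return hits


def original_name(filename):
    """Strip the appended suffix to recover the pre-encryption filename for a restore list."""
    if is_encrypted(filename):
        return filename[: -len(ENCRYPTED_SUFFIX)]
    return filename


def restore_list(root):
    """Original filenames (relative to root) that need to be restored from backup."""
    root = Path(root)
    wanted = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if is_encrypted(name):
                rel = (Path(dirpath) / original_name(name)).relative_to(root).as_posix()
                wanted.append(rel)
    return sorted(wanted)


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for folder, n in triage(sample_root).items():
        print(f"{folder}: {n} locked file(s)")
    print("restore:", restore_list(sample_root))
```

Run it against the real share root instead of the constructed tree; the per-folder counts double as a check on the backup restore afterwards, since every listed folder should come back with zero matches.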

Samas asks 1 Bitcoin (~$400) per infected PC and requires payment via a Tor-hosted website. Microsoft noted that during its early stages, criminals used a WordPress.com blog to manage ransom payments, but then decided to go for a service hosted on the Dark Web instead, probably fearing an easy takedown from law enforcement.

[Figure: Samas ransomware simplified mode of operation]

Another Samas quirk is that the ransomware runs the Windows tool vssadmin.exe to delete the drive’s volume shadow copies and backup files, in an attempt to make it harder for users to restore older versions of their data.
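Two steps in the chain described above leave telemetry a defender can alert on: the psexec.exe-plus-batch-script push to internal PCs, and the vssadmin.exe shadow-copy deletion on each victim. The script below is an added example written for this article, not code from Microsoft, the FBI, or any detection product. It runs over constructed process-creation log lines in a simple key=value layout invented for the example (real process-creation telemetry would first be mapped onto the same host, user, image and cmdline fields), flags both behaviours, and counts how many distinct targets each host pushed scripts to, which separates one administrator’s psexec run from a fan-out across the network.

```python
import re
from dataclasses import dataclass

# Constructed process-creation log lines in a made-up key=value format.
# Hostnames, users and timestamps are sample values, not from any real incident.
SAMPLE_LOG = """\
ts=2016-03-20T02:14:11Z host=FILESRV01 user=CORP\\svc_backup image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"
ts=2016-03-20T02:14:12Z host=FILESRV01 user=CORP\\svc_backup image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c dir"
ts=2016-03-20T02:15:03Z host=JUMP01 user=CORP\\admin image=C:\\Tools\\psexec.exe cmdline="psexec.exe \\\\WS-0412 -c deploy.bat"
ts=2016-03-20T02:15:04Z host=WS-0412 user=CORP\\admin image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin.exe list shadows"
ts=2016-03-20T02:15:05Z host=JUMP01 user=CORP\\admin image=C:\\Tools\\psexec.exe cmdline="psexec.exe \\\\WS-0413 -c deploy.bat"
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    user: str
    detail: str


FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
SHADOW_DELETE_RE = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)
BATCH_SCRIPT_RE = re.compile(r"\S+\.(?:bat|cmd)\b", re.IGNORECASE)
UNC_TARGET_RE = re.compile(r"\\\\([\w.-]+)")          # \\HOSTNAME argument to psexec


def parse_line(line):
    """Split one key=value log line into a dict, dropping the quotes around values."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def detect(log_text):
    """Return one Finding per line that matches a Samas-style behaviour.

    Only 'delete shadows' is flagged; 'vssadmin list shadows' is routine
    administration and stays quiet, which keeps the rule from paging on noise.
    """
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        fields = parse_line(raw)
        image = fields.get("image", "").rsplit("\\", 1)[-1].lower()
        cmd = fields.get("cmdline", "")
        host, user = fields.get("host", "?"), fields.get("user", "?")

        if image == "vssadmin.exe" and SHADOW_DELETE_RE.search(cmd):
            findings.append(Finding("SHADOW_COPY_DELETION", host, user, cmd))
        elif image == "psexec.exe":
            script = BATCH_SCRIPT_RE.search(cmd)
            target = UNC_TARGET_RE.search(cmd)
            if script and target:
                detail = f"{target.group(1)} <- {script.group(0)}"
                findings.append(Finding("REMOTE_BATCH_DEPLOY", host, user, detail))
    return findings


def deployment_fanout(findings):
    """Distinct remote targets per source host for REMOTE_BATCH_DEPLOY findings.

    One host pushing the same batch script to many peers is the lateral-movement
    pattern the article describes; a single target is more likely an admin task.
    """
    fanout = {}
    for f in findings:
        if f.rule == "REMOTE_BATCH_DEPLOY":
            target = f.detail.split(" <- ")[0]
            fanout.setdefault(f.host, set()).add(target)
    return {host: len(targets) for host, targets in fanout.items()}


if __name__ == "__main__":
    results = detect(SAMPLE_LOG)
    for f in results:
        print(f"[{f.rule}] {f.host} ({f.user}): {f.detail}")
    print("fan-out:", deployment_fanout(results))
```

The shadow-copy rule is worth alerting on in near real time: the article notes that Samas deletes the copies before or while encrypting, so an alert at that moment is the last point at which isolating the host still saves data.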

Samas is a new breed of ransomware

Compared to other ransomware families that leverage automated distribution schemes that involve spam or malvertising, Samas takes an old-school approach that requires lots of scanning and manual hacking.

One reason to go through such a complicated process is that the attackers are targeting private corporate networks, where they can find more valuable data, which companies might be willing to pay to get back.

This leads us to believe that Samas was developed and is managed by people with advanced technical skills and lots of experience in delivering and managing ransomware campaigns.

[Figure: Samas ransomware ransom note]