A ransomware campaign with an unusual method of propagation—infecting servers via unpatched vulnerabilities, then spreading laterally across the local network—experienced a marked spike in activity Monday, according to researchers at Talos. While the m.o. is uncommon for ransomware, the primary target is not: the healthcare industry.
Whereas most ransomware spreads through phishing campaigns, malvertising and exploit kits, this particular malware, dubbed Samas or Samsam, spreads through unpatched vulnerabilities in both JBoss application servers and REGeorg, an open-source framework that creates socks proxies. In other words, users don't have to perform an action like clicking on a malicious link to download the ransomware; instead, bad actors can trigger SamSam remotely through software flaws.
The adversaries behind this campaign are specifically scanning for and targeting machines containing these vulnerabilities. Consequently, SamSam ransomware campaigns are smaller in scope than conventional CryptoLocker, Locky or TeslaCrypt campaigns, but they also achieve much higher rates of successful infection.
“I think this is really the next evolution of the ransomware game,” said Craig Williams, senior technical leader and security outreach manager at Talos, the research division of Cisco, in an interview with SCMagazine.com.
Cybercriminals are exploiting JBoss using an open-source exploit tool called JexBoss. Once they've compromised a machine, they can download SamSam which locks up files with RSA-2048 bit encryption. The hackers can then silently move around the local network, laterally, and encrypt other connected systems as well. “We've seen cases where one of the victims buys an encryption key for one machine and then actually has to go back and buy it again for all the other machines,” after discovering additional infections, explained Williams.
While monitoring this campaign, Talos has observed the hackers gradually upping the ante, increasing their ransom demand as they test the market, from one bitcoin to 1.7 bitcoins. Or, for a real “bargain,” victimized organizations can buy in bulk, decrypting all of their infected systems at once for 22 bitcoins (approximately $9,160). By analyzing the various bitcoin wallets presented to victims in each observed SamSam sample, Talos calculated that the cybercriminals made about $115,000 from just its limited sample size.
Williams noted that the vulnerabilities affecting JBoss and REGeorg can be remedied with security patches, but users must first download them. Unfortunately, healthcare institutions can be lax with their cybersecurity policies because many “don't have full-time [network] administrators or IT security staff, so things fall through the cracks.”
IT security experts have noted a rash of ransomware attacks against hospitals of late, though Williams was unable to elaborate if any of them fell victim specifically to Samsam.
Talo also notes in its security advisory that the culprits behind Samsam have not taken steps to cover up the ransomware activity on affected systems. “That says two things,” said Williams. “One, they don't fear law enforcement—they don't think they're going to be caught—and number two, they probably believe they have good crypto.”