Jboss and SamSam

SamSam (aka Samas or SamSa) is a newer variant of ransomware that takes a different approach to targeting and infecting unsuspecting users. SamSam is spreading through compromised web servers, and many of the victims are schools and healthcare organizations that may not be able to afford an IT staff large enough to stay current on the latest patches.

Ransomware in The Beginning

Ransomware is nothing new to security researchers. Traditionally, ransomware infections originated as targeted spam emails, then transformed into fake antivirus or some self-proclaimed ‘cleaner’ that would slam you with alerts and prompt the user to make a payment to remove an infection that more than likely didn’t exist to begin with. The traditional ransomware tricked a user into visiting a domain under the attacker’s control where drive-by downloads took place, or used malicious attachments that, when opened, installed one or more variants of malware onto the target’s system. This malware eventually included some sort of ransomware variant like Locky, CryptoWall, TeslaCrypt, etc.

Ransomware Evolved

The threat is still growing, and ransomware has gotten much more effective and scarier. Variants such as CryptoLocker, when activated on the target, encrypt files stored on local and mounted drives using RSA public key encryption, rendering the system useless. CryptoWall is an even more destructive piece of malware. CryptoWall uses symmetric encryption, meaning there is no key to be retrieved forensically, leaving the victim no choice but to pay cybercriminals to retrieve their data. How much money? It is estimated that $325 million was paid to cybercriminals by businesses and individuals in 2015 as a result of CryptoWall alone.

New Ransomware on The Block

The newer variant of ransomware, SamSam, is spreading through compromised web servers, which serve as the delivery method, or rather the entry point used to gain a foothold in the network. From there the attackers spread laterally, steal more credentials, and infect and encrypt more workstations and systems, holding them for ransom. SamSam is itself a compiled .NET binary; the original primary filename associated with the ransomware was samsam.exe, but it has changed multiple times. Like other ransomware, SamSam encrypts files, steals credentials, and locks users out of their systems until a ransom is paid.

The cyber attackers spreading SamSam have been utilizing an old vulnerability (CVE-2010-0738, reported by Marc Schoenefeld) to gain entry to certain networks. CVE-2010-0738 is basically a server misconfiguration: the application’s security constraint only enforces authentication for the GET and POST request methods. Therefore, CVE-2010-0738 essentially allows unauthenticated users to upload malicious WAR files using other HTTP methods, mainly HEAD requests.

Cybercriminals have also been using the open source tool JexBoss to scan the web for vulnerable servers, basically probing servers for a few known web paths that will allow the attacker to gain unauthenticated remote code execution on JBoss 4, 5, and 6.
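The two paragraphs above describe a misconfiguration (a security constraint that enumerates GET and POST, so other verbs bypass it) and a scanning pattern (one client probing several known JBoss administrative paths). The following is an added example, not code from the original post or from the JBoss project, showing how a defender can check for both: it audits a web.xml security constraint for the verb-restricted shape and scans access-log lines for verb tampering and multi-path probing. The web.xml fragments, the log lines, and the list of monitored administrative path prefixes (`/jmx-console`, `/web-console`, `/invoker`) are constructed assumptions for this example; adjust the prefixes to what your deployment actually exposes.

```python
"""Added example (not part of the original post): defender-side checks for the
JBoss verb-tampering misconfiguration and for JexBoss-style path probing."""
import re
import xml.etree.ElementTree as ET

# Assumed: administrative path prefixes the monitoring team wants to watch.
ADMIN_PREFIXES = ("/jmx-console", "/web-console", "/invoker")
# The verbs the vulnerable constraint protects; anything else slips past it.
PROTECTED_METHODS = {"GET", "POST"}

# Constructed: a security constraint in the vulnerable shape. Because the
# <http-method> elements enumerate GET and POST, the <auth-constraint> is
# only applied to those two verbs (the CVE-2010-0738 misconfiguration).
VULNERABLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed: the hardened form. With no <http-method> elements the
# constraint covers every verb, so HEAD and friends also require auth.
HARDENED_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed access-log lines in Common Log Format. 203.0.113.7 sends a HEAD
# to the JMX console and then touches a second admin path.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Apr/2016:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.5 - - [01/Apr/2016:10:00:02 +0000] "GET /jmx-console/ HTTP/1.1" 401 0
203.0.113.7 - - [01/Apr/2016:10:00:03 +0000] "HEAD /jmx-console/HtmlAdaptor HTTP/1.1" 200 0
203.0.113.7 - - [01/Apr/2016:10:00:04 +0000] "POST /jmx-console/HtmlAdaptor HTTP/1.1" 401 0
203.0.113.7 - - [01/Apr/2016:10:00:05 +0000] "GET /web-console/Invoker HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def audit_security_constraints(web_xml):
    """Return one finding per <web-resource-collection>: which URL patterns it
    covers, which verbs it enumerates, and whether it is verb-restricted
    (True means only the listed verbs are protected, i.e. the vulnerable shape)."""
    root = ET.fromstring(web_xml)
    findings = []
    for wrc in root.iter("web-resource-collection"):
        patterns = [p.text.strip() for p in wrc.findall("url-pattern")]
        methods = [m.text.strip().upper() for m in wrc.findall("http-method")]
        findings.append({"patterns": patterns, "methods": methods,
                         "verb_restricted": bool(methods)})
    return findings


def parse_log_line(line):
    """Parse one Common Log Format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def admin_prefix(path):
    """Return the monitored admin prefix the path falls under, or None."""
    return next((p for p in ADMIN_PREFIXES if path.startswith(p)), None)


def find_verb_tampering(lines):
    """Flag requests to admin paths that use a verb outside GET/POST, which is
    exactly the traffic the verb-restricted constraint fails to authenticate."""
    hits = []
    for rec in filter(None, map(parse_log_line, lines)):
        if admin_prefix(rec["path"]) and rec["method"] not in PROTECTED_METHODS:
            hits.append((rec["ip"], rec["method"], rec["path"]))
    return hits


def find_admin_probes(lines, min_prefixes=2):
    """Flag clients that touch at least min_prefixes distinct admin paths,
    the footprint a scanner checking several known paths leaves behind."""
    seen = {}
    for rec in filter(None, map(parse_log_line, lines)):
        prefix = admin_prefix(rec["path"])
        if prefix:
            seen.setdefault(rec["ip"], set()).add(prefix)
    return {ip: sorted(p) for ip, p in seen.items() if len(p) >= min_prefixes}


if __name__ == "__main__":
    for label, xml in (("vulnerable", VULNERABLE_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, audit_security_constraints(xml))
    lines = SAMPLE_LOG.splitlines()
    print("verb tampering:", find_verb_tampering(lines))
    print("admin path probes:", find_admin_probes(lines))
```

The web.xml audit is the check to run on every JBoss instance you own: a `web-resource-collection` for the console that lists any `http-method` elements is in the vulnerable shape, and the fix is to delete those elements so the `auth-constraint` applies to every verb. The log rules are deliberately simple; in production you would feed them from your real access logs and tune `ADMIN_PREFIXES` and `min_prefixes` to your environment.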

It was recently discovered that there are more than 3.2 million systems running vulnerable versions of JBoss. There have also been numerous reports of infections at schools and healthcare organizations that are being asked to pay up to $20,000 in ransom after being compromised through JBoss. The FBI considers JBoss to be a big threat.

Conclusion

A ransomware threat is as real as it gets, but paying shouldn’t be an option, as paying the ransom does not guarantee that victims regain access to their locked files. Overall, SamSam and the JBoss vulnerability have been a serious threat that stayed under the radar until lately. While the malware itself is not terribly sophisticated, the tactics used by the attackers make the combination a serious threat.

About the Author

Joseph Hitchcock - Technical Security Evangelist


Joe Hitchcock is passionate when it comes to system and network security. Initially self-taught, he started working as an independent contractor for small businesses doing malware removal and perimeter security. He started at Alert Logic in 2011 as a Network Security Analyst analyzing threat traffic and other attacks. Afterwards, he worked in Security Research and eventually became one of the first Analysts to work on the Web Security team supporting the Web Security Manager WAF. He was eventually promoted to Senior Web Security Analyst, where his job included building custom security policies, researching new web attacks and adding custom signatures to improve WSM detection.
