Samas Exploiting Vulnerable Hospital Servers
Ransomware continues to proliferate the industry, unfortunately. There is no wonder of the phenomena. From the attacker’s view, this method provides for an increase in ROI with a significant ease of use. This method and the associated tools are not complicated to use and implement. All it takes is one user to infect the system and encrypt the files and folders. A new tool to accomplish this, brought to the wild, was Samasaka MSIL and Samsam. This continues the ransomware-as-a-service (RaaS) trend that has been noted across many industries, but focusing on a limited number of targets.
The usual format for the attack is for the ransomware to look to the nodes. The attack vector has been to attack each node individually. The attacker would then find another node or set of nodes and launch another attack. Samas is unique in its mode of attack. Instead of looking at individual or sets of individuals to infect in an organization, this looks to another target that has access to the nodes. The Samas attacks servers with specific vulnerable servers. After the server is infected, it reaches out to the other nodes and encrypts these. The end effect is for the network in its entirety to be encrypted.
Targets
With this example of malware, the target has been the hospitals. These are data dependent enterprises. The staff (e.g. doctors, nurses, physician assistants-certified, billing, and many others) use these very minute of the day through the hospital to treat the patients. In a worst case scenario, the staff may print off hard copies of the patient files to use. This however is highly dependent on the back-ups being done quite regularly, the back-ups being done, and these having absolute integrity. Any lag in the recording from doctor’s orders, nurse’s notes, or other actions could prove devastating.
The hospitals are not like a manufacturing firm. The line manufacturing air fresheners can continue to make air fresheners for a limited amount of time, but can continue. With a patient, a double dose of a medication or a dose continuing at a predetermined rate when it should not have. The target may be a single hospital or a series of connected hospitals. The hospitals may operate under the same name or possibly connected with a purchasing program used for discounts. Most of the infections have been located in North America. There have, however been a limited number of infections in Europe, Asia, and India.
Delivery
The new method of delivery for the malware are the servers. These may present vulnerabilities when the configuration is not done appropriately or correctly. These may also not be patched or updated. These vulnerabilities may be exploited to spread the ransomware to Window machines on the network. Here, the ransomware looks particularly for out of date versions of JBoss.
Samas is delivered using JexBoss to automate the infection process. This works well to push the attack and install ransomware on the network. This has increased the proliferation of the malware. The malware also uses Ps Exec (psexec.exe) for the encryption. After the infection, the payload deployment is managed with BAT/Samas.B, BAT/Samas.C, and BAT/Samas.A. Each file has its own function and use. For instance, B was coded to delete the shadow files. A functions to delete certain back-ups in the system.
The malware is designed to encrypt files, using RSA-2048 bit encryption. This uses an algorithm to make the target server and node files not readable or usable by manipulating the data. The files are still present, however the key is needed to decrypt the file and make it usable. Without this key it would take several lifetimes of constant work to manually decrypt the file, which is not a viable solution. The decrypt key is completely available-for a price. This is why the malware is deployed. Initially the decrypt key was for sale with the price of one bitcoin for a single key. This has increased to 1.5-1.7 bit coins for a single system. A large number of nodes decryption key is sold at a discount of 22 bit coins.
Summary
There was bound to be a change with ransomware. Granted this has been exceptionally successful for the attackers and their business model. The attackers recognized what so many others have not been able to the attack cannot maintain a static nature. To ensure the attack continued to evolve, the attackers directed the coders to alter the point on the target from the nodes to the servers, and using this infection to reach the nodes. This has been shown to be a rather interesting twist.
Resources
Biasini, N (2016, March 23). Samsam: The doctor will see you, after he pays the ransom. Retrieved from http://blog.talosintel.com/2016/03/samsam-rnasomware.html
Gupto, A. (2016, March 18). Samas changes the way a ransomware operates. Retrieved from http://news.thewindowsclub.com/samas-ransomware-changes-way-ransomware-operates-82755/
Reuters. (2016, March 28). FBI wants help from U.S. businesses, security experts fight new ransomware. Retrieved from http://fortune.com/2016/03/28/fbi-ransomware-extortion-hackers/
Security Week. (2016, March 18). Samas ransomware ups pen testing tools for delivery. Retrieved from http://www.securityweek.com/samas-ransomware-uses-pen-testing-tools-delivery
US-CERT. (2016, March 31). Alert (TA16-091A): ransomware and recent variants. Retrieved from https://www.us-cert.gov/ncas/alerts/TA16-091A
Zorz, Z. (2016, March 31). Samas ransomware enters hospitals through vulnerable servers. Retrieved from https://www.helpnetsecurity.com/2016/03/31/samas-ransomware-enters-hospitals/
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.