Wednesday, March 23, 2016

SamSam: The Doctor Will See You, After He Pays The Ransom

Cisco Talos is currently observing a widespread campaign leveraging the Samas/Samsam/MSIL.B/C ransomware variant. Unlike most ransomware, SamSam is not launched via user focused attack vectors, such as phishing campaigns and exploit kits. This particular family seems to be distributed via compromising servers and using them as a foothold to move laterally through the network to compromise additional machines which are then held for ransom. A particular focus appears to have been placed on the healthcare industry.

Adversaries have been seen leveraging JexBoss, an open source tool for testing and exploiting JBoss application servers, to gain a foothold in the network. Once they have access to the network they proceed to encrypt multiple Windows systems using SamSam.

Technical Details

Upon compromising the system the sample will launch a samsam.exe process which begins the process of encrypting files on the system.

SamSam encrypts various file types (see Appendix A) with Rijndael and then encrypts that key with RSA-2048 bit encryption. This makes the files unrecoverable unless the author made a mistake in the implementation of the encryption algorithms. The adversaries behind this ransomware variant did not go to any length to disguise or cover up the ransomware activity on the system. The samples Talos obtained are not packed and do not contain anti-debugging features.

One interesting note regarding the samples Talos has observed is that the malware will abort the encryption routine if the system is running a version of Microsoft Windows prior to Vista. This is likely done for compatibility reasons. Once installed on a machine there is no beaconing or C2 activity. The ransomware is effectively self sufficient.

Below is an example of the communication between a victim and the adversaries. Notice in this instance, the victim initially paid for one PC and followed up by paying for all affected PCs.


There were a couple of open source tools that were seen being leveraged by the adversaries. The first is JexBoss, which is a testing and exploitation framework for JBoss application servers. This was being used as an initial infection vector to gain a foothold in the network to spread the ransomware. The second is a component of REGeorg, tunnel.jsp. REGeorg is an open source framework to create socks proxies for communication. The file found in the samples is an unmodified version of the tunnel.jsp file that is being hosted by REGeorg (b963b8b8c5ca14c792d2d3c8df31ee058de67108350a66a65e811fd00c9a340c).

Payment Evolution

As we have monitored this activity, we have started to see changes in the amount and types of payment options available to victims. Initially, we saw a payment option of 1 bitcoin for each PC that has been infected.

Later we saw the price for a single system has been raised to 1.5 bitcoin. It is likely the malware author is trying to see how much people will pay for their files. They even added an option for bulk decryption of 22 bitcoin to decrypt all infected systems. Below is an example of this evolution.

Others have also seen samples that have increased the payment amount to 1.7 bitcoin per PC. During our investigation we found multiple different bitcoin wallets being presented to users, some had 0 bitcoins associated with them others had significant amounts. The total amount of bitcoin in these wallets was at least ~275 which equates to approximately $115,000 USD. Below is a screen capture showing some of the obfuscated wallets. They have been obfuscated so that we can continue to monitor their activity.





The SamSam campaign is unusual in that it is taking advantage of remote execution techniques instead of targeting the user. Adversaries are exploiting known vulnerabilities in unpatched JBoss servers before installing a web shell, identifying further network connected systems, and installing SamSam ransomware to encrypt files on these devices.

Ransomware continues to persist as a successful cyber crime business model. This technique is proving to be a profitable affair for criminals and will continue to be a threat to the internet at large until a more profitable technique is discovered. Protection against such threats is best achieved using a multi-tier defense architecture to ensure potential threats are scanned multiple times. However, one of the most effective ways to protect yourself is by simply backing up valuable files. Victims often find that at the moment when backups are most needed, they are either non-existent or incomplete. These lapses provide the revenue stream that is currently fueling the development of ransomware.


The following Snort rules and ClamAV signatures address this threat. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Defense Center, FireSIGHT Management Center or

Snort Rules 

  • JBoss Server Vulnerabilities: 18794, 21516-21517, 24342-24343, 24642, 29909
  • Samsam Malware: 38279-38280, 38304

ClamAV Signature Family


Additional ways our customers can detect and block this threat are listed below.

Advanced Malware Protection (AMP) can detect and prevent the execution of this malware on targeted systems.

CWS or WSA web scanning can prevent access to malicious websites and detects malware used in these attacks.

Network Security encompasses IPS and NGFW. Both have up-to-date signatures to detect malicious network activity that this campaign exhibits.



Appendix A: File Types Targeted for Encryption

The following file types are targeted for encryption:

.3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .7z, .ab4, .accdb, .accde, .accdr, .accdt, .ach, .acr, .act, .adb, .ads, .agdl, .ai, .ait, .al, .apj, .arw, .asf, .asm, .asp, .aspx, .asx, .avi, .awg, .back, .backup, .backupdb, .bak, .bank, .bay, .bdb, .bgt, .bik, .bkf, .bkp, .blend, .bpw, .c, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfp, .cgm, .cib, .class, .cls, .cmt, .cpi, .cpp, .cr2, .craw, .crt, .crw, .cs, .csh, .csl, .csv, .dac, .db, .db-journal, .db3, .dbf, .dbx, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .der, .des, .design, .dgc, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .eml, .eps, .erbsql, .erf, .exf, .fdb, .ffd, .fff, .fh, .fhd, .fla, .flac, .flv, .fmb, .fpx, .fxg, .gray, .grey, .gry, .h, .hbk, .hpp, .htm, .html, .ibank, .ibd, .ibz, .idx, .iif, .iiq, .incpas, .indd, .jar, .java, .jin, .jpe, .jpeg, .jpg, .jsp, .kbx, .kc2, .kdbx, .kdc, .key, .kpdx, .lua, .m, .m4v, .max, .mdb, .mdc, .mdf, .mef, .mfw, .mmw, .moneywell, .mos, .mov, .mp3, .mp4, .mpg, .mrw, .msg, .myd, .nd, .ndd, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nwb, .nx2, .nxl, .nyf, .oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .oil, .orf, .ost, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pab, .pages, .pas, .pat, .pbl, .pcd, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .php, .php5, .phtml, .pl, .plc, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prf, .ps, .psafe3, .psd, .pspimage, .pst, .ptx, .py, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .r3d, .raf, .rar,, .rat, .raw, .rdb, .rm, .rtf, .rw2, .rwl, .rwz, .s3db, .sas7bdat, .say, .sd0, .sda, .sdf, .sldm, .sldx, .sql, .sqlite, .sqlite3, .sqlitedb, .sr2, .srf, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .std, .sti, .stw, .stx, .svg, .swf, .sxc, .sxd, .sxg, .sxi, .sxi, .sxm, .sxw, .tex, .tga, .thm, .tib, .tif, .tlg, .txt, .vob, .wallet, .war, .wav, .wb2, .wmv, .wpd, .wps, .x11, .x3f, .xis, .xla, .xlam, .xlk, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .ycbcra, .yuv, .zip


  1. This comment has been removed by the author.

  2. wow ramsomware viruss.. very danger security in the world


Post a Comment