Malware development, like any other area in IT, is a hotbed of innovation and change. At the forefront of this trend are the groups responsible for developing ransomware applications such as TeslaCrypt and Cryptowall. Today’s news brings two new challengers: Petya and Samsam. They both contain the usual tricks: 2048-bit encryption, reliance on the use of TOR and other “shadow Internet” locations for payment, and headaches for everyone involved. That said, they each have some new tricks not yet seen in the space. Let’s take a look.

Samsam/Samus/MSIL.B/C

Samsam is the more conventional of the two ransomware families we’re looking at today. It works at the file level, encrypting the targeted files with the Rijndael algorithm, the symmetric block cipher standardized as the Advanced Encryption Standard (AES), and then encrypts the resulting decryption key with the 2048-bit RSA algorithm commonly used by other malware of this type. Like the others, the ransom must be paid in Bitcoin (BTC), and contact with the authors must be made in a prescribed way to receive the decryption key and tool.

That’s about where the similarities end, though. According to Cisco’s TALOS Security blog, Samsam does not appear to disguise its activities on the system, unlike many of its cousins in the ransomware space. Nor is there any centralized or distributed command and control (C2) server infrastructure for this variant: once installed, the malware is entirely self-contained, a facet that seems to be a security measure in its own right. It has also been observed to stop running on systems older than Windows Vista, possibly for compatibility reasons if nothing else.

The most troublesome aspect of this particular ransomware, though, is its transmission vector. It has been identified as being spread not through phishing campaigns or exploit kits, as TeslaCrypt and Cryptowall have been, but rather through direct targeting of systems running the JBoss application server.

Samsam uses several old exploits that are part of the JexBoss vulnerability testing tool to both infiltrate a network and spread throughout it. While many of the flaws targeted have been patched, the malware seems to be aimed at medical facilities, many of which deploy systems and then, for whatever reason, rarely follow up with timely patches. As potential victims continue to get wise to the most common vectors of email and drive-by distribution, some researchers fear this is the harbinger of a stealthier approach by ransomware authors.

The current ransom for Samsam is 1.7 Bitcoin for each system encrypted or 22 Bitcoin for a full-site key.

Petya ransomware

In contrast to Samsam’s more traditional styling, the Petya ransomware skips all the “pleasantries” of file encryption and goes right for a killing blow. Petya’s target is a system’s Master File Table (MFT), the database housing information about every file and folder on a system. By encrypting the MFT, Petya actively prevents a system from booting properly until a ransom is paid. This also ensures data loss if any action is taken to repair the MFT without paying for the decryption key.

This particular ransomware variant is spread via email masquerading as being from an organization’s human resources department. Once the email’s attachment is executed, it inserts a fake record into the system’s Master Boot Record (MBR), then runs a fake CHKDSK process on the system’s next boot. This fake scan is the actual encryption process; when it completes, the malware displays its lockout screen, which contains all the usual trappings (e.g. web address, ransom request, etc.).
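Because Petya’s first visible step is a change to the Master Boot Record, a simple defensive check is to compare a machine’s boot sector against a known-good baseline. The example below is added here as an illustration and is not code from the original post or from any vendor: it parses the 512-byte MBR layout (446 bytes of bootstrap code, a four-entry partition table, and the 0x55AA boot signature), hashes the bootstrap code, and reports deviations from a baseline hash. The sample MBR images are constructed inline, and the baseline-hash workflow is an assumption about how an administrator would store the known-good value.

```python
import hashlib
import struct

MBR_SIZE = 512
CODE_SIZE = 446          # bootstrap code occupies bytes 0..445
TABLE_OFFSET = 446       # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"
# Each entry: status(1) CHS(3) type(1) CHS(3) start_lba(4) sector_count(4)
ENTRY_FMT = "<B3xB3xII"


def parse_partition_table(mbr: bytes):
    """Return (bootable, type_id, start_lba, sector_count) for each of the 4 entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i)
        entries.append((status == 0x80, ptype, lba, count))
    return entries


def bootstrap_hash(mbr: bytes) -> str:
    """SHA-256 of the bootstrap code region, the part a boot-level locker overwrites."""
    return hashlib.sha256(mbr[:CODE_SIZE]).hexdigest()


def check_mbr(mbr: bytes, baseline_code_hash: str):
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if bootstrap_hash(mbr) != baseline_code_hash:
        findings.append("bootstrap code differs from baseline")
    active = [e for e in parse_partition_table(mbr) if e[0]]
    if len(active) > 1:
        findings.append("more than one active partition")
    return findings


def build_mbr(bootstrap: bytes, entries) -> bytes:
    """Assemble a 512-byte MBR image from bootstrap bytes and partition tuples (constructed helper)."""
    code = bootstrap.ljust(CODE_SIZE, b"\x00")[:CODE_SIZE]
    table = b"".join(
        struct.pack(ENTRY_FMT, 0x80 if boot else 0x00, ptype, lba, count)
        for boot, ptype, lba, count in entries
    ).ljust(64, b"\x00")
    return code + table + BOOT_SIGNATURE


# Constructed sample: a "known-good" MBR with one active NTFS (0x07) partition.
GOOD_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 40, [(True, 0x07, 2048, 204800)])
BASELINE_HASH = bootstrap_hash(GOOD_MBR)   # assumption: recorded at provisioning time

# Constructed sample: same partition table, but the bootstrap code has been replaced.
TAMPERED_MBR = build_mbr(b"\xeb\x00UNKNOWN BOOT CODE (constructed sample)", [(True, 0x07, 2048, 204800)])


if __name__ == "__main__":
    # On a live system the first 512 bytes would be read from the raw disk device
    # (e.g. \\.\PhysicalDrive0 on Windows) with administrative rights; here we use the samples.
    for name, image in (("good", GOOD_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(image, BASELINE_HASH) or "OK")
```

A check like this only catches tampering after the fact, so it belongs in a scheduled integrity job alongside, not instead of, the offline backups the post recommends.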

The current ransom for Petya is 0.90294 Bitcoin (approximately $373).

Backup, Backup, Backup

These new variations on the ransomware idea only serve to further underline how important it is to make sure you have working backups of all critical data and applications. With a cloud backup solution, you can make sure data is safely stored in the cloud and far away from any pesky malware attacks that can hurt your clients. Check out The MSP’s Complete Guide to Cyber Security for more information on how you can protect yourself and your clients from these attacks.

Posted by Paul Hanley

Paul Hanley is a senior partner support engineer at Intronis MSP Solutions by Barracuda.
