Microsoft researchers have warned that a new ransomware, ‘Samas’,
has been found leveraging pen-testing/attack tools for a more targeted approach
to getting installed on compromised systems.
Samas ransomware, also known as MSIL/Samas, started its malicious
activities in the past quarter. It searches for potentially vulnerable networks
to exploit. That network-targeting approach is what sets the Samas infection chain
apart, but the result is the same as with other ransomware: the user’s files end up encrypted.
Microsoft Malware Protection Center (MMPC) researcher
Marianne Mallen explained that a publicly available tool called reGeorg is used
for tunneling, and that the actors behind this ransomware also use Java-based
vulnerabilities, such as direct use of unsafe Java Native Interface (JNI) calls in
outdated JBoss server applications.
The ransomware can also use other information-stealing malware
(Derusbi/Bladabindi) to gather login credentials. All the stolen credentials are listed in a
text file and used to deploy the malware and its components through the third-party
tool psexec.exe, which lets users execute programs on remote systems. The deployment is
driven by batch files that are detected as Trojan:BAT/Samas.B and Trojan:BAT/Samas.C.
Trojan:BAT/Samas.B also deletes the volume shadow copies using the
vssadmin.exe tool. Trojan:MSIL/Samas.A usually takes the name delfiletype.exe or sqlsrvtmg1.exe
and looks for certain file extensions associated with backup files on the
system. It also checks that those files are not locked by other processes; if they
are, the trojan terminates those processes, and finally it deletes the
backup files.
Once all of the initial operations are performed, the
ransomware starts encrypting files on the system using the AES algorithm. It
also renames the encrypted files with the extension encrypted.RSA and displays a
ransom note to inform users what happened to their files, after which the
ransomware deletes itself from the system.
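The behaviours described above (vssadmin shadow-copy deletion, psexec.exe deployment through batch files, the delfiletype.exe/sqlsrvtmg1.exe component names, and the encrypted.RSA rename) are the observable footprint a defender can hunt for. The following is an added example, not code from Microsoft or the original report: it runs simple detection rules over a few constructed, pipe-delimited host events (invented format and hostnames) and only raises an alert when a host shows more than one Samas behaviour, because a single vssadmin invocation can be legitimate administration.

```python
import re
from collections import defaultdict

# Constructed sample events in a simplified "host|kind|data" form, where kind is
# "proc" (a process command line) or "file" (a path after a rename). Hostnames,
# paths and format are invented for this example, not real telemetry.
SAMPLE_EVENTS = r"""
srv01|proc|vssadmin.exe delete shadows /all /quiet
srv01|proc|psexec.exe \\srv02 -u corp\svc -c deploy.bat
srv02|proc|C:\Windows\Temp\sqlsrvtmg1.exe
srv02|file|D:\shares\finance\q3.xlsx.encrypted.RSA
ws17|proc|vssadmin.exe list shadows
ws17|proc|C:\Windows\explorer.exe
"""

# One rule per Samas behaviour named in the write-up.
RULES = {
    # Trojan:BAT/Samas.B wipes shadow copies via vssadmin before encryption
    "shadow_copy_deletion": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
    # components pushed to other machines with psexec.exe driven by batch files
    "psexec_batch_deploy": re.compile(r"\bpsexec(\.exe)?\b.*\.bat\b", re.I),
    # file names the report gives for Trojan:MSIL/Samas.A
    "samas_component_name": re.compile(r"(^|\\)(delfiletype|sqlsrvtmg1)\.exe\b", re.I),
    # encrypted files are renamed with the encrypted.RSA extension
    "encrypted_rsa_rename": re.compile(r"\.encrypted\.RSA$", re.I),
}

def parse_events(text):
    """Yield (host, kind, data) tuples from the pipe-delimited sample format."""
    for line in text.strip().splitlines():
        host, kind, data = line.split("|", 2)
        yield host, kind, data

def match_rules(data):
    """Return the sorted names of every rule that fires on one event's data."""
    return sorted(name for name, rx in RULES.items() if rx.search(data))

def behaviours_per_host(text):
    """Collect the distinct Samas behaviours observed on each host."""
    seen = defaultdict(set)
    for host, _kind, data in parse_events(text):
        seen[host].update(match_rules(data))
    return {host: sorted(found) for host, found in seen.items()}

def flag_hosts(text, min_behaviours=2):
    """Alert only on hosts showing at least min_behaviours distinct behaviours."""
    per_host = behaviours_per_host(text)
    return sorted(h for h, found in per_host.items() if len(found) >= min_behaviours)

if __name__ == "__main__":
    for host, found in behaviours_per_host(SAMPLE_EVENTS).items():
        print(host, found)
    print("alert:", flag_hosts(SAMPLE_EVENTS))
```

In production the same rules would run over Sysmon process-creation and file-rename events rather than the constructed lines, and the threshold can be tuned per environment.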
Researchers noticed that, while the ransomware initially
used a WordPress site as its decryption service, it later moved to a Tor site in an
attempt to remain anonymous.
The majority of Samas ransomware infections were detected in
North America, with a few instances in Europe. Some other
regions in Asia, such as India, have also been affected by this ransomware.
To prevent this infection, Microsoft has advised users and
administrators to use Windows Defender on Windows 10 as their antimalware scanner, to
ensure that MAPS (Microsoft Active Protection Service) is enabled, to enforce strong password
policies, to disable Office macros, and to keep software up to date.
Ransomware has emerged as one of the biggest threats because
it has the ability to provide cybercriminals with potentially high gains with
minimal effort.