Normally new variants of ransomware families aren't particularly interesting.
SamSam, however, is different. Whereas most ransomware is automatically propagated, SamSam is deployed manually.
In addition, the group behind SamSam charges very high ransoms because of the amount of effort invested in their operations, which made them the subject of two FBI Alerts last year.
The attacks seem to peak in waves as campaigns distributing SamSam are executed. A notable recent example was a large hospital in New York that was hit with SamSam in April. The hospital declined to pay the attackers the $44,000 ransom demanded. It took a month for the hospital’s IT systems to be fully restored.
Defending against SamSam is more like defending against a targeted attack than against typical opportunistic ransomware. SamSam attackers are known to:
- Gain remote access through traditional attacks, such as JBoss exploits
- Deploy web-shells
- Connect to RDP over HTTP tunnels such as ReGeorg
- Run batch scripts to deploy the ransomware over machines
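Because the intrusion chain above runs through the victim's own web server (JBoss exploitation, a web shell, then an HTTP tunnel carrying RDP), most of it leaves traces in ordinary web access logs. The following triage script is an added example written for this post, not code from the original article or from the SamSam analyses it cites. It assumes Apache/Nginx "combined" log lines (the sample lines are constructed), the well-known JBoss invoker and JMX console paths, and, as an assumption to verify against the tool's own source, that a ReGeorg-style tunnel drives its server-side script with a `cmd` query parameter taking the values `connect`, `read`, `forward` and `disconnect` plus `target`/`port` parameters on connect. It aggregates per source IP and script path so that a sustained tunnel stands out from a single stray request.

```python
"""Triage constructed web access-log lines for the SamSam intrusion pattern:
JBoss invoker hits, ReGeorg-style HTTP tunnel traffic, and tunnels to RDP.
Added example for this post; not the original article's code."""
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache/Nginx "combined" format: ip ident user [ts] "METHOD URL PROTO" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Well-known JBoss management/invoker endpoints abused by "traditional" JBoss exploits.
JBOSS_PATHS = (
    "/invoker/jmxinvokerservlet",
    "/invoker/ejbinvokerservlet",
    "/jmx-console",
    "/web-console/invoker",
)

# Assumption: ReGeorg's client drives its tunnel script with cmd=<verb>.
REGEORG_CMDS = {"connect", "read", "forward", "disconnect"}
RDP_PORT = "3389"

# Constructed sample log lines (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2016:03:14:01 +0000] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jun/2016:03:20:11 +0000] "GET /images/tunnel.jsp?cmd=connect&target=10.0.0.7&port=3389 HTTP/1.1" 200 0',
    '203.0.113.5 - - [10/Jun/2016:03:20:12 +0000] "POST /images/tunnel.jsp?cmd=forward HTTP/1.1" 200 0',
    '203.0.113.5 - - [10/Jun/2016:03:20:12 +0000] "GET /images/tunnel.jsp?cmd=read HTTP/1.1" 200 1460',
    '203.0.113.5 - - [10/Jun/2016:03:20:13 +0000] "POST /images/tunnel.jsp?cmd=forward HTTP/1.1" 200 0',
    '198.51.100.9 - - [10/Jun/2016:03:21:00 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '198.51.100.9 - - [10/Jun/2016:03:22:00 +0000] "GET /search?cmd=read HTTP/1.1" 200 300',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["path"] = parts.path.lower()
    # parse_qs maps each key to a list of values; lower-case keys for matching
    rec["query"] = {k.lower(): v for k, v in parse_qs(parts.query).items()}
    return rec


def classify(rec):
    """Return the list of indicator tags that apply to one parsed request."""
    tags = []
    if any(rec["path"].startswith(p) for p in JBOSS_PATHS):
        tags.append("jboss-invoker")
    cmd = rec["query"].get("cmd", [""])[0].lower()
    if cmd in REGEORG_CMDS:
        tags.append("regeorg-cmd")
        # A CONNECT verb naming port 3389 means the tunnel is being pointed at RDP.
        if cmd == "connect" and rec["query"].get("port", [""])[0] == RDP_PORT:
            tags.append("tunnel-to-rdp")
    return tags


def triage(lines, min_tunnel_requests=3):
    """Aggregate tags per (source ip, script path) and return the findings worth a look.

    A lone ?cmd=read on an unrelated page is noise; repeated tunnel verbs against
    one script, any tunnel to RDP, or any invoker hit is reported.
    """
    findings = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for tag in classify(rec):
            findings[(rec["ip"], rec["path"])][tag] += 1
    report = []
    for (ip, path), counts in findings.items():
        if (counts["regeorg-cmd"] >= min_tunnel_requests
                or counts["tunnel-to-rdp"]
                or counts["jboss-invoker"]):
            report.append({"ip": ip, "path": path, **counts})
    return report


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the constructed sample the script reports two findings for 203.0.113.5: one invoker hit on `/invoker/jmxinvokerservlet` and a four-request ReGeorg-style session against `/images/tunnel.jsp` that includes a connect to port 3389; the single `cmd=read` from 198.51.100.9 stays below the threshold and is not reported. Adjusting `min_tunnel_requests` trades false positives against catching short tunnel sessions.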
Earlier this week, ID Ransomware spotted new variants of the SamSam ransomware. A review of the code (which decompiles cleanly with the tool ILSpy) indicates that little has changed, apart from some updates to the ransom note:
The ransom the victims must pay to recover their files is hardcoded in the malware. In this attack, it was:
- 1.7 Bitcoin ($4,600) for a single machine
- 6 Bitcoins ($16,400) for half the machines (allowing the victim to confirm they can recover their files)
- 12 Bitcoins ($32,800) for all of the machines
The most recent attacks appear to have been successful, at least from the attackers' point of view. The Bitcoin address associated with this week’s attacks has received $33,000.
These new variants remind us that we must remain vigilant and use the latest threat indicators to detect new strains of existing malware. You can view the associated indicators in OTX.
Update: Vallejo has published an analysis on this sample of SamSam.