Microsoft researchers have warned that a new ransomware family, ‘Samas’, has been found leveraging penetration-testing and attack tools to take a more targeted approach to getting installed on compromised systems.
Samas ransomware (Microsoft's detection names carry the MSIL prefix, e.g. Trojan:MSIL/Samas.A) began its activity in the past quarter. Instead of relying on mass distribution, it searches for potentially vulnerable networks to exploit. This is how the Samas infection chain differs, but the result is the same as with other ransomware: the user's files end up encrypted.
Microsoft Malware Protection Center (MMPC) researcher Marianne Mallen explained that the publicly available reGeorg tool is used for tunneling, and that the actors behind this ransomware also exploit Java-based vulnerabilities, such as direct use of the unsafe Java Native Interface (JNI), in outdated JBoss server applications. reGeorg is a web-shell-based tunnel, so its presence indicates a compromised web server being used as a pivot into the internal network.
The attackers also use information-stealing malware (Derusbi/Bladabindi) to gather login credentials. The stolen credentials are collected in a text file and used to deploy the ransomware and its components with the third-party tool psexec.exe, which lets a user execute programs on remote systems; the deployment is driven by batch files detected as Trojan:BAT/Samas.B and Trojan:BAT/Samas.C.
Trojan:BAT/Samas.B also deletes volume shadow copies using the vssadmin.exe tool. Trojan:MSIL/Samas.A, which usually runs under the name delfiletype.exe or sqlsrvtmg1.exe, looks for file extensions associated with backup files and checks whether they are locked by other processes; if they are, the trojan terminates those processes, and then it deletes the backup files. Together these steps strip the local recovery options before encryption starts, which is why off-host backups matter.
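The deployment chain above (PsExec-driven remote execution with stolen credentials, vssadmin shadow-copy deletion, and the renamed dropper) leaves distinctive process-creation telemetry. The following is an added detection example, not code from Microsoft or from the malware: it scans records shaped like Sysmon Event ID 1 / Security 4688 (host, user, image, command line, parent image) for those behaviours and summarises PsExec fan-out per source host. The event records are constructed for the example, the `ProcEvent` layout and rule names are my own, and the host and account names are placeholders.

```python
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (assumed shape, modelled on Sysmon ID 1)."""
    host: str      # machine the process started on
    user: str      # account it ran as
    image: str     # full path of the executable
    cmdline: str   # full command line
    parent: str    # full path of the parent executable


# Names the article attributes to the Samas dropper (Trojan:MSIL/Samas.A).
SAMAS_DROPPER_NAMES = {"delfiletype.exe", "sqlsrvtmg1.exe"}
# PsExec client binaries; PSEXESVC.exe is the service PsExec installs on the target.
PSEXEC_CLIENTS = {"psexec.exe", "psexec64.exe"}
# A PsExec target is given as \\HOSTNAME on the command line.
PSEXEC_TARGET_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)")
# Shadow-copy deletion as used by Trojan:BAT/Samas.B ("vssadmin delete shadows ...").
SHADOW_DELETE_RE = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path, e.g. C:\\x\\PsExec.exe -> psexec.exe."""
    return ntpath.basename(path).lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the names of every rule the event trips (empty list if none)."""
    hits = []
    image, parent, cmd = _base(ev.image), _base(ev.parent), ev.cmdline.lower()
    if image == "vssadmin.exe" and SHADOW_DELETE_RE.search(cmd):
        hits.append("shadow_copy_deletion")          # listing shadows does not match
    if image in PSEXEC_CLIENTS and PSEXEC_TARGET_RE.search(ev.cmdline):
        hits.append("psexec_remote_execution")       # source side of lateral movement
    if parent == "psexesvc.exe":
        hits.append("spawned_by_psexec_service")     # target side of lateral movement
    if image in SAMAS_DROPPER_NAMES or any(n in cmd for n in SAMAS_DROPPER_NAMES):
        hits.append("samas_dropper_filename")        # dropper run or copied by name
    return hits


def scan(events: list[ProcEvent]) -> list[tuple[str, str, str]]:
    """Flatten all findings into (host, rule, command line) tuples."""
    return [(ev.host, rule, ev.cmdline) for ev in events for rule in classify(ev)]


def psexec_fanout(events: list[ProcEvent]) -> dict[str, set[str]]:
    """Map each source host to the set of hosts it targeted with PsExec.

    One admin workstation pushing a binary to many hosts is the deployment
    pattern the article describes; a large set here is the alerting signal.
    """
    fanout: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        if _base(ev.image) in PSEXEC_CLIENTS:
            m = PSEXEC_TARGET_RE.search(ev.cmdline)
            if m:
                fanout[ev.host].add(m.group(1).lower())
    return dict(fanout)


# Constructed sample telemetry (not real logs); the password is redacted.
SAMPLE_EVENTS = [
    ProcEvent("SRV01", "CORP\\svc_backup", r"C:\Windows\System32\vssadmin.exe",
              "vssadmin.exe delete shadows /all /quiet", r"C:\Windows\System32\cmd.exe"),
    ProcEvent("WS07", "CORP\\jdoe", r"C:\Windows\System32\vssadmin.exe",
              "vssadmin list shadows", r"C:\Windows\System32\cmd.exe"),
    ProcEvent("SRV01", "CORP\\admin", r"C:\Tools\PsExec.exe",
              r"psexec.exe \\WS07 -u CORP\admin -p ******** -d -c delfiletype.exe",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent("WS07", "NT AUTHORITY\\SYSTEM", r"C:\Windows\sqlsrvtmg1.exe",
              "sqlsrvtmg1.exe", r"C:\Windows\PSEXESVC.exe"),
    ProcEvent("SRV01", "CORP\\admin", r"C:\Tools\PsExec.exe",
              r"psexec.exe \\FS02 -u CORP\admin -p ******** -d -c sqlsrvtmg1.exe",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent("WS07", "CORP\\jdoe", r"C:\Windows\System32\notepad.exe",
              "notepad.exe notes.txt", r"C:\Windows\explorer.exe"),
]


if __name__ == "__main__":
    for host, rule, cmd in scan(SAMPLE_EVENTS):
        print(f"{host:6} {rule:28} {cmd}")
    for src, targets in psexec_fanout(SAMPLE_EVENTS).items():
        print(f"{src} pushed binaries to {len(targets)} host(s): {sorted(targets)}")
```

The rules are deliberately narrow: `vssadmin list shadows` and ordinary administrative PsExec use do not match on their own, but a PsExec event that carries one of the dropper names trips two rules at once, and a child of PSEXESVC.exe running under one of those names on the target completes the picture from both sides.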
Once these preparations are complete, the ransomware encrypts the files on the system with the AES algorithm, renames the encrypted files with the extension .encrypted.RSA, and displays a ransom note informing users what happened to their files, after which the ransomware deletes itself from the system.
Researchers also noticed that the operators initially used a WordPress site for their decryption service and later moved it to a Tor site in an attempt to remain anonymous.
The majority of Samas infections were detected in North America, with a few instances in Europe; other regions, including India in Asia, have also been affected.
To prevent infection, Microsoft recommends that users and administrators use Windows Defender on Windows 10 as their antimalware scanner, ensure that MAPS (Microsoft Active Protection Service, Defender's cloud-based protection) is enabled, enforce strong password policies, disable Office macros, and keep software up to date. Given the infection chain described above, patching internet-facing JBoss and other application servers and limiting where administrative credentials can be used are the controls that cut off the entry point and the PsExec-based spread.
Ransomware has emerged as one of the biggest threats because it has the ability to provide cybercriminals with potentially high gains with minimal effort.