Apache Struts Vulnerability Being Exploited by Attackers

March 14, 2017 | Jaime Blasco

Normally new variants of ransomware families aren't particularly interesting.

SamSam, however, is different. Whereas most ransomware is automatically propagated, SamSam is deployed manually.

In addition, the group behind SamSam charges very high ransoms because of the amount of effort invested in their operations, which made them the subject of two FBI Alerts last year.

The attacks seem to peak in waves as campaigns distributing SamSam are executed. A notable recent example was a large hospital in New York that was hit with SamSam in April. The hospital declined to pay the attackers the $44,000 ransom demanded. It took a month for the hospital’s IT systems to be fully restored.

Defending against SamSam is more akin to defending against a targeted attack than against typical opportunistic ransomware. SamSam attackers are known to:

  • Gain remote access through traditional attacks, such as JBoss exploits
  • Deploy web-shells
  • Connect to RDP over HTTP tunnels such as ReGeorg
  • Run batch scripts to deploy the ransomware over machines
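One of the behaviours in the list above, an HTTP tunnel such as ReGeorg carrying RDP, has a recognisable shape in web server access logs: a single client sending a long burst of small POST requests to one server-side script. The script below is an added example written for this post, not code from AlienVault, AT&T or any tool mentioned here. It parses Combined Log Format lines and flags (client, script) pairs that exceed a POST-volume threshold inside a sliding time window. The log lines it scans are constructed, and the thresholds (20 POSTs within 5 minutes) and the list of script extensions are assumptions to tune per environment.

```python
# Added example: heuristic for ReGeorg-style HTTP tunnels in web access logs.
# Constructed sample data and assumed thresholds; not from the original post.
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined Log Format parser (client IP, timestamp, request line, status, size).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Server-side script extensions a tunnel endpoint is typically dropped as (assumption).
SCRIPT_EXT = (".jsp", ".jspx", ".aspx", ".ashx", ".php")


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore the query string
    return rec


def find_tunnel_candidates(lines, min_posts=20, window_seconds=300):
    """Flag (client, script) pairs with >= min_posts POSTs inside any window.

    A tunnel proxies a TCP session over many small HTTP requests, so the
    tell-tale is sustained volume to one script, not any single request.
    """
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["path"].lower().endswith(SCRIPT_EXT):
            continue
        posts[(rec["ip"], rec["path"])].append(rec["ts"])

    alerts = []
    for (ip, path), stamps in posts.items():
        stamps.sort()
        best, j = 0, 0
        for i, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while (ts - stamps[j]).total_seconds() > window_seconds:
                j += 1
            best = max(best, i - j + 1)
        if best >= min_posts:
            alerts.append({"ip": ip, "path": path, "posts_in_window": best,
                           "first_seen": stamps[0].isoformat(),
                           "last_seen": stamps[-1].isoformat()})
    return alerts


def build_sample_log():
    """Constructed log: ordinary browsing plus one simulated tunnel burst."""
    base = datetime(2017, 3, 10, 9, 20, 0, tzinfo=timezone.utc)

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).strftime(TS_FMT)

    lines = [
        f'10.0.0.5 - - [{stamp(-480)}] "GET /index.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
        f'10.0.0.5 - - [{stamp(-470)}] "POST /login.jsp HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
        f'203.0.113.7 - - [{stamp(-5)}] "GET /tunnel.jsp?cmd=connect HTTP/1.1" 200 12 "-" "python-requests/2.13"',
    ]
    # 40 small POSTs to one script within two minutes: the shape of a tunnelled session
    for n in range(40):
        lines.append(f'203.0.113.7 - - [{stamp(3 * n)}] "POST /tunnel.jsp HTTP/1.1" 200 64 "-" "python-requests/2.13"')
    return lines


if __name__ == "__main__":
    for alert in find_tunnel_candidates(build_sample_log()):
        print(alert)
```

Run it on a real access log with `find_tunnel_candidates(open("access.log").readlines())`. The single login POST never reaches the threshold, while the burst to `/tunnel.jsp` does; a hit is a lead for checking whether that script is a legitimate part of the application or a dropped web shell.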

Earlier this week, ID Ransomware spotted new variants of the SamSam ransomware. A review of the code (which decompiles cleanly with the tool ILSpy) indicates that little has changed, apart from some updates to the ransom note:

[Figure: SamSam ransom note from the new variant]

The ransom the victims must pay to recover their files is hardcoded in the malware. In this attack, it was:

  • 1.7 Bitcoin ($4,600) for a single machine
  • 6 Bitcoins ($16,400) for half the machines (allowing the victim to confirm they can recover their files)
  • 12 Bitcoins ($32,800) for all of the machines

The most recent attacks appear to have been successful, at least from the attackers' point of view. The Bitcoin address associated with this week’s attacks has received $33,000.

[Figure: SamSam attacks are netting good money]

[Figure: SamSam Bitcoin address results]

[Figure: SamSam decryption requires space]

These new variants remind us that we must remain vigilant and use the latest threat indicators to detect new strains of existing malware. You can view the associated indicators in OTX.

Update: Vallejo has published an analysis on this sample of SamSam.


About the Author: Jaime Blasco

Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AT&T Cybersecurity, Jaime leads the Alien Labs Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AT&T, Jaime was Chief Scientist at AlienVault. Prior to that, he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.
