A campaign involving the SamSam Ransomware, an encryption ransomware Trojan, is focused on attacking hospitals. The SamSam Ransomware, also known as Samas or MSIL.B/C, is being distributed through compromised servers, which are then used to compromise other computers on the same network. This means that the SamSam Ransomware uses a different attack vector from most current ransomware Trojans, which are distributed through phishing email messages and similar techniques. The majority of the SamSam Ransomware attacks seem to be focused on infecting computers in the healthcare industry.
The SamSam Ransomware Can Endanger a Network Quickly
JexBoss is being used to spread the SamSam Ransomware. JexBoss is an open source tool used to test JBoss application servers for weaknesses. Using this tool, attackers can gain a foothold in a network and start spreading the SamSam Ransomware. From that foothold, the SamSam Ransomware can be spread to multiple Windows computers on the affected network. Once a computer has been attacked, the SamSam Ransomware executable runs and begins encrypting files on the victim's computer. The SamSam Ransomware encrypts files with Rijndael (the cipher standardized as AES), then encrypts the Rijndael key with RSA-2048. This makes it impossible for the victim or malware researchers to recover the encrypted files, since the file-encryption key can only be recovered with the matching RSA private key, which the victim does not have. The following are the file extensions that the SamSam Ransomware targets in its attack:
.3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .7z, .ab4, .accdb, .accde, .accdr, .accdt, .ach, .acr, .act, .adb, .ads, .agdl, .ai, .ait, .al, .apj, .arw, .asf, .asm, .asp, .aspx, .asx, .avi, .awg, .back, .backup, .backupdb, .bak, .bank, .bay, .bdb, .bgt, .bik, .bkf, .bkp, .blend, .bpw, .c, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfp, .cgm, .cib, .class, .cls, .cmt, .cpi, .cpp, .cr2, .craw, .crt, .crw, .cs, .csh, .csl, .csv, .dac, .db, .db-journal, .db3, .dbf, .dbx, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .der, .des, .design, .dgc, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .eml, .eps, .erbsql, .erf, .exf, .fdb, .ffd, .fff, .fh, .fhd, .fla, .flac, .flv, .fmb, .fpx, .fxg, .gray, .grey, .gry, .h, .hbk, .hpp, .htm, .html, .ibank, .ibd, .ibz, .idx, .iif, .iiq, .incpas, .indd, .jar, .java, .jin, .jpe, .jpeg, .jpg, .jsp, .kbx, .kc2, .kdbx, .kdc, .key, .kpdx, .lua, .m, .m4v, .max, .mdb, .mdc, .mdf, .mef, .mfw, .mmw, .moneywell, .mos, .mov, .mp3, .mp4, .mpg, .mrw, .msg, .myd, .nd, .ndd, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nwb, .nx2, .nxl, .nyf, .oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .oil, .orf, .ost, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pab, .pages, .pas, .pat, .pbl, .pcd, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .php, .php5, .phtml, .pl, .plc, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prf, .ps, .psafe3, .psd, .pspimage, .pst, .ptx, .py, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .r3d, .raf, .rar, .rat, .raw, .rdb, .rm, .rtf, .rw2, .rwl, .rwz, .s3db, .sas7bdat, .say, .sd0, .sda, .sdf, .sldm, .sldx, .sql, .sqlite, .sqlite3, .sqlitedb, .sr2, .srf, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .std, .sti, .stw, .stx, .svg, .swf, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .tex, .tga, .thm, .tib, .tif, .tlg, .txt, .vob, .wallet, .war, .wav, .wb2, .wmv, .wpd, .wps, .x11, .x3f, .xis, .xla, .xlam, .xlk, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .ycbcra, .yuv, .zip.
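A long, fixed list of targeted extensions is itself a detection opportunity: a process that rewrites many such files within seconds behaves unlike any normal application. The following Python script is an added example (not code from the original article) of that heuristic; the process names, file paths and timestamps are constructed sample telemetry, and the extension set is a small subset of the list above.

```python
from collections import Counter, defaultdict, deque

# Subset of the extensions listed above that the SamSam Ransomware targets.
TARGETED_EXTENSIONS = {
    ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".sql", ".mdb", ".bak", ".zip",
}

def extension_of(path):
    """Lower-cased extension (with the dot) of a Windows or POSIX path, '' if none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""

def find_mass_writers(events, window_seconds=60, threshold=20):
    """Flag processes that modify many distinct targeted files in a short window.

    events: (timestamp_seconds, process_name, path) file-write events in time order.
    Returns {process_name: timestamp} giving the moment each process first reached
    `threshold` distinct targeted-extension files within `window_seconds`.
    """
    recent = defaultdict(deque)       # process -> (ts, path) events still in window
    in_window = defaultdict(Counter)  # process -> path -> occurrences in window
    flagged = {}
    for ts, proc, path in events:
        if extension_of(path) not in TARGETED_EXTENSIONS:
            continue                  # files the ransomware leaves alone are ignored
        queue, counts = recent[proc], in_window[proc]
        while queue and ts - queue[0][0] > window_seconds:
            _, old = queue.popleft()  # slide the window forward
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
        queue.append((ts, path))
        counts[path] += 1
        if proc not in flagged and len(counts) >= threshold:
            flagged[proc] = ts        # first moment the burst crossed the threshold
    return flagged

# Constructed sample telemetry: a word processor saving a few documents over
# minutes, and a hypothetical "encryptor.exe" rewriting 25 spreadsheets in 25 s.
SAMPLE_EVENTS = sorted(
    [(t, "winword.exe", "C:\\Users\\alice\\Documents\\report%d.docx" % t) for t in (5, 40, 90)]
    + [(1000 + i, "encryptor.exe", "C:\\Shares\\finance\\ledger%02d.xlsx" % i) for i in range(25)]
)

if __name__ == "__main__":
    for proc, ts in find_mass_writers(SAMPLE_EVENTS).items():
        print("possible ransomware activity: %s at t=%d" % (proc, ts))
```

In a real deployment the events would come from file-system auditing or an EDR agent, and the full extension list above would replace the subset.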
The SamSam Ransomware will not encrypt the victim's files if the affected operating system is older than Windows Vista. It is self-sufficient and does not require additional downloads to carry out its attack. One of the most threatening aspects of attacks like this is that the threat can spread quickly throughout a network. Rather than affecting a single computer through a phishing email, the SamSam Ransomware can severely disrupt the operations of an entire corporation or government office. In this case, it is being used against targets in the healthcare sector.
The Ransom Demanded by the SamSam Ransomware May Reach Astronomical Sums
The ransom demanded by the SamSam Ransomware has increased steadily. Currently, it demands 1.5 BitCoin per infected system, or 22 BitCoin to decrypt all computers that have been infected; in some cases the per-computer demand has been raised to 1.7 BitCoin. Malware analysts monitoring some of the BitCoin wallets connected to these attacks have observed payments totalling hundreds of thousands of dollars, making the SamSam Ransomware attacks especially lucrative for the people involved.