Posted by Robert Vamosi on March 29, 2016
Ransomware is malicious software that encrypts data until a ransom is paid. Recently there has been a spate of attacks against healthcare organizations. On Monday, Washington-based Medstar Health had to shut down operations because of ransomware.
One variation of ransomware, SamSam, stands out because it skips the user and focuses directly on the network under attack.
The SamSam ransomware campaign, being used against some healthcare providers, is unusual because it takes advantage of remote execution techniques instead of targeting the user. A report from Cisco Talos states that, unlike other ransomware, SamSam does not rely upon user-initiated actions, such as clicking on spam. That means it doesn't have to spearphish its targets.
Instead, SamSam exploits software vulnerabilities on servers within the hospital network. It uses JexBoss, a testing and exploitation framework for the JBoss application server. Once a server has been compromised, the malware moves through the network to compromise more systems, ransoming each.
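As a defensive illustration of the initial-access path described above, here is an added example (not from the article or from Cisco Talos) that scans web server access logs for requests to the JBoss management and invoker endpoints that tools such as JexBoss probe. The endpoint paths, the Common Log Format layout and the sample log lines are assumptions constructed for this example.

```python
import re
from collections import Counter

# Management and invoker endpoints served by older JBoss releases (assumption:
# the article does not list them; these are the paths such tools typically probe).
JBOSS_ADMIN_PATHS = (
    "/jmx-console/",
    "/web-console/",
    "/admin-console/",
    "/invoker/JMXInvokerServlet",
    "/invoker/EJBInvokerServlet",
)

# Common Log Format: host ident user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def parse_line(line):
    """Parse one CLF access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, ts, method, path, status = m.groups()
    return {"src": src, "ts": ts, "method": method, "path": path, "status": int(status)}

def is_jboss_admin_request(path):
    return any(path.startswith(p) for p in JBOSS_ADMIN_PATHS)

def find_suspicious(lines):
    """Return (per-source hit counter, matching events) for requests to JBoss admin paths."""
    events, hits = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_jboss_admin_request(rec["path"]):
            events.append(rec)
            hits[rec["src"]] += 1
    return hits, events

def high_priority(events):
    """Successful POSTs to an invoker servlet: the pattern of a deserialization-style exploit landing."""
    return [e for e in events if e["method"] == "POST" and e["status"] == 200 and "/invoker/" in e["path"]]

# Constructed sample access log (not taken from any real incident).
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Mar/2016:10:01:02 +0000] "GET /app/index.jsp HTTP/1.1" 200 5120',
    '203.0.113.7 - - [29/Mar/2016:10:01:09 +0000] "GET /jmx-console/ HTTP/1.1" 200 1834',
    '203.0.113.7 - - [29/Mar/2016:10:01:11 +0000] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 412',
    '203.0.113.7 - - [29/Mar/2016:10:01:12 +0000] "HEAD /web-console/ HTTP/1.1" 404 0',
    '10.0.0.9 - - [29/Mar/2016:10:02:00 +0000] "GET /app/login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    hits, events = find_suspicious(SAMPLE_LOG)
    for src, n in hits.most_common():
        print(f"{src}: {n} request(s) to JBoss management/invoker endpoints")
    for e in high_priority(events):
        print(f'  HIGH {e["ts"]} {e["src"]} {e["method"]} {e["path"]} -> {e["status"]}')
```

Any hit at all on these paths from outside an administrative allowlist is worth an alert, since such consoles should not be reachable from the general network; the successful POST to the invoker servlet is the event to escalate first.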
SamSam uses RSA-2048 encryption, making it virtually impossible to decrypt the data without the attackers' private key. It also doesn't phone home; the ransomware is entirely self-contained.
The ransom demanded to decrypt the compromised data has varied, according to Cisco, starting at 1 bitcoin per infected PC, rising to 1.5 bitcoin or even 1.7 bitcoin per PC, with bulk decryption for all infected systems at 22 bitcoin. One bitcoin is currently worth $412 (US).
At this time it remains unclear whether the Medstar Health ransomware is SamSam or some other strain.