Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Samas Ransomware Uses Pen Testing Tools for Delivery

A fairly new piece of ransomware has been found leveraging pen-testing/attack tools for a more targeted approach of getting installed on compromised systems, Microsoft researchers warn.

A fairly new piece of ransomware has been found leveraging pen-testing/attack tools for a more targeted approach of getting installed on compromised systems, Microsoft researchers warn.

Dubbed Samas (Ransom:MSIL/Samas), this piece of malware surfaced in the last quarter when Microsoft’s researchers noticed that it requires additional tools and components during deployment. It all starts with a pen-testing/attack server that searches for potentially vulnerable networks to exploit, but the result is the same as with other ransomware: user’s files end up encrypted.

Microsoft Malware Protection Center (MMPC) researcher Marianne Mallen explains that a publicly-available tool called reGeorg is used for tunneling, and that the actors behind this ransomware also use Java-based vulnerabilities such as direct use of unsafe Java Native Interface (JNI) with outdated JBOSS server applications.

Additionally, the malware operators were observed using information-stealing malware such as Derusbi/Bladabindi to gather login credentials. All of the stolen credentials are listed in a text file, and used to deploy the malware and its components through a tool called PsExec (psexec.exe), which lets users execute programs on remote systems.

The deployment is performed through batch files detected by Microsoft as Trojan:BAT/Samas.B and Trojan:BAT/Samas.C, with the former also used to delete the shadow files through the vssadmin.exe tool. There is also a Trojan:MSIL/Samas.A malicious application involved.

Ransom:MSIL/Samas Infection Process

 

Samas was designed to search for specific file extensions that are related to backup files in the system and delete them. The Trojan also makes sure that these files are not locked up by other processes by simply terminating these processes, thus ensuring that it can perform its operation unhindered.

Once all of the initial operations were performed, Microsoft explained, the Samas ransomware starts encrypting files in the system using the AES algorithm. It also renames the encrypted files with extension encrypted.RSA and displays a ransom note to inform users what happened to their files, after which the ransomware also deletes itself from the system.

Interestingly, researchers noticed that, while the ransomware initially used WordPress as its decryption service site, it then moved to a more obscure Tor site in an attempt to remain anonymous.

While reputable anti-malware solutions should be able to detect this threat, users and system administrators can employ additional security measures to prevent infection. These include strong password policies, disabled Office macros, and always up-to-date software, which ensures that malicious programs cannot exploit already patched vulnerabilities.

Ransomware has emerged as one of the biggest threats as of late, fueled by the proliferation of ransom-as-a-service (RaaS) and because it can provide cybercriminals with potentially high gains with minimal effort.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.