Connect with us

Hi, what are you looking for?



Samas Ransomware Uses Pen Testing Tools for Delivery

A fairly new piece of ransomware has been found leveraging pen-testing/attack tools for a more targeted approach of getting installed on compromised systems, Microsoft researchers warn.

A fairly new piece of ransomware has been found leveraging pen-testing/attack tools for a more targeted approach of getting installed on compromised systems, Microsoft researchers warn.

Dubbed Samas (Ransom:MSIL/Samas), this piece of malware surfaced in the last quarter when Microsoft’s researchers noticed that it requires additional tools and components during deployment. It all starts with a pen-testing/attack server that searches for potentially vulnerable networks to exploit, but the result is the same as with other ransomware: user’s files end up encrypted.

Microsoft Malware Protection Center (MMPC) researcher Marianne Mallen explains that a publicly-available tool called reGeorg is used for tunneling, and that the actors behind this ransomware also use Java-based vulnerabilities such as direct use of unsafe Java Native Interface (JNI) with outdated JBOSS server applications.

Additionally, the malware operators were observed using information-stealing malware such as Derusbi/Bladabindi to gather login credentials. All of the stolen credentials are listed in a text file, and used to deploy the malware and its components through a tool called PsExec (psexec.exe), which lets users execute programs on remote systems.

The deployment is performed through batch files detected by Microsoft as Trojan:BAT/Samas.B and Trojan:BAT/Samas.C, with the former also used to delete the shadow files through the vssadmin.exe tool. There is also a Trojan:MSIL/Samas.A malicious application involved.

Ransom:MSIL/Samas Infection Process


Samas was designed to search for specific file extensions that are related to backup files in the system and delete them. The Trojan also makes sure that these files are not locked up by other processes by simply terminating these processes, thus ensuring that it can perform its operation unhindered.

Advertisement. Scroll to continue reading.

Once all of the initial operations were performed, Microsoft explained, the Samas ransomware starts encrypting files in the system using the AES algorithm. It also renames the encrypted files with extension encrypted.RSA and displays a ransom note to inform users what happened to their files, after which the ransomware also deletes itself from the system.

Interestingly, researchers noticed that, while the ransomware initially used WordPress as its decryption service site, it then moved to a more obscure Tor site in an attempt to remain anonymous.

While reputable anti-malware solutions should be able to detect this threat, users and system administrators can employ additional security measures to prevent infection. These include strong password policies, disabled Office macros, and always up-to-date software, which ensures that malicious programs cannot exploit already patched vulnerabilities.

Ransomware has emerged as one of the biggest threats as of late, fueled by the proliferation of ransom-as-a-service (RaaS) and because it can provide cybercriminals with potentially high gains with minimal effort.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...