Hackers are escalating recent attacks against hospitals with new strains of server-side ransomware dubbed SamSam and Maktub. Unlike traditional ransomware samples that rely on gullible users to click on a malware-infected email attachment or visit a booby-trapped website, this new breed of ransomware is installed once attackers have exploited unpatched server vulnerabilities. To date, only hospitals have been targeted with these two malware samples.
“In the past, ransomware like CryptoLocker and TeslaCrypt required someone to open an email attachment or visit a site,” said Craig Williams, senior technical leader for Cisco Talos. “SamSam targets vulnerable servers. Those are always up and always potentially vulnerable.”
This new method of attack, security experts say, is highly effective at going undetected and uniquely suited to cause maximum damage to a company’s internal infrastructure.
According to Williams, SamSam is able to penetrate a hospital’s network by exploiting known vulnerabilities in a company’s unpatched servers. Once the attackers gain access to the network, Williams said, hackers identify key data systems to encrypt. “This isn’t like Jim in accounting having his laptop encrypted by ransomware. SamSam targets the servers and systems that run a hospital,” Williams said.
“The SamSam campaign is unusual in that it is taking advantage of remote execution techniques instead of targeting the user,” wrote Cisco Talos in its analysis of SamSam. “Adversaries are exploiting known vulnerabilities in unpatched JBoss servers before installing a web shell, identifying further network connected systems, and installing SamSam ransomware to encrypt files on these devices.”
Cisco Talos explains it has documented attackers leveraging JexBoss, an open source tool for testing and exploiting JBoss application servers. This allows attackers to gain access to a hospital’s network. “Once they have access to the network they proceed to encrypt multiple Windows systems using SamSam.”
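The chain Talos describes (probe an unpatched JBoss server, drop a web shell, move on to other systems) leaves a trace in the web server's access log before any file is encrypted. The following is an added detection example, not code from Talos or Check Point: it parses constructed Apache-style access-log lines and flags requests to well-known JBoss management/invoker paths (`/jmx-console`, `/web-console`, `/invoker/JMXInvokerServlet`, `/invoker/EJBInvokerServlet`, `/admin-console`, assumed here as the surfaces such tools probe), JSP requests outside the application's own paths (a constructed allowlist), and scripted clients, then reports any source that hits a management endpoint and later requests a stray JSP, which is the web-shell pattern the article mentions.

```python
import re
from collections import defaultdict

# Apache/Tomcat "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Well-known JBoss AS management/invoker paths (assumption: these are the
# surfaces that unpatched-JBoss exploitation tooling probes). Any request to
# them from outside an admin network deserves an alert on its own.
JBOSS_MGMT_PREFIXES = (
    "/jmx-console", "/web-console", "/invoker/JMXInvokerServlet",
    "/invoker/EJBInvokerServlet", "/admin-console",
)

# Constructed allowlist: where the real application legitimately serves JSPs.
KNOWN_APP_PREFIXES = ("/app/",)

# Constructed sample log lines (not from the article or any real incident).
SAMPLE_LOG = """\
10.0.0.5 - - [28/Mar/2016:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Mar/2016:10:02:11 +0000] "GET /jmx-console/ HTTP/1.1" 200 2210 "-" "python-requests/2.9.1"
203.0.113.7 - - [28/Mar/2016:10:02:15 +0000] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 512 "-" "python-requests/2.9.1"
203.0.113.7 - - [28/Mar/2016:10:02:20 +0000] "GET /shell.jsp HTTP/1.1" 200 88 "-" "python-requests/2.9.1"
10.0.0.9 - - [28/Mar/2016:10:03:00 +0000] "GET /app/patients HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Return the list of heuristic reasons this request looks suspicious (empty if none)."""
    reasons = []
    bare = entry["path"].split("?", 1)[0]
    if any(bare.startswith(p) for p in JBOSS_MGMT_PREFIXES):
        reasons.append("jboss-management-endpoint")
    if bare.lower().endswith(".jsp") and not bare.startswith(KNOWN_APP_PREFIXES):
        reasons.append("jsp-outside-app")
    if entry["ua"].startswith(("python-requests", "curl/")):
        reasons.append("scripted-client")
    return reasons


def analyze(log_text):
    """Group suspicious requests by source IP: {ip: [(method, path, status, reasons), ...]}."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings[entry["ip"]].append(
                (entry["method"], entry["path"], entry["status"], reasons)
            )
    return dict(findings)


def web_shell_chains(findings):
    """IPs that touched a JBoss management endpoint and afterwards fetched a stray JSP."""
    suspects = []
    for ip, events in findings.items():
        seen_mgmt = False
        for _method, _path, _status, reasons in events:
            if "jboss-management-endpoint" in reasons:
                seen_mgmt = True
            if seen_mgmt and "jsp-outside-app" in reasons:
                suspects.append(ip)
                break
    return suspects


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for ip, events in found.items():
        for method, path, status, reasons in events:
            print(f"{ip} {method} {path} {status} -> {', '.join(reasons)}")
    print("web-shell chain suspects:", web_shell_chains(found))
```

Run against real Tomcat/JBoss access logs, the interesting tuning knobs are the allowlist of legitimate JSP paths and whether the management prefixes should ever be reachable from the address ranges you see; a hit on the chain rule is a reason to isolate the host and check for newly written JSP files, not a reason to wait for a ransom note.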
Security experts say hospitals are being singled out because of a perception that they have weak security and rely on antiquated technology. “If you are a hospital and you are not worried about SamSam, you should be,” Williams said. “The odds are good if you’re a hospital the bad guys have already scanned your network and have you on one of their lists.”
But, Williams suspects, hospitals are just the first of what will be many different types of targeted industries.
Security firm Check Point said both SamSam and Maktub are unique in that they don’t rely on a typical command-and-control backend. Instead, both ransomware variants encrypt data on their own and direct those being extorted to WordPress websites reachable only via Tor.
Cisco Talos said that, unlike with other types of ransomware, victims are able to communicate with those perpetrating the ransom. The dialogue allows attackers and victims to negotiate things such as paying for bulk decryption of systems. In one example, Cisco Talos observed pricing that started at 1 Bitcoin to unlock one system, alongside bulk deals that would allow victims to pay a reduced price for decrypting multiple systems at a time.
“Offline encryption is rare among ransomware,” said Gadi Naveh, security researcher at Check Point. He said both SamSam and Maktub encrypt files without any need to communicate with a command and control server. Maktub stands out in that it also compresses data before encrypting it, in an attempt to speed up the encryption process, Check Point wrote in a blog post regarding the ransomware.
Both researchers agree that the attackers behind SamSam and Maktub appear relatively new to extorting money with ransomware. Williams said the SamSam group is pricing its attacks relatively low and scaling up slowly in an attempt to see how much victims will pay.
“This is an evolution of ransomware from what we have seen over the last year,” Naveh said. “We have gone from indiscriminate targeting of individuals via email to entire industries targeted via unpatched server vulnerabilities. I would suspect we will see a lot more of this type of ransomware in the months ahead.”