MSIL/Samas.A/Samsam

MSIL/Samas.A/Samsam targets servers running outdated, vulnerable versions of JBoss, an open-source Java application server. The criminals behind this ransomware campaign scan for and exploit these server-side vulnerabilities to gain entry into a targeted network, using JexBoss, an open-source JBoss testing/exploitation tool, and reGeorg/tunnel.jsp, a web-shell-based tunneling tool, to maintain access once the server is compromised. Once inside, they deliver the payload with psexec.exe and launch samsam.exe to begin encryption. This variant deletes Shadow Volume Copies using vssadmin.exe and wipes free space on the hard drive to hinder file recovery. It also includes a tool that harvests details from Active Directory in order to identify targets, allowing the operators to move laterally through the network and encrypt files on endpoint machines. Files impacted by MSIL/Samas.A/Samsam display encrypted.RSA as their extension. The healthcare sector has been specifically targeted by this variant.

Extensions appended to encrypted file names:
.notfoundrans, .VforVendetta, .theworldisyours, .helpmeencedfiles, .wowwhereismyfiles, .wowreadfordecryp, .powerfulldecrypt, .noproblemwedecfiles, .weareyourfriends, .otherinformation, .letmetrydecfiles, .encryptedyourfiles, .weencedufiles, filegofprencrp, .iaufkakfhsaraf, .cifgksaffsfyghd, .skjdthghh, .ransom, .breeding123, .mention9823, .suppose666, .moments2900, .country82000, .supported2017, .prosperous666, .disposed2017, .myrandsext2017, .loveransisgood

Ransom note file names:
006-READ-FOR-HELLPP.html, 000-PLEASE-READ-WE-HELP.html, CHECK-IT-HELP-FILES.html, 002-HAPPEN-ENCED-FILES.html, HELP-ME-ENCED-FILES.html, 001-PLS-DEC-MY-FILES.html, 000-WOW-READ-FOR-DECRYP.html, WE-MUST-DEC-FILES.html, 000-No-PROBLEM-WE-DEC-FILES.html, TRY-READ-ME-TO-DEC.html, 000-IF-YOU-WANT-DEC-FILES.html, LET-ME-TRY-DEC-FILES.html, 001-READ-FOR-DECRYPT-FILES.html, READ-READ-READ.html, PLEASE-READIT-IF_YOU-WANT.html, F_WANT_FILES_BACK_PLS_READ.html, READ_READ_DEC_FILES.html, 009-READ-FOR-DECCCC-FILESSS.html, PLEASE-README-AFFECTED-FILES.html
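The profile above names three kinds of evidence a responder can look for: vssadmin.exe deleting Shadow Volume Copies, psexec.exe launching samsam.exe, and files or ransom notes carrying the extensions and names listed. The following is an added triage example written for this page; it is not code from the NJCCIC, Talos, or the SamSam operators. The process command lines and file paths it works on are constructed sample data, not real telemetry, and the rule names and the subset of extensions kept in the lists are the author's choices.

```python
"""
Triage of the SamSam tradecraft described above: process-creation evidence
(vssadmin shadow deletion, psexec delivery of samsam.exe) and file-system
evidence (encrypted-file extensions and ransom-note names). Added example;
the log line format and sample paths are constructed, not from a real host.
"""
import re

# Extensions from the profile. ".encrypted.RSA" has two dots, so suffixes are
# matched with endswith() on the lower-cased file name rather than by splitting
# on the last dot. Subset kept short for readability; extend from the page.
SAMSAM_EXTENSIONS = (
    ".encrypted.rsa", ".notfoundrans", ".vforvendetta", ".theworldisyours",
    ".weencedufiles", ".ransom", ".breeding123", ".supported2017",
    ".loveransisgood",
)
SAMSAM_NOTE_NAMES = frozenset({
    "006-READ-FOR-HELLPP.html", "000-PLEASE-READ-WE-HELP.html",
    "HELP-ME-ENCED-FILES.html", "READ-READ-READ.html",
    "PLEASE-README-AFFECTED-FILES.html",
})

# Command-line patterns for the intrusion stages in the write-up. Rule names
# are this example's own labels, not an established taxonomy.
PROCESS_RULES = (
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("psexec_payload_delivery",
     re.compile(r"\bpsexec(\.exe)?\b.*\bsamsam\.exe\b", re.I)),
    ("samsam_execution", re.compile(r"\bsamsam\.exe\b", re.I)),
)


def classify_process_line(cmdline):
    """Return the names of every rule a single process command line matches."""
    return [name for name, rx in PROCESS_RULES if rx.search(cmdline)]


def triage_paths(paths):
    """Split file paths into (encrypted files, ransom notes); others are dropped."""
    encrypted, notes = [], []
    for path in paths:
        # Normalise Windows/UNC separators so the basename is found reliably.
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        if name in SAMSAM_NOTE_NAMES:
            notes.append(path)
        elif name.lower().endswith(SAMSAM_EXTENSIONS):
            encrypted.append(path)
    return encrypted, notes


def triage(process_lines, paths):
    """Combine both views into one summary dict for the responder."""
    hits = {}
    for line in process_lines:
        for rule in classify_process_line(line):
            hits.setdefault(rule, []).append(line)
    encrypted, notes = triage_paths(paths)
    return {"process_hits": hits,
            "encrypted_files": encrypted,
            "ransom_notes": notes}


# Constructed sample data (hostnames, paths and file names are made up).
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet',
    r'psexec.exe \\FILESRV01 -s -d cmd.exe /c C:\Windows\Temp\samsam.exe',
    r'C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt',
]
SAMPLE_PATHS = [
    r'\\FILESRV01\share\Q3-budget.xlsx.encrypted.RSA',
    r'\\FILESRV01\share\HELP-ME-ENCED-FILES.html',
    r'\\FILESRV01\share\patients.csv.weencedufiles',
    r'\\FILESRV01\share\README.txt',
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_CMDLINES, SAMPLE_PATHS), indent=2))
```

The vssadmin and psexec rules are deliberately broad: administrators do run both tools, so treat a hit as a lead to correlate with the JBoss server logs and the file-system evidence rather than as a verdict on its own. Feed the classifier real process-creation records (Sysmon Event ID 4688-style command lines) and the path triage a directory listing of the affected shares.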

  • JBossDeveloper publishes guidance on securing and hardening JBoss.
  • Cisco Talos has published additional analysis of MSIL/Samas.A/Samsam.
  • The NJCCIC is not aware of any decryption tools available for MSIL/Samas.A/Samsam.

One example of the MSIL/Samas.A/Samsam variant. Image Source: TalosIntel