MSIL/Samas.A (also known as Samsam) targets servers running outdated, vulnerable versions of JBoss, an open-source Java application server. The criminals behind this ransomware campaign use JexBoss, an open-source JBoss testing/exploitation tool, together with reGeorg/tunnel.jsp, a tunneling tool, to gain entry into a targeted network by scanning for and exploiting these server-side vulnerabilities. Once inside, they deliver the payload with psexec.exe and launch samsam.exe to begin the encryption process. This variant deletes Volume Shadow Copies with vssadmin.exe and wipes free space on the hard drive to prevent file restoration. It also includes a tool that harvests details from Active Directory to identify further targets, which lets the operators move laterally through the network and encrypt files on endpoint machines. Files encrypted by MSIL/Samas.A/Samsam carry encrypted.RSA as their extension. The healthcare sector has been specifically targeted by this variant.
Extensions appended to encrypted file names:
.notfoundrans, .VforVendetta, .theworldisyours, .helpmeencedfiles, .wowwhereismyfiles, .wowreadfordecryp, .powerfulldecrypt, .noproblemwedecfiles, .weareyourfriends, .otherinformation, .letmetrydecfiles, .encryptedyourfiles, .weencedufiles, filegofprencrp, .iaufkakfhsaraf, .cifgksaffsfyghd, .skjdthghh, .ransom, .breeding123, .mention9823, .suppose666, .moments2900, .country82000
Ransom note file names:
006-READ-FOR-HELLPP.html, 000-PLEASE-READ-WE-HELP.html, CHECK-IT-HELP-FILES.html, 002-HAPPEN-ENCED-FILES.html, HELP-ME-ENCED-FILES.html, 001-PLS-DEC-MY-FILES.html, 000-WOW-READ-FOR-DECRYP.html, WE-MUST-DEC-FILES.html, 000-No-PROBLEM-WE-DEC-FILES.html, TRY-READ-ME-TO-DEC.html, 000-IF-YOU-WANT-DEC-FILES.html, LET-ME-TRY-DEC-FILES.html, 001-READ-FOR-DECRYPT-FILES.html, READ-READ-READ.html, PLEASE-READIT-IF_YOU-WANT.html, F_WANT_FILES_BACK_PLS_READ.html, READ_READ_DEC_FILES.html, 009-READ-FOR-DECCCC-FILESSS.html
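The indicators above are most useful when they are checked mechanically. The following script is an added example, not code from the original page or from any vendor: it matches file names against the extensions and ransom-note names listed above, and flags the process behaviour the description gives (vssadmin shadow-copy deletion, samsam.exe launched through PsExec) in process-creation records. The record layout, the sample events and the sample file names are constructed for illustration; the assumption that PsExec-launched processes appear with PSEXESVC.exe as their parent reflects how PsExec runs its service on the target, and that encrypted.RSA is appended to the original name after a dot is likewise an assumption.

```python
"""Offline triage helpers for the MSIL/Samas.A/Samsam indicators listed above."""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Extensions listed above, lower-cased with the leading dot dropped so the
# one entry written without a dot is matched the same way. The first entry
# is the encrypted.RSA extension from the description (assumed to follow a dot).
ENCRYPTED_SUFFIXES = {s.lower().lstrip(".") for s in [
    ".encrypted.RSA",
    ".notfoundrans", ".VforVendetta", ".theworldisyours", ".helpmeencedfiles",
    ".wowwhereismyfiles", ".wowreadfordecryp", ".powerfulldecrypt",
    ".noproblemwedecfiles", ".weareyourfriends", ".otherinformation",
    ".letmetrydecfiles", ".encryptedyourfiles", ".weencedufiles",
    "filegofprencrp", ".iaufkakfhsaraf", ".cifgksaffsfyghd", ".skjdthghh",
    ".ransom", ".breeding123", ".mention9823", ".suppose666", ".moments2900",
    ".country82000",
]}

# Ransom note file names listed above (matched case-insensitively).
RANSOM_NOTES = {n.lower() for n in [
    "006-READ-FOR-HELLPP.html", "000-PLEASE-READ-WE-HELP.html",
    "CHECK-IT-HELP-FILES.html", "002-HAPPEN-ENCED-FILES.html",
    "HELP-ME-ENCED-FILES.html", "001-PLS-DEC-MY-FILES.html",
    "000-WOW-READ-FOR-DECRYP.html", "WE-MUST-DEC-FILES.html",
    "000-No-PROBLEM-WE-DEC-FILES.html", "TRY-READ-ME-TO-DEC.html",
    "000-IF-YOU-WANT-DEC-FILES.html", "LET-ME-TRY-DEC-FILES.html",
    "001-READ-FOR-DECRYPT-FILES.html", "READ-READ-READ.html",
    "PLEASE-READIT-IF_YOU-WANT.html", "F_WANT_FILES_BACK_PLS_READ.html",
    "READ_READ_DEC_FILES.html", "009-READ-FOR-DECCCC-FILESSS.html",
]}


def classify_file(path: str) -> Optional[str]:
    """Return 'ransom_note', 'encrypted' or None for a file name or full path."""
    base = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if base in RANSOM_NOTES:
        return "ransom_note"
    if any(base.endswith("." + suf) for suf in ENCRYPTED_SUFFIXES):
        return "encrypted"
    return None


def scan_listing(paths: Iterable[str]) -> Dict[str, List[str]]:
    """Group a file listing (e.g. from a share or endpoint) by indicator class."""
    hits: Dict[str, List[str]] = {"ransom_note": [], "encrypted": []}
    for p in paths:
        kind = classify_file(p)
        if kind:
            hits[kind].append(p)
    return hits


# vssadmin invoked to delete shadow copies, e.g. "vssadmin delete shadows /all /quiet".
VSS_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)

# Assumed process-creation record layout: host, parent image, image, command line.
Event = Dict[str, str]


def triage_events(events: Iterable[Event]) -> List[Tuple[str, str, str]]:
    """Return (host, rule, command line) for every event matching a Samsam behaviour."""
    findings = []
    for ev in events:
        image = ev["image"].lower()
        parent = ev["parent"].lower()
        if VSS_DELETE.search(ev["cmdline"]):
            findings.append((ev["host"], "shadow_copy_deletion", ev["cmdline"]))
        if image == "samsam.exe":
            findings.append((ev["host"], "samsam_execution", ev["cmdline"]))
        if parent in ("psexesvc.exe", "psexec.exe"):
            findings.append((ev["host"], "psexec_launched_process", ev["cmdline"]))
    return findings


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS: List[Event] = [
    {"host": "fs01", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"host": "fs01", "parent": "PSEXESVC.exe", "image": "samsam.exe",
     "cmdline": "C:\\Windows\\samsam.exe"},
    {"host": "fs01", "parent": "samsam.exe", "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws07", "parent": "explorer.exe", "image": "vssadmin.exe",
     "cmdline": "vssadmin list shadows"},  # benign: no deletion
]

SAMPLE_FILES = [
    "C:\\Users\\alice\\Documents\\report.docx.encrypted.RSA",
    "\\\\fs01\\share\\invoice.pdf.filegofprencrp",
    "C:\\Users\\alice\\Desktop\\000-PLEASE-READ-WE-HELP.html",
    "C:\\Users\\alice\\Desktop\\notes.txt",
]

if __name__ == "__main__":
    for hit in triage_events(SAMPLE_EVENTS):
        print("process:", hit)
    for kind, paths in scan_listing(SAMPLE_FILES).items():
        print(kind, paths)
```

The file matcher deliberately matches on the suffix rather than on a full extension split, because several of the listed markers are appended after the original extension; the vssadmin rule matches on the command line rather than the image name so that a copied or renamed vssadmin binary is still caught, while a benign `vssadmin list shadows` is not.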