Samas ransomware infects systems across a network and is targeting healthcare organisations
The FBI has reportedly appealed to businesses and IT experts for emergency help in combating a new form of ransomware that attempts to take over entire networks, and which tech security researchers have said is targeting healthcare organisations.
Investigators issued a confidential “Flash” advisory last week that said, “We need your help!”, according to Reuters, which said it obtained the advisory over the weekend.
The FBI warned that a ransomware system known as Samas.A, also called SamSam or MSIL, was using a hacking tool called JexBoss to automate the discovery of vulnerable JBOSS application servers across an organisation’s network, and to install Samas across all of them.
The technique is a step up in seriousness from previous ransomware variants, which typically infect a single system by tricking a user into opening a malicious email attachment, according to security experts. Ransomware encrypts files on a system in such a way that they can’t be recovered without a key provided by the attacker, which is given after the victim pays a set charge.
In the advisory, the FBI reportedly listed indicators that an organisation could have been hit by Samas.
“The FBI is distributing these indicators to enable network defense activities and reduce the risk of similar attacks in the future,” the advisory said, according to Reuters.
The FBI asked organisations to contact its CYWATCH centre if they believe they have been attacked by Samas and appealed for information that might aid in the investigation.
On the rise
The warning is the latest indication of the growing seriousness of ransomware attacks, which have grown in frequency and sophistication after a number of organisations have paid attackers and received access to their files, showing that the technique can be lucrative.
The FBI reportedly distributed a more routine advisory on 18 February that reported on Samas’ activities, only giving technical details on the malware’s operation.
On Wednesday of last week Cisco’s Talos security unit reported that Samas was being used in a “widespread campaign” that was locking down large numbers of systems within organisations’ networks. The FBI’s appeal followed on Friday.
Cisco reported that Samas wasn’t launched using phishing attacks or exploit kits that focus on users, like most ransomware.
“This particular family seems to be distributed via compromising servers and using them as a foothold to move laterally through the network to compromise additional machines which are then held for ransom,” Cisco said in its advisory. “A particular focus appears to have been placed on the healthcare industry.”
Cisco noted several cases in which victims had paid to unlock systems, and said the total amount in the Bitcoin wallets it had found being used by the attackers was at least $115,000 (£80,000), suggesting payment for the decryption of more than 200 systems. In one transaction Cisco found that a victim initially paid to decrypt one PC and followed up by paying for all affected PCs.
Initially Cisco saw 1 bitcoin (about £289) being demanded per affected computer, but later attackers were askign for 1.5 bitcoins.
“It is likely the malware author is trying to see how much people will pay for their files,” Cisco said. “They even added an option for bulk decryption of 22 bitcoin to decrypt all infected systems.”
Security experts have noted a sharp rise in ransomware attacks in recent weeks as attackers have found them a way to make quick profits.
“This technique is proving to be a profitable affair for criminals and will continue to be a threat to the Internet at large until a more profitable technique is discovered,” Cisco said.
The company advised organisations to use a multi-tier security apparatus that scans potential threats multiple times, and urged companies to back up important files.
Several hospitals have recently been hit by another ransomware variant called Locky, with the Hollywood Hospital paying bitcoins worth £12,010 last month to unlock its systems and a Kentucky hospital declaring an ‘Internal State of Emergency’ last week after an infection.
Earlier this month security researchers suggested a number of ransomware attacks may have been carried out by hackers who had previously been employed by the Chinese government and were looking for new ways to make money.
Are you a security pro? Try our quiz!