
SamSam Ransomware

Posted: March 30, 2016

The SamSam Ransomware is a file encryptor distributed through network-focused attacks, particularly against systems in the healthcare industry. Instead of a conventional infection vector, the SamSam Ransomware's operators compromise network accounts to gain access, encrypt the files on the systems they reach, and then sell a decryption process afterward. Relevant organizations should combine strong account protection with good anti-malware tools and regular updates to block SamSam Ransomware attacks, rather than paying its ransom.

Why a Checkup with Sam Bills the Physician

The SamSam Ransomware, also known as Samas, is a file encryptor used in an unusual campaign targeting businesses in the medical industry, such as hospitals. The campaign's signature feature is its strict reliance on compromised network accounts as its install method, which its perpetrators achieve with JBoss-specific hacking tools like JexBoss, a tool for exploiting exposed and unpatched JBoss application servers. Network accounts with weak passwords then serve as the vulnerabilities that grant the hackers access to the rest of the network, potentially infecting multiple machines with the SamSam Ransomware.
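As an added example (not code from this page or from the JexBoss project), the following script checks a JBoss host for the classic management endpoints that such tools probe and reports any that answer without demanding credentials. The endpoint list and the verdict rules are assumptions of the example, and the sample responses it ships with are constructed:

```python
"""Audit a JBoss host for management endpoints reachable without authentication.

Added example for this article; it is not code from the page or from JexBoss.
The endpoint list is the set of classic JBoss AS consoles and invokers that
JexBoss-style tools probe; the verdict rules (2xx without an auth challenge
means exposed) are this script's own assumption.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Classic JBoss AS management endpoints that historically shipped without
# authentication (assumed target list).
JBOSS_PATHS = [
    "/jmx-console/",
    "/web-console/",
    "/admin-console/",
    "/invoker/JMXInvokerServlet",
    "/invoker/EJBInvokerServlet",
]


def classify(status, headers):
    """Turn one probe's HTTP status and lowercased headers into a verdict."""
    if status == 0:
        return "unreachable"
    if status in (401, 403) or "www-authenticate" in headers:
        return "protected"      # the server demanded credentials
    if status == 404:
        return "absent"         # endpoint not deployed
    if 300 <= status < 400:
        return "redirect"       # often a login page; needs a manual look
    if 200 <= status < 300:
        return "exposed"        # content served with no challenge at all
    return "unknown"


def audit(results):
    """Map {path: (status, headers)} to verdicts and a sorted list of exposures."""
    verdicts = {path: classify(status, headers)
                for path, (status, headers) in results.items()}
    exposed = sorted(path for path, verdict in verdicts.items() if verdict == "exposed")
    return verdicts, exposed


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Keep 3xx responses visible instead of silently following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def probe(base_url, timeout=5.0):
    """Request each endpoint on a live host and collect (status, headers)."""
    results = {}
    for path in JBOSS_PATHS:
        req = urllib.request.Request(urljoin(base_url, path), method="GET")
        try:
            with _OPENER.open(req, timeout=timeout) as resp:
                status = resp.status
                headers = {k.lower(): v for k, v in resp.headers.items()}
        except urllib.error.HTTPError as err:      # 3xx/4xx/5xx land here
            status = err.code
            headers = {k.lower(): v for k, v in err.headers.items()}
        except (urllib.error.URLError, OSError):   # refused, timed out, DNS failure
            status, headers = 0, {}
        results[path] = (status, headers)
    return results


# Constructed sample responses standing in for a live probe of a host that
# still exposes the JMX console and the JMX invoker servlet.
SAMPLE_RESULTS = {
    "/jmx-console/": (200, {"content-type": "text/html;charset=ISO-8859-1"}),
    "/web-console/": (401, {"www-authenticate": 'Basic realm="JBoss Web Console"'}),
    "/admin-console/": (302, {"location": "/admin-console/login.seam"}),
    "/invoker/JMXInvokerServlet": (200, {"content-type": "application/x-java-serialized-object"}),
    "/invoker/EJBInvokerServlet": (404, {}),
}

if __name__ == "__main__":
    import sys
    results = probe(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RESULTS
    verdicts, exposed = audit(results)
    for path, verdict in verdicts.items():
        print(f"{verdict:12s} {path}")
    print("EXPOSED:" if exposed else "no unauthenticated management endpoints found", *exposed)
```

Run it with a base URL (for example `python jboss_audit.py http://host:8080`) against servers you are authorized to test; with no argument it evaluates the constructed sample. A "redirect" verdict usually means a login page but should be checked by hand, and an "exposed" verdict deserves the same urgency as a weak administrative password, since either one hands an attacker the deployment interface this campaign abuses.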

The SamSam Ransomware is installed without any attempt at code obfuscation, such as packing or storage inside an archive, leading some sources to speculate that its authors are new to the 'business' of ransomware. Like the MakTub Ransomware, the SamSam Ransomware uses an offline encryption routine and does not need a connection to a remote server to complete its data-encrypting attack, so blocking its network traffic will not halt the encryption once it starts. The SamSam Ransomware encrypts all targeted files with AES (the Rijndael cipher), which is not breakable in practice today, leaving their contents unreadable without the key.

Ransom payments are handled through Web pages where victims pay the SamSam Ransomware's authors for a decryption solution. The SamSam Ransomware's ransom demand has risen over time, from one to one and a half Bitcoins (roughly four to six hundred US dollars at the time). Malware experts note that these ransoms are per machine, although an even more expensive option is available for decrypting an entire network.

Kicking Sam out of the Clinic

The SamSam Ransomware isn't designed with persistence in mind, and current versions of the SamSam Ransomware all self-delete after accomplishing their payloads. However, the con artists can retain network access to all affected systems, along with any administrative privileges provided by the accounts they've previously cracked, so removing the encryptor alone does not end the intrusion. Running the latest version of JBoss, maintaining strong network security overall, and regularly rotating strong account passwords are some of the clearest means of preventing the SamSam Ransomware from spreading. Safe backups, kept where the compromised accounts cannot reach them, can restore any encrypted data and remove any need for a working decryptor.

The SamSam Ransomware's administrators have been actively deleting recent Web page transaction information related to their campaigns. This could be an attempt to deny information to researchers, a simple restructuring of their ransom interface, or even an effort to hide evidence that their Bitcoin-purchased decryptor doesn't provide full data recovery. Whatever the truth, malware researchers encourage exhausting all other recovery options before giving con artists money in return for an uncertain service.

The SamSam Ransomware's campaign targets Windows systems and ignores versions earlier than Vista. However, machines that the encryptor never touches can still be compromised through the associated account hacks, so victims should treat every system reachable from the cracked accounts as exposed and enforce proper security protocols across the whole network.
