Overview:
Samsam is the newest family of ransomware used in targeted attacks, and it has set its sights on the healthcare industry. Typical ransomware victims are infected by clicking on a malicious link, opening an email attachment, or through malvertising. Samsam is unique because it infects servers directly using a vulnerability in Red Hat’s JBoss enterprise products. Attackers use tools like JexBoss, an open-source penetration testing tool, to identify unpatched vulnerabilities in JBoss application servers. Once an attacker infiltrates one of these servers, they install the Samsam ransomware onto the targeted Web application server, spread the ransomware client to Windows machines on the network, and encrypt their files.
As of the end of April 2016, Samsam has targeted a minimum of 58 organizations, including those in the healthcare industry. MedStar Health, a $5 billion healthcare provider that operates 10 hospitals and employs more than 30,000 people in the Maryland and Washington D.C. region, was one of the first to be attacked and received a ransom demand of 45 bitcoins, or US$18,500. Although all operations were brought to a screeching halt, MedStar was fortunate enough not to pay the ransom. Aside from MedStar, the Hollywood Presbyterian Medical Center in Los Angeles was hacked and paid just under $17,000 in ransom, two facilities in Germany were targeted, and the Methodist Hospital in Henderson, Kentucky was also attacked.
Analysis:
SentinelOne detects behaviors specifically used by ransomware, namely scanning the hard drive for files and replacing them with encrypted versions. Given that Samsam is deployed using an exploit, SentinelOne would detect the attack during this phase. The Attack Storyline (image below) shows Samsam being detected by the SentinelOne agent (step 3), preventing files from being unrecoverably encrypted. Moreover, if the initial exploit went undetected, SentinelOne would detect any lateral movement from the compromised server to other servers on the network. SentinelOne’s early detection would catch the Samsam attack before the ransomware is able to run. In addition, Samsam deletes shadow copies, making it impossible for an IT administrator to revert files and applications to their unencrypted state. SentinelOne recognizes this behavior and detects when Samsam is trying to delete shadow copies. Should something slip through the cracks, SentinelOne is able to remediate infected files and roll them back to their pre-encrypted state.
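As an added illustration, not code from the original post or from SentinelOne, the following Python sketch flags the two behaviors the analysis describes, shadow-copy deletion and one process replacing many files with encrypted versions, on constructed Sysmon-style events. The event fields, hostnames, process names and the `.locked` extension are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-style events (not from the original post):
# id 1 = process creation (with command line), id 11 = file creation.
EVENTS = [
    {"time": "2016-04-01T10:00:00", "id": 1, "host": "WEB01", "image": "vssadmin.exe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"time": "2016-04-01T10:00:02", "id": 1, "host": "WEB01", "image": "wmic.exe",
     "cmd": "wmic shadowcopy delete"},
    {"time": "2016-04-01T10:05:00", "id": 1, "host": "WS07", "image": "vssadmin.exe",
     "cmd": "vssadmin list shadows"},  # benign: lists snapshots, deletes nothing
] + [  # one process writing six ".locked" files within five seconds
    {"time": f"2016-04-01T10:01:{i:02d}", "id": 11, "host": "WEB01", "image": "svc.exe",
     "target": f"D:\\share\\doc{i}.docx.locked"} for i in range(6)
] + [  # normal user activity: three documents saved over a minute
    {"time": f"2016-04-01T10:02:{i * 20:02d}", "id": 11, "host": "WS07",
     "image": "winword.exe", "target": f"C:\\Users\\a\\report{i}.docx"} for i in range(3)
]

# Command lines that wipe Volume Shadow Copies, the rollback source Samsam removes.
SHADOW_DELETE = [re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
                 re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)]

def detect_shadow_copy_deletion(events):
    """Return (host, command line) for process launches that delete shadow copies."""
    return [(e["host"], e["cmd"]) for e in events
            if e["id"] == 1 and any(p.search(e["cmd"]) for p in SHADOW_DELETE)]

def detect_mass_encryption(events, window_s=60, threshold=5):
    """One process creating >= threshold files with the same extension inside
    window_s seconds: the 'replace files with encrypted versions' pattern."""
    writes = defaultdict(list)
    for e in events:
        if e["id"] == 11:
            ext = e["target"].rsplit(".", 1)[-1].lower()
            writes[(e["host"], e["image"], ext)].append(datetime.fromisoformat(e["time"]))
    alerts = []
    for (host, image, ext), times in writes.items():
        times.sort()
        for i, start in enumerate(times):  # sliding window over sorted timestamps
            if sum(1 for t in times[i:] if t - start <= timedelta(seconds=window_s)) >= threshold:
                alerts.append((host, image, ext))
                break
    return alerts

if __name__ == "__main__":
    print(detect_shadow_copy_deletion(EVENTS))
    print(detect_mass_encryption(EVENTS))
```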