Samas ransomware enters hospitals through vulnerable servers

There’s hardly a day anymore that we don’t hear about a hospital being hit with ransomware. But while most have been infected via phishing emails carrying or linking to the malware, the latest incidents show a new modus operandi when it comes to malware delivery: compromising servers by leveraging vulnerabilities and spreading the ransomware to Windows machines from there.

Samas ransomware infection workflow. Source: Microsoft

Latest (public) victim

An example of this attack is that which hit US-based not-for-profit healthcare organization MedStar Health, which operates ten hospitals in the Baltimore–Washington area.

According to Ars Technica, the MedStar Union Memorial Hospital in Baltimore is at the center of the attack, and the ransomware has been spread to other MedStar hospitals in Maryland.

The organization announced the attack on March 28, when it said that its IT system was affected by a virus that prevents certain users from logging-in to the system.

“MedStar acted quickly with a decision to take down all system interfaces to prevent the virus from spreading throughout the organization,” they reassured, and in the coming days they repeatedly noted that there was “no evidence that patient information has been compromised or stolen in any way.” They also claimed that the quality of patient care was not affected.

The malware

Curiously enough, MedStar never once said that the malware in question is ransomware, but The Baltimore Sun reporters discovered that it’s Samas (aka MSIL, aka Samsam).

This is the same ransomware that the FBI has been warning US businesses about through several alerts sent out in the last two months or so.

“The February message contained some technicals details but did not call for help. It said that MSIL/Samas.A targets servers running out-of-date versions of a type of business software known as JBOSS,” Reuters reported.

“In its latest report, the FBI said that investigators have since found that hackers are using a software tool dubbed JexBoss to automate discovery of vulnerable JBOSS systems and launch attacks, allowing them to remotely install ransomware on computers across the network.”

The alert also included indicators of compromise to help organizations determine if they have been hit with it.

Cisco researchers published a great write-up about Samsam’s capabilities, and noted that unlike with previous ransomware, this one is self-sufficient. “Once installed on a machine there is no beaconing or C2 activity,” they pointed out.

Microsoft has also warned about the Samas ransomware.

Ransomware: A successful cyber crime business model

“The SamSam campaign is unusual in that it is taking advantage of remote execution techniques instead of targeting the user. Adversaries are exploiting known vulnerabilities in unpatched JBoss servers before installing a web shell, identifying further network connected systems, and installing SamSam ransomware to encrypt files on these devices,” Cisco researchers explained.

They have been following this particular campaign for a while now, and have witnessed the asked-for sum to decrypt one of the affected PCs jump from 1 bitcoin to 1.7 bitcoin. At the time (a week ago), they discovered that the crooks already “earned” themselves over 275 bitcoin (around $115,000).

According to the Baltimore Sun, the attackers are asking from MedStar 3 bitcoins for the decryption key for one infected computer, or 45 bitcoins for the keys for the lot of them.

Whether the organization paid the ransom or not is unknown at this time, but apparently they are close to restoring all their systems and networks.