The Targeted Ransomware
The conventional way ransomware infects systems is through malicious downloaders distributed via drive-by downloads and malicious spam emails. Once a user is infected with a malicious downloader, it downloads additional malware, which often includes crypto-ransomware. The malicious emails carry a variety of file attachments which, if opened, download and run one of the many ransomware variants to start the encryption process. Once the files have been encrypted, a ransom payment is demanded of the victim in order to decrypt the files.
Samsam, unlike more conventional ransomware, is not delivered through drive-by downloads or emails. Instead, the attackers behind Samsam use tools such as Jexboss to identify unpatched servers running Red Hat’s JBoss enterprise products.
Once the attackers have successfully gained entry into one of these servers by exploiting vulnerabilities in JBoss, they use other freely available tools and scripts to collect credentials and gather information on networked computers. Then they deploy their ransomware to encrypt files on these systems before demanding a ransom.
The Samsam ransomware also differs from other ransomware in that the attackers generate the RSA key pair themselves. Most crypto-ransomware contacts a command and control server, which generates an RSA key pair and sends the public key back in order to encrypt files on the infected computers. With Samsam, the attackers generate the key pair offline and upload the public key along with the ransomware to the targeted computers, so no command and control traffic is needed to begin encryption.