Samsam May Signal a New Trend of Targeted Ransomware

A new crypto-ransomware variant may indicate a shift towards targeting businesses with malware that encrypts their files.

Increase in Incidents Involving Ransomware

The Federal Bureau of Investigation (FBI) along with the US-CERT and Canadian Cyber Incident Response Centre (CCIRC) issued warnings about the increase in incidents involving ransomware.


In February 2016, DigiCert highlighted the rise of the Locky ransomware, one of the more prevalent ransomware variants in circulation. Over the last few months, Samsam (also known as Samas or Samsa), a new variant, has been making headlines with the targeted approach it uses to infect systems.



The Targeted Ransomware

Conventionally, ransomware infects systems through malicious downloaders distributed via drive-by downloads and malicious spam emails. Once a user is infected with a malicious downloader, it downloads additional malware, which often includes crypto-ransomware. The malicious emails contain a variety of file attachments which, if opened, download and run one of the many ransomware variants to start the encryption process. Once the files have been encrypted, a ransom payment is demanded of the victim in order to decrypt them.

Samsam, unlike more conventional ransomware, is not delivered through drive-by-downloads or emails. Instead, the attackers behind Samsam use tools such as Jexboss to identify unpatched servers running Red Hat’s JBoss enterprise products.

Once the attackers have successfully gained entry into one of these servers by exploiting vulnerabilities in JBoss, they use other freely available tools and scripts to collect credentials and gather information on networked computers. Then they deploy their ransomware to encrypt files on these systems before demanding a ransom.

The Samsam ransomware also differs from other ransomware in that the attackers generate the RSA key pair themselves. Most crypto-ransomware contacts a command and control server, which generates an RSA key pair and sends the public key back so that files on the infected computers can be encrypted. With Samsam, the attackers generate the key pair and upload the public key along with the ransomware to the targeted computers.

Continued Innovation in Ransomware

Samsam is one more entry in a growing list of ransomware variants, but what sets it apart is how it reaches its intended targets: by way of unpatched server-side software. The key takeaway is the growing trend of criminals directly targeting organizations in ransomware attacks. The success of these recent attacks signals a shift for cybercriminals as they seek to maximize profits by setting their sights on vulnerable businesses.

Ransomware has proven to be a viable business model, so it should come as no surprise that the techniques used have shifted beyond malicious spam and drive-by downloads to those more closely resembling targeted attacks.

Versions of JBoss

Organizations that deploy JBoss enterprise products in their environments should check to see if they are running unpatched versions and if so, patch immediately. According to Red Hat, the following versions of JBoss and later versions are not affected:

  • Red Hat JBoss Enterprise Application Platform (EAP) 5.0.1
  • Red Hat JBoss Enterprise Application Platform (EAP) 4.3 CP08
  • Red Hat JBoss Enterprise Application Platform (EAP) 4.2 CP09
  • Red Hat JBoss SOA-Platform (SOA-P) 5.0.1
  • Red Hat JBoss SOA-Platform (SOA-P) 4.3 CP03
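
The check described above can be run against a software inventory. The following Python sketch is an added example, not code from Red Hat or from this article; the inventory rows, hostnames, version-string format and the handling of branches that the list does not mention are assumptions.

```python
import re

# Minimum unaffected level per product branch, taken from the list above.
# Key: (major, minor); value: (micro, cumulative patch number).
FIXED = {
    "EAP":   {(4, 2): (0, 9), (4, 3): (0, 8), (5, 0): (1, 0)},
    "SOA-P": {(4, 3): (0, 3), (5, 0): (1, 0)},
}

def parse_version(text):
    """Parse strings such as '4.3 CP08' or '5.0.1' into (branch, level)."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    cp = re.search(r"CP(\d+)", text, re.IGNORECASE)
    branch = (int(m.group(1)), int(m.group(2)))
    level = (int(m.group(3) or 0), int(cp.group(1)) if cp else 0)
    return branch, level

def needs_patch(product, version):
    """True when the version is earlier than the listed unaffected release."""
    baselines = FIXED[product]
    branch, level = parse_version(version)
    if branch in baselines:
        return level < baselines[branch]
    # Assumption: a branch newer than every listed branch counts as "later";
    # any other unlisted branch is flagged so that someone reviews it.
    return branch < max(baselines)

def audit(inventory):
    """Return the (host, product, version) rows that need attention."""
    return [row for row in inventory if needs_patch(row[1], row[2])]

# Constructed inventory; hostnames and versions are illustrative only.
INVENTORY = [
    ("app01", "EAP", "4.3 CP07"),
    ("app02", "EAP", "4.3 CP08"),
    ("app03", "EAP", "5.0.0"),
    ("app04", "EAP", "5.1.2"),
    ("soa01", "SOA-P", "4.3 CP03"),
    ("soa02", "SOA-P", "4.2 CP05"),
]

if __name__ == "__main__":
    for host, product, version in audit(INVENTORY):
        print(f"{host}: {product} {version} is below the unaffected baseline")
```

Unlisted older branches are flagged conservatively because the list only names the first unaffected release in each branch.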


DigiCert and Norton products protect against Samsam and its various tools with the following detections:


