{"id":6309,"date":"2017-01-23T15:50:16","date_gmt":"2017-01-23T23:50:16","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/01\/23\/news-147\/"},"modified":"2017-01-23T15:50:16","modified_gmt":"2017-01-23T23:50:16","slug":"news-147","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/01\/23\/news-147\/","title":{"rendered":"No mas, Samas: What’s in this ransomware’s modus operandi?"},"content":{"rendered":"
\n

<\/span>We’ve seen how ransomware managed to become a threat category that sends consumers and enterprise reeling when it hits them.\u00a0 It has become a high-commodity malware that is used as payload to spam email, macro malware, and exploit kit campaigns. It also digs onto victims’ pockets in exchange for recovering files from their encrypted form.\u00a0 This is where Crowti<\/a>, Tescrypt<\/a>, Teerac<\/a>, and Locky<\/a> have been very active at.<\/p>\n

We’ve also observed some malware authors providing a different method of distribution in the black market called ransom-as-a-service (RaaS). \u00a0Malicious actors use RaaS to download the ransomware app builder and customize them accordingly.\u00a0 We’ve seen two threats, Sarento<\/a> and Enrume<\/a>, built through this type of service and deployed to infect machines during the second half of 2015.<\/p>\n

 <\/p>\n

How Samas is different from other ransomware?<\/h2>\n

 <\/p>\n

Ransom:MSIL\/Samas<\/a>, which surfaced in the past quarter, has a different way of getting into the system \u2013 it has a more targeted approach of getting installed.\u00a0 We have observed that this threat requires other tools or components to aid its deployment:<\/p>\n<\/p><\/div>\n

<\/div>\n

\"\"<\/a><\/p>\n

Figure 1:\u00a0 Ransom:MSIL\/Samas infection chain\u00a0<\/em><\/p>\n

Samas ransomware’s tools of trade<\/h2>\n

 <\/p>\n

The Samas infection chain diagram illustrates how Ransom:MSIL\/Samas<\/a> gets into the system.\u00a0\u00a0 It starts with a pen-testing\/attack server searching for potential vulnerable networks to exploit with the help of a publicly-available tool named reGeorg, which is used for tunnelling.<\/p>\n

Java-based vulnerabilities were also observed to have been utilized, such as\u00a0CVE-2010-0738<\/a> related to outdated JBOSS server applications.<\/p>\n

It can use other information-stealing malware (Derusbi<\/a>\/Bladabindi<\/a>) to gather login credentials as well.\u00a0 When it has done so, it will list the stolen credentials into a text file, for example, list.txt<\/strong>, and use this to deploy the malware and its components through a third party tool named psexec.exe<\/strong> through batch files that we detect as Trojan:BAT\/Samas.B<\/a> and Trojan:BAT\/Samas.C<\/a>.<\/p>\n

One of the batch files that we detect as Trojan:Bat\/Samas.B<\/a> also deletes the shadow files through the vssadmin.exe<\/strong> tool.<\/p>\n

Trojan:MSIL\/Samas.A usually takes\u00a0 the name of delfiletype.exe<\/strong> or sqlsrvtmg1.exe <\/strong>and does the following:<\/p>\n

    \n
  1. Look for certain file extensions that are related to backup files in the system.<\/li>\n
  2. Make sure they are not being locked up by other processes, otherwise, the trojan terminates such processes.<\/li>\n
  3. Delete the backup files.<\/li>\n<\/ol>\n

    Ransom:MSIL\/Samas<\/a> demonstrates typical ransomware behavior\u00a0by encrypting files in the system using AES algorithm and renaming the encrypted file with extension encrypted.RSA<\/strong>. <\/em>It displays the ransom note when it has encrypted the files and will delete itself with the help of a binary in its resource named del.exe<\/strong>.<\/p>\n

    \"\"<\/p>\n

    Figure 2: Click to enlarge the image so you can see the Samas ransom message clearly.<\/em><\/p>\n

     <\/p>\n

    So far, we’ve seen a new <\/span><\/span> Ransom:MSIL\/Samas<\/span><\/a><\/span> variant that shows signs of changing its code from the simple ASCII strings to more hex encoded characters possibly to better evade detection from security vendors.\u00a0 An example below shows that the files extension names to encrypt has been converted to hex strings:<\/span><\/span><\/p>\n

    \"\"<\/a>
    Figure 3:\u00a0 Version 1 – Ransom:MSIL\/Samas.A<\/em><\/p>\n

     <\/p>\n

    \"\"<\/p>\n

    Figure 4: Version 2 – Ransom:MSIL\/Samas.B<\/em><\/p>\n

     <\/p>\n

    It has also changed from using WordPress as its decryption service site, hxxps:\/\/lordsecure4u.wordpress.com<\/em>, and moved on to a more obscure Tor site to help anonymize itself, hxxp:\/\/wzrw3hmj3pveaaqh.onion\/diana<\/em>.<\/p>\n

    \"\"<\/p>\n

    Figure 5: Majority of the Ransom:MSIL\/Samas infections are detected in North America, and a few instances in Europe<\/em><\/p>\n

     <\/p>\n

    Mitigation and prevention<\/h2>\n

    But yes, you can say no mas (translation from Spanish: no more) to Samas ransomware. <\/span><\/p>\n

    To help prevent yourself from falling prey to Samas or other ransomware attacks, use <\/span> Windows Defender<\/span><\/a> for Windows 10<\/span>\u00a0as your antimalware scanner, and <\/span> ensure that MAPS has been enabled<\/span><\/a>.<\/span><\/p>\n

    Though ransomware and macro-based malware are on the rise, there’s still something that you or your administrators can proactively do: <\/span><\/p>\n

    \n