Threat Spotlight – Samsa/Samsam Ransomware

The Samsa ransomware family has recently been observed in conjunction with several notable and high profile attacks. Also known as ‘Samas’ and ‘SamSam,’ this particular ransomware’s targeting appears to focus primarily on the healthcare industry, but confusingly, there are Samsa campaigns that deviate from that focus as well. While many outlets are speculating on which attacks are associated with this threat family and which are not, we would like to focus on one of the more intriguing aspects of the attacks.

One thing that has become clear recently is that the actors behind Samsa are taking a unique and ‘hands-on’ approach to their targets/victims. That fact alone sets these campaigns apart from most of the others that have hit the news lately. We’ll go into some high level detail on that at a later date, along with releasing a more detailed analysis of this threat family and the actors behind it. 

With this update, we aim to show our customers and the public that, as with other recent and equally destructive threats, CylancePROTECT is able to entirely prevent execution of the ransomware and stop Samsa cold. Cylance’s technology is 100% effective in preventing known Samsa executables from running, and all risk to critical files and data is mitigated. We accomplish all this with an approach above and beyond traditional signature-based AV products, which are in a constant industry-wide game of ‘catch-up’.

Samsa Attack Methodology – High-Level Overview

As stated previously, the approach used by the attackers in these campaigns is far more involved than other ‘ransomware-centric’ attacks that have hit the news lately. For starters, Samsa employs multiple tools for its initial infection, lateral movement and reconnaissance. There are also different variants of the encryption frameworks used over time, as well as across different victim environments.  

Initial access is gained by compromising external-facing servers, for example by exploiting unpatched vulnerabilities on web or authentication servers whose interfaces are exposed to the Internet. This approach differs from other ransomware variants like Locky and Petya in that the point of entry is not a phish/spear-phish email. Once the attackers have gained entry by way of the vulnerable service of their choosing, they use a variety of standard Windows commands, benign tools, and custom-built tools to move laterally and establish persistence.

In several of the environments Cylance analyzed, the first compromised host was used to scan and map out the internal network and plan the next set of movements within, as well as determine what options were available with regards to internal exploitation and manipulation. Often, artifacts of this activity were present in the compromised machine in the form of sets of batch files, SQL scripts, and data files that recorded the output of these actions:

Figure 1: Samsa artifacts 1

Figure 2: Samsa artifacts 2

Figure 3: Samsa artifacts 3

Figure 4: Samsa artifacts 4

Once internal hosts are identified and accessible, the next stage of infection begins. A keypair is generated for each host targeted, and the public key, along with required scripts and the ransomware binaries themselves, is distributed.

In some environments, we observed the use of standard tools, such as psexec.exe, to launch the ransomware binaries (Samsam.exe). There are reports of Volume Shadow Copy Service (VSS) data being deleted. The examples provided in FBI FLASH MC-000070-MW[1] do in fact confirm this functionality.
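Two of the behaviours described above, binaries launched remotely through psexec and Volume Shadow Copy data being deleted, leave traces in process-creation telemetry that a defender can look for. The script below is an added example, not part of the original post or Cylance's tooling; the log format (one record per line, key=value fields) and the sample records are constructed for illustration.

```python
"""Flag process-creation records matching two Samsa-style behaviours:
a process whose parent is the PsExec service (remote launch), and a
command line that deletes Volume Shadow Copies."""
import re
from typing import Dict, List

# Constructed sample telemetry; values with spaces are quoted.
SAMPLE_LOG = """\
host=SRV01 parent=C:\\Windows\\PSEXESVC.exe image=C:\\Windows\\Temp\\samsam.exe cmdline="samsam.exe"
host=SRV01 parent=C:\\Windows\\System32\\cmd.exe image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin delete shadows /all /quiet"
host=WS07 parent=C:\\Windows\\explorer.exe image="C:\\Program Files\\App\\app.exe" cmdline="app.exe"
host=SRV02 parent=C:\\Windows\\System32\\cmd.exe image=C:\\Windows\\System32\\wbem\\WMIC.exe cmdline="wmic shadowcopy delete"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> Dict[str, str]:
    """Split one key=value record into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def remote_psexec_launch(rec: Dict[str, str]) -> bool:
    # PSEXESVC.exe is the service PsExec installs on the target host; any child
    # of it was started remotely. Legitimate admin use matches too, so treat
    # hits as leads to correlate with the image path, not as a verdict.
    return rec.get("parent", "").lower().endswith("psexesvc.exe")


def shadow_copy_deletion(rec: Dict[str, str]) -> bool:
    # Covers both vssadmin and WMI forms of shadow copy removal.
    cmd = rec.get("cmdline", "").lower()
    return ("vssadmin" in cmd and "delete" in cmd and "shadows" in cmd) or (
        "shadowcopy" in cmd and "delete" in cmd)


def find_alerts(log_text: str) -> List[Dict[str, str]]:
    alerts = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not rec:
            continue
        for rule, check in (("psexec_remote_launch", remote_psexec_launch),
                            ("shadow_copy_deletion", shadow_copy_deletion)):
            if check(rec):
                alerts.append({"host": rec["host"], "rule": rule, "image": rec["image"]})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```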

The Test: CylancePROTECT vs. Samsa

Regardless of the methodology involved, the end result of a Samsa infection is the same: malicious executables are allowed to run on the compromised victim hosts. Traditional antivirus (AV) products and other signature-based technologies have a very low detection rate on this particular threat family. It takes days, if not weeks, for their signatures to finally catch up, which, as we know, is days or weeks too late. When ransomware executes on your machine, a waiting time of even a fraction of a second is too late. When a new ransomware variant is released, you simply can’t afford to wait a day or longer for your traditional AV vendor to analyze files returned by their infected clients, manually create a signature ‘antidote’ to that variant, and release it, which is in essence how traditional antivirus works.

Cylance tested samples of Samsa and some of the related malicious executables. The results of this testing showed that CylancePROTECT is 100% effective against known Samsa executables. CylancePROTECT accomplishes this without downloading or updating signatures, or analyzing and observing the files prior to infection and attack.

It is our purely mathematical, machine learning driven approach that allows us to stop these attacks BEFORE they are ever allowed to execute, thus preventing any damage to your data, or worse, as in the recent attacks on medical environments, downed systems and the subsequent delays that may directly impact patient health and human life.

Cylance’s researchers have released a video showing CylancePROTECT in action, stopping multiple variants of Samsa:


Believe the math!!

Indicators Of Compromise (IOCs) – Samsa SHA256 Hashes


Additional Resources:

  • US-CERT Alert (TA16-091A): Ransomware and recent variants
  • American Hospital Association: What hospitals need to know about ransomware


[1] FBI FLASH MC-000070-MW distributed by the FBI to specific entities (TLP:GREEN) on March 25, 2016.