The SamSam ransomware that has been active for more than a year is now asking for $33,000 to decrypt and restore all the encrypted files.
If a single device in a network was attacked, the malware can spread to other devices on the network. The malware operators are using remote desktop protocol (RDP), web shells and batch scripts to attack networks and deploy the ransomware on every machine.
“The attacks seem to peak in waves as campaigns distributing SamSam are executed. A notable recent example was a large hospital in New York that was hit with SamSam in April. The hospital declined to pay the attackers the $44,000 ransom demanded. It took a month for the hospital’s IT systems to be fully restored.”
Defending against SamSam is more similar to a targeted attack than normal opportunistic ransomware. SamSam criminals are known to:
– Get remote access through common attacks, such as JBoss exploits.
– Spread web-shells.
– Connecting to Remote Desktop Connection over HTTP tunnels such as ReGeorg.
– Execute batch scripts to spread the malware over devices.
“The most recent attacks appear to have been successful, at least from the attackers point of view. The Bitcoin address associated with this week’s attacks has received $33,000.”