Samsam Ransomware hits City of Atlanta IT Systems

By Migo Kedem -

Samsam ransomware used in targeted attacks was first seen around 2016 and it’s set its sights on the healthcare industry. Typical ransomware victims are infected by clicking on a malicious link, opening an email attachment, or through malvertising. Samsam is unique because it infects servers directly using a vulnerability in Red Hat’s JBoss enterprise products. Hackers use tools like JexBoss, an open-source penetration testing tool, to identify unpatched vulnerabilities in JBoss application servers. Once a hacker infiltrates one of these servers, they install the Samsam ransomware onto the targeted Web application server and spread the ransomware client to Windows devices and encrypt their files.

SamSam Ransomware Authors - Wanted by the FBI

The City of Atlanta is currently experiencing outages on various customer facing applications, including some that customers may use to pay bills or access court-related information. We will post any updates as we receive them. pic.twitter.com/kc51rojhBl

— City of Atlanta, GA (@Cityofatlanta) March 22, 2018

It followed a press conference:

Mayor @KeishaBottoms holds a press conference regarding the security breach. https://t.co/h1WlcyUc6x

— City of Atlanta, GA (@Cityofatlanta) March 22, 2018

According to 11Alive, the ransomware that was seen is Samsam. Earlier this year, Samsam infected the Colorado Department of Transportation.

Demo

Subscribe to our YouTube channel

Analysis

SentinelOne detects Samsam Ransomware both pre-execution and on-execution. On default policy, it will not be allowed to run. If set to Detect mode, SentinelOne detects behaviors specifically used by ransomware. Namely, scanning the hard drive for files, and replacing them with encrypted versions. Given that Samsam is deployed using an exploit, SentinelOne would detect the attack during this phase. By the Attack Storyline, we see Samsam being detected by the SentinelOne agent, preventing files from being unrecoverable encrypted. Moreover, SentinelOne would detect any lateral movement from the compromised server to other servers on the network if an exploit were to be undetected. SentinelOne’s early detection would catch the Samsam attack before the ransomware is able to run. In addition, Samsam deletes shadow copies, making it impossible for an IT Administrator to revert files and applications to their unencrypted state. SentinelOne recognizes this behavior and detects when Samsam is trying to delete shadow copies. Should something slip through the cracks, SentinelOne is able to remediate infected files and roll them back to their pre-encrypted state.

Demo

Subscribe to our YouTube channel

Analysis

SentinelOne detects Samsam Ransomware both pre-execution and on-execution. On default policy, it will not be allowed to run. If set to Detect mode, SentinelOne detects behaviors specifically used by ransomware. Namely, scanning the hard drive for files, and replacing them with encrypted versions. Given that Samsam is deployed using an exploit, SentinelOne would detect the attack during this phase. By the Attack Storyline, we see Samsam being detected by the SentinelOne agent, preventing files from being unrecoverable encrypted. Moreover, SentinelOne would detect any lateral movement from the compromised server to other servers on the network if an exploit were to be undetected. SentinelOne’s early detection would catch the Samsam attack before the ransomware is able to run. In addition, Samsam deletes shadow copies, making it impossible for an IT Administrator to revert files and applications to their unencrypted state. SentinelOne recognizes this behavior and detects when Samsam is trying to delete shadow copies. Should something slip through the cracks, SentinelOne is able to remediate infected files and roll them back to their pre-encrypted state.


Like this article? Follow us on LinkedInTwitter, YouTube or Facebook to see the content we post.

Read more about Windows Security

“ALL YOUR FILES ARE ENCRYPTED” – Unless set to Russian Locale

New Windows 10 File Type Can Be Abused for Running Malicious Applications

Hancitor Banking Trojan is Back | Using Malicious Word Attachment

SentinelOne Detects and Blocks New Variant of Powershell CryptoWorm

What's New