Since the emergence of Internet extortion schemes, few file-encrypting malware incidents have drawn as much law enforcement attention as the so-called Samas case. The reasons are clear: the sample in question targets large computer networks rather than standalone machines, and its operators use tactics that had not been seen before. Also known as Ransom:MSIL/Samas or SamSam, the infection has compromised healthcare companies, non-governmental organizations and businesses, which were forced to suspend their services for some time. Consequently, patients and customers had to wait for the mitigations to take effect.
Samas encrypts data stored on the infected computers and on network-attached storage devices, using the AES-128 cipher with a separate key for every file. It then encrypts each 16-character AES key with RSA-2048, a strong asymmetric algorithm that is computationally infeasible to break unless it is implemented or used incorrectly. Smaller files are encrypted first, and the malware skips a few system paths, including Program Files, Windows, and the Recycle Bin.
Not only do the locked files become inaccessible, but their names also have the .encryptedAES or .encryptedRSA extension appended. One of the discovered variants appends the .encedRSA string instead. The ransom payment and recovery instructions are laid out in a file named HELP_DECRYPT_YOUR_FILES.html, dropped on the desktop and in every folder that contains encrypted files.
Ransom:MSIL/Samas relies on an unusual methodology to infect networks. Its operators exploit vulnerabilities in unpatched JBoss Application Server installations to deploy web shells that give the attackers extensive remote access. As it also turned out, the criminals use the JexBoss penetration testing tool to identify weak links in a targeted server. A successful breach via this technique means the perpetrators can manually execute arbitrary commands on the network. According to a recent report, there are currently more than 3 million machines running potentially exploitable editions of JBoss. That is a huge attack surface.
Unlike nearly every known strain of ransomware, this one does not transmit decryption keys or any other information to a C2 server. Instead, the RSA public-private key pair is generated outside the infected network, and the adversary uses the readily available public key to perform the encryption. Meanwhile, the private key simply stays in the attacker's hands and is only handed over if the victim organization pays the ransom.
The payment scheme is unusual: depending on the Trojan version, the victim may either send 1, 1.5 or 1.7 Bitcoins for every affected workstation, or pay 22 Bitcoins for all private keys and recover all data in one shot. The 7-day deadline keeps victims busy finding the money or coming up with an alternative fix through backups or by attempting to brute-force the encryption.
Samas uses a batch file named "del.bat" to delete itself once it has finished encrypting data. With the sample gone, the infected organization's main objective is to restore the .encryptedAES/RSA files. Although there is currently no solution that decrypts this data, a number of techniques are worthwhile for getting some information back. Furthermore, even though removing the Samas executable itself is rarely the victim's problem, it makes sense to scan all machines on the network for associated malicious code and to update the current build of JBoss.
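The scan recommended above starts with scoping: which hosts and shares carry the artifacts the article names (the .encryptedAES, .encryptedRSA and .encedRSA extensions and the HELP_DECRYPT_YOUR_FILES.html note)? The following script is an added example, not code from the original article or from any vendor; it walks a directory tree and summarizes those artifacts per folder. The sample tree it builds is constructed for demonstration, and the function names are this example's own.

```python
"""Scope a Samas/SamSam incident by locating its file-system artifacts.

Added example (not from the original article). It walks a directory tree and
reports files carrying the extensions the article names (.encryptedAES,
.encryptedRSA, .encedRSA) and copies of the ransom note
HELP_DECRYPT_YOUR_FILES.html, so a responder can see which folders, shares
or hosts were touched. build_sample_tree() creates a constructed sample
tree; the function names are this example's own.
"""
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions and note name from the article, compared case-insensitively.
SAMAS_EXTENSIONS = {".encryptedaes", ".encryptedrsa", ".encedrsa"}
RANSOM_NOTE = "help_decrypt_your_files.html"


def scan_for_samas_artifacts(root):
    """Return a summary of Samas artifacts found under `root`.

    The result holds the total number of encrypted files, a per-extension
    breakdown, the paths of every ransom note, and the set of directories
    that contain at least one artifact (useful for mapping affected shares).
    """
    root = Path(root)
    by_ext = Counter()
    notes = []
    affected_dirs = set()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        name = path.name.lower()
        if name == RANSOM_NOTE:
            notes.append(str(path))
            affected_dirs.add(str(path.parent))
            continue
        # Path.suffix yields only the last extension, e.g. ".encryptedAES"
        # for "report.docx.encryptedAES", which is what we want to match.
        ext = path.suffix.lower()
        if ext in SAMAS_EXTENSIONS:
            by_ext[ext] += 1
            affected_dirs.add(str(path.parent))
    return {
        "encrypted_files": sum(by_ext.values()),
        "by_extension": dict(by_ext),
        "ransom_notes": sorted(notes),
        "affected_dirs": sorted(affected_dirs),
    }


def build_sample_tree():
    """Create a constructed directory tree mimicking a hit workstation.

    Returns the root path as a string. The contents are fabricated for this
    example only: two encrypted documents and a note in docs/, one encrypted
    photo, an untouched text file, a note on the 'desktop' (root), a file
    under a skipped system path, and a clean/ folder with nothing suspicious.
    """
    root = tempfile.mkdtemp(prefix="samas_scope_")
    files = {
        "docs/report.docx.encryptedAES": "ciphertext",
        "docs/budget.xlsx.encryptedRSA": "ciphertext",
        "docs/HELP_DECRYPT_YOUR_FILES.html": "<html>ransom note</html>",
        "photos/vacation.jpg.encedRSA": "ciphertext",
        "photos/notes.txt": "plain text, untouched",
        "HELP_DECRYPT_YOUR_FILES.html": "<html>ransom note</html>",
        "Windows/system.ini": "skipped by the malware",
        "clean/readme.txt": "nothing to see here",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def main():
    root = build_sample_tree()
    report = scan_for_samas_artifacts(root)
    print(f"Scanned {root}")
    print(f"  encrypted files : {report['encrypted_files']}")
    for ext, count in sorted(report["by_extension"].items()):
        print(f"    {ext:<14} {count}")
    print(f"  ransom notes    : {len(report['ransom_notes'])}")
    print("  affected folders:")
    for d in report["affected_dirs"]:
        print(f"    {d}")


if __name__ == "__main__":
    main()
```

Point the scanner at a mounted share or a mapped drive to get a per-folder picture of the damage before any restoration work begins; the per-extension breakdown also tells you which Samas variant (.encedRSA versus .encryptedAES/.encryptedRSA) you are dealing with.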
This is a highly efficient method for dealing with malware in general and ransomware threats in particular. A reputable security suite ensures thorough detection of all components of the infection and their complete removal in a single click. Be advised, though, that uninstalling this infection and recovering your files are two different things; the need to remove the pest is nonetheless indisputable, as it has been reported to deliver other Trojans while operating.
As mentioned above, the Samas ransomware applies strong cryptography to render files inaccessible, so there is no magic wand that restores all of the encrypted data in the blink of an eye, short of paying the ransom. There do exist techniques, though, that can help you recover the important data; the following sections explain what they are.
Automatic file recovery software
Notably, the infection encrypts copies of the files and then erases the unencrypted originals. Tools like Data Recovery Pro can therefore restore the deleted originals, even if they were removed in a secure way. This workaround is definitely worthwhile, as it has proved to be fairly effective.
Shadow Volume Copies
This approach relies on the native Windows backup of files on the computer, which is taken at each restore point. There is an important condition to this method: it only works if the System Restore feature was turned on before the infection. Also, any changes made to a file after the most recent restore point will not be reflected in the recovered version.
The Properties dialog for any file has a tab called Previous Versions. That is where the backed-up versions are listed and can be recovered from. So right-click on a file, go to Properties, open the above-mentioned tab and select the Copy or Restore option, depending on where you would like the file recovered to.
The above process can be automated with a tool called Shadow Explorer. It does the same thing (retrieving Shadow Volume Copies), but in a more convenient way. Download and install the application, run it, and browse to the files and folders whose previous versions you wish to restore. To get the job done, right-click on any of the entries and select the Export feature.
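Before spending time in Previous Versions or Shadow Explorer, a responder wants to know whether any shadow copy on the volume actually predates the infection, which is the condition stated above. The script below is an added example, not code from the original article or from Microsoft; it parses the text that `vssadmin list shadows` prints and keeps only the copies created before a given cut-off time. The SAMPLE_OUTPUT is constructed to resemble that tool's layout and is not taken from a real host, and the date format assumes the US-locale output; both are assumptions of this example.

```python
"""Check which Volume Shadow Copies predate a ransomware infection.

Added example (not from the original article). The Previous Versions tab
and Shadow Explorer only help if a restore point existed before the
encryption ran, so this parses the output of `vssadmin list shadows`
(run as Administrator) and keeps the copies created before a cut-off.
SAMPLE_OUTPUT below is constructed to resemble that tool's layout; it is
not captured from a real machine. VSS_TIME_FORMAT assumes US-locale
dates, which is an assumption of this example, not a property of vssadmin.
"""
import re
from datetime import datetime

SAMPLE_OUTPUT = r"""
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {11111111-1111-1111-1111-111111111111}
   Contained 1 shadow copies at creation time: 3/20/2016 7:45:10 PM
      Shadow Copy ID: {aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa}
         Original Volume: (C:)\\?\Volume{cccccccc-cccc-cccc-cccc-cccccccccccc}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1

Contents of shadow copy set ID: {22222222-2222-2222-2222-222222222222}
   Contained 1 shadow copies at creation time: 3/23/2016 9:05:33 AM
      Shadow Copy ID: {bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb}
         Original Volume: (C:)\\?\Volume{cccccccc-cccc-cccc-cccc-cccccccccccc}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
"""

# The creation-time line applies to every copy listed until the next one.
CREATED_RE = re.compile(r"creation time:\s*(.+?)\s*$")
DEVICE_RE = re.compile(r"Shadow Copy Volume:\s*(\S+)")
VSS_TIME_FORMAT = "%m/%d/%Y %I:%M:%S %p"  # assumption: US-locale formatting


def parse_vssadmin_output(text):
    """Return a list of {'created': datetime, 'device': str} dicts."""
    copies = []
    created = None
    for line in text.splitlines():
        m = CREATED_RE.search(line)
        if m:
            created = datetime.strptime(m.group(1), VSS_TIME_FORMAT)
            continue
        m = DEVICE_RE.search(line)
        if m and created is not None:
            copies.append({"created": created, "device": m.group(1)})
    return copies


def usable_shadow_copies(text, infected_at):
    """Keep only the copies taken strictly before `infected_at`.

    `infected_at` is a string in VSS_TIME_FORMAT, e.g. the timestamp of the
    earliest ransom note or encrypted file found during scoping. Copies taken
    after that moment would already contain the encrypted versions.
    """
    cutoff = datetime.strptime(infected_at, VSS_TIME_FORMAT)
    return [c for c in parse_vssadmin_output(text) if c["created"] < cutoff]


def main():
    infected_at = "3/22/2016 6:00:00 AM"  # constructed incident timestamp
    usable = usable_shadow_copies(SAMPLE_OUTPUT, infected_at)
    if not usable:
        print("No shadow copies predate the infection; Previous Versions will not help.")
        return
    print(f"Shadow copies taken before {infected_at}:")
    for c in usable:
        print(f"  {c['created']:%Y-%m-%d %H:%M:%S}  {c['device']}")


if __name__ == "__main__":
    main()
```

On a live host, replace SAMPLE_OUTPUT with the captured text of `vssadmin list shadows` and set the cut-off to the earliest artifact timestamp you found. An empty result means System Restore was off or the copies were taken after encryption, and the remaining options are file recovery tools or external backups.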
Of all the options that do not involve paying the ransom, this one is the best. If you had been backing up your information to an external server before the ransomware hit your PC, restoring the files it encrypted is as simple as logging into the respective interface, selecting the right files and initiating the restore. Before you do so, however, be sure to completely remove the ransomware from your computer.
If you chose the manual cleanup technique, fragments of the ransomware may remain as obfuscated objects in the operating system or as registry entries. To make sure no malicious components of the threat are left, have your computer scanned with a reliable malware security suite.