Samas Ransomware Continues To Infect Networks Worldwide

The hackers behind the Samas Ransomware continue to launch global attacks against computer networks, the latest one uses Active Directory exploits to infect the systems.

Samas Ransomware Attacks Computer Networks Globally

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

The hacker operators of the Samas ransomware continue to spread the dangerous virus against all types of computer networks – those belonging to individual users, companies and even government institutions. The threat was first discovered last year when it made several large-scale campaigns against victims worldwide. Since then it has become one of the most popular tools of both new and experienced computer criminals. Samas ransomware is dangerous because unlike other viruses of this type, it can affect the whole network not just the single infected host.

The newly evolved samples which were observed by the security analysts utilize a new means of infection:

  1. The criminals use Active Directory queries to obtain information about the target network.

  2. Attackers use various techniques to obtain domain credentials which are used to intrude to the computer network.

  3. The individual hosts are compromised further by the ransomware.

The security experts note that this route of infection is very similar of a worm which has been analyzed to execute under a similar routine. The particular incident is tracked under the CVE-2010-0738 security advisory which gives details about the exploit. Its details read the following:

The JMX-Console web application in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to send requests to this application’s GET handler by using a different method.

Once the hackers have gained access to the network they use tools that harvest the individual credentials of the registered users. The Active Directory implementation is targeted as it holds all the relevant information about the resources of the organization – users, applications, running servers and production services. The hackers use the CSVDE utility which is able to extract the relevant information without alerting the administrators or the Intrusion systems and firewalls of any malicious activity. The active hosts can be checked using the PING command, the hackers can the leverage them in ransomware attacks by installing malicious payloads using PSEXEC.

Depending on the individual network configuration it can have serious consequences for the victims. The Samas ransomware is an extensive projects, as we have reported numerous strains that have used portions of its code or are evolved versions of the main version. This gives hackers the ability to create heavily-customized viruses that are built specifically to attack certain networks.

The dangerous fact about this new wave of Samas ransomware attacks is that practically every organization that uses Active Directory is vulnerable. Upon intrusion of the network the hackers can learn everything about the environment, hosts and running services by using the necessary queries via the command-line utilities. Some facts against Samas Ransomware reveal the following alarming traits:

  1. The Virus Has Generated A Generous Amount Of Income For The Hackerswe reported that the hacker operators of Samas managed to generate 450 000 US Dollars for the past year.

  2. The Samas Ransomware Can Spread Through Various Methods And Strategies – Depending on the targets the hackers behind the virus may opt to use different infection strategies to unleash the infection. This can include anything from bulk email messages to infected software downloaded from hacker-controlled sites and P2P networks.

  3. The Virus Can Impose Additional Damage – Customized versions of the Samas ransomware can lead to the introduction of other dangerous malware to the infected systems. This can banking Trojans, Remote access Trojans, botnet miners and etc.

  4. It Cannot Be Removed Easily Post-Infection – As every Samas ransomware sample can deviate from the core threat, it can be very difficult to remove it without the use of a quality anti-spyware tool.

  5. The Samas Ransomware Strains Pose As Legitimate Software – During the major outbreaks of the virus the security experts have uncovered that the Samas ransomware strains feature text that poses as legitimate applications and updates originating from well-known vendors.

  6. Stealth Protection – Several of evolved versions feature a stealth protection mechanism. Upon detection of an anti-virus product, sandbox environment or a virtual machine it deletes itself.

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

Was this content helpful?

Author : Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *