New Lateral Ransomware Targets Hospitals
Posted by: Timothy Weaver on 03/25/2016 09:32 AM
The health care industry is under attack from a different form of ransomware.
According to Talos, this new strain of ransomware infects servers via unpatched vulnerabilities and then spreads laterally across the local network. This particular malware, dubbed Samas or SamSam, enters through unpatched vulnerabilities in JBoss application servers and in reGeorg, an open-source framework that creates SOCKS proxies. The attackers gain their initial foothold by exploiting these software flaws.
The hackers behind this campaign are scanning for these vulnerabilities and unlike conventional ransomware, they are finding it much more lucrative.
Craig Williams, senior technical leader and security outreach manager at Talos, said: "I think this is really the next evolution of the ransomware game."
Cybercriminals are exploiting JBoss using an open-source exploit tool called JexBoss. Once they have compromised a machine, they can download SamSam, which locks up files with RSA-2048 encryption. The attackers can then move quietly and laterally across the local network and encrypt other connected systems as well. "We've seen cases where one of the victims buys an encryption key for one machine and then actually has to go back and buy it again for all the other machines," after discovering additional infections, explained Williams.
The criminals are also offering a bundled deal whereby victims can purchase a single key to unlock all of their infected computers for 22 bitcoins (approximately $9,160).
Talos also notes in its security advisory that the culprits behind SamSam have not taken steps to cover up the ransomware activity on affected systems. "That says two things," said Williams. "One, they don't fear law enforcement—they don't think they're going to be caught—and number two, they probably believe they have good crypto."
Source: SCMagazine