With cyberattacks on the rise, security professionals in the private and public sectors are working together to stay one step ahead of hackers. On February 18, the Federal Bureau of Investigation (FBI) issued an alert regarding MSIL/Samas.A (Samas), a type of ransomware originally exposed in 2014.
Ransomware is a form of malware, and is often used as a blanket term to describe different forms of computer viruses. Once on a computer, ransomware encrypts the target’s data so that the computer owner cannot access their files, which are then held for a ransom. After a sum of money is paid, the data is restored.
Just over a month after the FBI’s initial alert, on March 25, the FBI released a confidential, and more urgent, “Flash” advisory requesting assistance from private companies and security firms to uncover the identity of hackers using Samas.
“The FBI is distributing these indicators to enable network defense activities and reduce the risk of similar attacks in the future,” read the advisory. The FBI asked recipients to contact its CYWATCH cyber center if they have been attacked or have relevant information that would aid the investigation.
Samas is a new, more dangerous form of ransomware. Typical ransomware can only target one computer at a time. Samas is “ransomware on steroids,” attacking entire networks of computers. Using the software tool JexBoss, the hacking group scans for networks running vulnerable, out-of-date versions of JBoss Enterprise Application Platform (JBoss EAP), business software developed by JBoss, a division of Red Hat, Inc.
When the hackers discover a vulnerable network, the ransomware deploys an attack that attempts to scramble data and delete backup files. The hackers then possess the sole copy of the stolen files, giving them leverage against their targets. Access to an entire network allows the group to install ransomware on any computer connected to that network. After successfully encrypting the desired data, the hackers extort their target, requesting payment in Bitcoin.
MSIL/Samas infections have been discovered primarily in North America, with limited cases in Europe and Asia. The sectors most targeted by Samas attacks have been computer-dependent industries like healthcare and law enforcement. IT provider Cisco has reported a “widespread campaign” of Samas being leveraged against healthcare providers, such as the recent attack on MedStar Health.
“The attempt to negatively impact an institution designed to save lives and care for those in need is a sad and troublesome reality of our times, not only for MedStar Health, but for our entire industry and the communities we serve,” says Kenneth A. Samet, FACHE, president and chief executive officer, MedStar Health. “Fortunately, thanks to the expertise and dedication of our clinical and IT teams, we are addressing the current issue in an expeditious and thoughtful manner, never losing sight of our responsibility to our patients.”