The NJCCIC is aware of a ransomware campaign that has already impacted two hospitals, one municipality, and an ICS company within the US.

According to multiple open-source reports, the perpetrator(s) behind this campaign are targeting victims with a new version of MSIL/Samas.A/Samsam ransomware (hereafter referred to as SamSam). This version of SamSam appends .weapologize to the names of encrypted files and drops a ransom note named 0000-SORRY-FOR-FILES.html on infected systems. When SamSam ransomware first emerged, campaigns would target vulnerable servers running outdated versions of JBoss using JexBoss, an open-source JBoss testing/exploitation tool.

However, one Bleeping Computer article suggests that the perpetrator(s) behind this campaign may now be distributing SamSam via Remote Desktop Protocol (RDP) compromise. This article also reports that the online ransomware identification service, ID Ransomware, has received at least 17 submissions of SamSam-related files so far in January 2018, suggesting that this campaign is ongoing and actively targeting victims.

Known victims of this campaign include Hancock Health Hospital in Greenfield, Indiana; Adams Memorial Hospital in Decatur, Indiana; and the city of Farmington in New Mexico.
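The two file indicators named above (the .weapologize suffix and the 0000-SORRY-FOR-FILES.html note) can be swept for across a file share during triage. The following is an added example, not part of the original advisory: the function names and the sample directory tree are constructed for illustration, and modification times are used only as a rough hint of when files were touched.

```python
import os
import tempfile
from datetime import datetime, timezone

# Indicators named in the advisory above; both are compared case-insensitively.
ENCRYPTED_SUFFIX = ".weapologize"
RANSOM_NOTE = "0000-sorry-for-files.html"

def sweep(root):
    """Return {directory: {"encrypted": [...], "notes": [...], "earliest": mtime}}."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lowered = name.lower()  # Windows file names are case-insensitive
            kind = ("encrypted" if lowered.endswith(ENCRYPTED_SUFFIX)
                    else "notes" if lowered == RANSOM_NOTE else None)
            if kind is None:
                continue
            entry = hits.setdefault(dirpath, {"encrypted": [], "notes": [], "earliest": None})
            entry[kind].append(name)
            try:
                mtime = os.stat(os.path.join(dirpath, name)).st_mtime
            except OSError:
                continue  # unreadable file: keep the name hit, skip the timestamp
            if entry["earliest"] is None or mtime < entry["earliest"]:
                entry["earliest"] = mtime
    return hits

def earliest_activity(hits):
    """Earliest mtime across all hits as a UTC datetime (None if there are no hits)."""
    times = [h["earliest"] for h in hits.values() if h["earliest"] is not None]
    return datetime.fromtimestamp(min(times), timezone.utc) if times else None

def build_sample_tree(root):
    """Constructed sample data: two renamed files, one note, one untouched file."""
    finance = os.path.join(root, "share", "finance")
    os.makedirs(finance)
    for name, mtime in [("q4.xlsx.weapologize", 1516000000), ("payroll.docx.WEAPOLOGIZE", 1516000300),
                        ("0000-SORRY-FOR-FILES.html", 1516000600), ("readme.txt", 1515000000)]:
        path = os.path.join(finance, name)
        open(path, "w").close()
        os.utime(path, (mtime, mtime))
    return finance

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for directory, info in sweep(tmp).items():
            print(directory, sorted(info["encrypted"]), info["notes"], info["earliest"])
```

Pointing sweep() at the root of a share groups hits by directory, which shows which folders were reached and gives a starting timestamp for correlating with logon records.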
Posted by melson on Jan 22, 2018 at 10:26 AM