RANSOMWARE ATTACKS ON US HOSPITALS


    Unclassified // For Official Use Only TLP: GREEN

    DISTRIBUTION NOTICE: TLP: GREEN. Recipients may share TLP: GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. http://www.us-cert.gov/tlp/

    RANSOMWARE ATTACKS ON US HOSPITALS
    DATE: April 13, 2016
    Ref: CTIP-IB-16-23

    (U//FOUO) SCOPE

    (U//FOUO) This product covers ransomware attacks reported by hospitals in the U.S. from approximately January 2016 to April 2016. The analysis concentrates on two variants of malware/ransomware used in the most sophisticated attacks, known as "Locky" and "MSIL/Samas.A" (hereafter "ATTACK TYPE 1" and "ATTACK TYPE 2" respectively).

    (U//FOUO) For ease of use, the key findings and the attack history and overview have been split into separate sections. The technical analysis starts on page three. Preventative and protective information applicable to both attack types starts on page eight. The analysis should be passed to the appropriate system administration and information security personnel.

    (U//FOUO) KEY FINDINGS

    (U//FOUO) An increasing number of hospitals in the US have suffered disruption from ransomware.

    (U//FOUO) Consequences of the attacks have ranged from short term disruption to long term interruption of operations and patient care.

    (U//FOUO) Attack methods have become refined and are becoming resistant to current detection methods.

    (U//FOUO) Both automated and manually targeted attacks have been effective at disrupting hospital operations.

    (U//FOUO) KCTEW judges with high confidence that ransomware attacks will continue to be attractive to attackers and will continue to be a threat to hospital operations.

    (U//FOUO) BACKGROUND (OVERVIEW)

    (U) Hospitals throughout the US and Canada are falling victim to ransomware attacks in increasing numbers. Ransomware is malicious software that encrypts a user's or company's files and programs and forces them to pay a ransom to the attacker in order to regain access to their own files. Some of the targeted hospitals include:

    (U) CoxHealth: a Southwest Missouri-based group


    (U) MedStar: a Maryland-based group of 10 hospitals

    (U) Hollywood Presbyterian Medical Center

    (U) Chino Valley Medical Center: a California-based hospital

    (U) Desert Valley Medical Center: a California-based hospital

    (U) Ruby Memorial Hospital: a West Virginia-based hospital

    (U) Kings Daughters Hospital: a Southeast Indiana hospital

    (U) The targeted hospitals have suffered consequences ranging from short-term disruption of limited services to complete enterprise-wide disruption of administrative and clinical systems for multiple days, taking many additional days to fully recover all systems. Additionally, some hospitals have paid ransom amounts of $17,000 or higher to perpetrators in order to recover hospital information.

    (U) The attacks have been accomplished by a variety of different strains of ransomware, but in general represent two largely different attack methods.

    (U) The first methodology (ATTACK TYPE 1) is the more commonly seen ransomware attack and typically uses three infection vectors:

    1) (U) Phishing email: the attacker sends millions of emails with malicious links or attachments, hoping an unsuspecting user will click the link or open the attachment.

    2) (U) Drive-by browser attacks: a user visits a malicious website that exploits a vulnerability in the user's browser, infecting the system simply by visiting the site.

    3) (U) Free software downloads: a user downloads seemingly useful software from an apparently trusted site, but the files carry malicious code that infects the user's system when installed.

    (U//FOUO) KCTEW Analyst Note: Because of the nature of ransomware and the usual tactics employed to deliver it, and because ransomware does not typically traverse a network, an infection can encrypt any files to which the infected machine has access, but the malicious code will not typically spread itself to other machines. That means that, with prior planning, an attack can be limited to small sections of an enterprise, thereby limiting ransomware impact. However, newer strains of ransomware are increasing in anti-forensic capability and may develop the capability to spread to other systems.

    (U) The second methodology (ATTACK TYPE 2), seen recently, more closely resembles a traditional malware attack. In one case the attacker appears to have used an open-source penetration testing tool to scan targets for specific vulnerabilities in specific types of software. Once vulnerabilities are found, they are exploited to give the attacker command line access. The attacker, using stolen credentials, spreads through the network, compromising other machines. In this instance the attacker appears to have identified the most valuable and vulnerable assets and executed a ransomware virus on that machine.

    (U//FOUO) KCTEW Analyst Note: In this scenario, the attacker enters through a server and has increased access to the enterprise network. Their activity is stealthy, meaning they can remain in the network for weeks or months while performing reconnaissance, exfiltrating information/files, altering information, altering systems, etc. It is important to note that this type of attack is usually NOT automated. The attacker is manually traversing the system looking for opportunity. Anti-virus and Intrusion Detection systems using signatures are much less likely to spot this type of compromise. An attacker can implement multiple attacks depending on what they find. They do NOT have to confine their crimes to ransomware and could use a ransomware attack as cover for other crimes, commit multiple crimes or stay resident, lurking in the network waiting for opportunity.

    ATTACK TYPE 1: Locky Variants

    (U//FOUO) METHODS / EXPLOITED VULNERABILITIES

    (U) Locky variants are delivered primarily via phishing email. Locky has significantly increased its virulence compared to other ransomware variants and is close to being the second most used attack tool.1 At least one vendor has observed a botnet distributing phishing email with Locky attachments at a rate of 200,000 emails per hour.2

    (U) Locky has recently undergone significant enhancement, adding complex anti-detection and anti-forensic countermeasures including (but not limited to):

    (U) Adding the ability to use a JavaScript downloader in addition to malicious Microsoft Word macros.

    (U) Addition of at least 10 downloader variants.

    (U) Change of communication protocol.

    (U) Inclusion in the Nuclear exploit kit (EK).

    (U) A significant addition to Locky is the ability to encrypt files on unmapped network drives. This means that even though a drive doesn't appear as a drive letter or attachment, Locky will perform network discovery and try to encrypt files on unassigned drives.3

    (U//FOUO) KCTEW Analyst Note: The capability to discover unmapped network drives extends Locky's reach in an enterprise environment significantly, giving the impression that it is traversing the network. The number of variants, loaders, communication changes, etc. make Anti-virus and Intrusion Detection systems using signatures less capable of spotting this infection.

    (U//FOUO) INDICATORS

    (U) A preferred method for delivery is a phishing email with a bogus invoice attached. The invoice is a Microsoft Word document with a malicious macro embedded, similar to Figure 1.

    (U) Figure 1 (Credit: Bleeping Computer)

    (U) When the malicious MS Word document is opened and macros are enabled, Locky finds files with the following extensions:

    .mid, .wma, .flv, .mkv, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf,

    .wav, .qcow2, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .tar.bz2, .tbk, .bak,

    .tar, .tgz, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg,

    .jpg, .tif, .tiff, .NEF, .psd, .cmd, .bat, .class, .jar, .java, .asp, .brd, .sch,

    .dch, .dip, .vbs, .asm, .pas, .cpp, .php, .ldf, .mdf, .ibd, .MYI, .MYD, .frm, .odb,

    .dbf, .mdb, .sql, .SQLITEDB, .SQLITE3, .asc, .lay6, .lay, .ms11 (Security copy),

    .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm, .otg, .odg, .uop, .potx,

    .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wks, .xltx,

    .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots,

    .ods, .hwp, .dotm, .dotx, .docm, .docx, .DOT, .max, .xml, .txt, .CSV, .uot, .RTF,

    .pdf, .XLS, .PPT, .stw, .sxw, .ott, .odt, .DOC, .pem, .csr, .crt, .key, wallet.dat

    (U) Locky will skip any files where the full pathname and filename contain one of the following strings:

    tmp, winnt, Application Data, AppData, Program Files (x86), Program Files, temp,

    thumbs.db, $Recycle.Bin, System Volume Information, Boot, Windows

    (U) Locky encrypts and renames files to the format [unique_id][identifier].locky. So when test.jpg is encrypted it would be renamed to something like A5094B2F762DD993AFC2742E3F5297CD.locky.

    (U) Locky then deletes all of the Shadow Volume Copies (SVC) on the machine, so that they cannot be used to restore the victim's files, by executing:

    vssadmin.exe Delete Shadows /All /Quiet

    (U) On the Windows desktop and in each folder where a file was encrypted, Locky will create ransom notes called _Locky_recover_instructions.txt. This ransom note contains information about what happened to the victim's files and links to a decryption page. Locky alters the system's wallpaper to display the ransom note, similar to Figure 2.

    (U) Figure 2 (Credit: Bleeping Computer)

    Locky stores information in the system registry under the following keys:

    HKCU\Software\Locky\id - The unique ID assigned to the victim.

    HKCU\Software\Locky\pubkey - The RSA public key.

    HKCU\Software\Locky\paytext - The text that is stored in the ransom notes.

    HKCU\Software\Locky\completed - Whether the ransomware finished encrypting the computer.

    Related files:

    %UserProfile%\Desktop\_Locky_recover_instructions.bmp

    %UserProfile%\Desktop\_Locky_recover_instructions.txt

    %Temp%\[random].exe
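The Locky indicators listed above (targeted extensions, skip strings, the 32-hex-character .locky rename, vssadmin shadow deletion, the ransom note and the HKCU\Software\Locky keys) written up as a small Python triage tool. This is an added example, not code from the report or from any vendor: the extension set is a shortened subset of the report's list, the telemetry lines are constructed, and case-insensitive extension matching is an assumption.

```python
import re
from collections import Counter

# Locky targeting rule reconstructed from this report. The extension set is a
# subset of the report's list (shortened for the example); the skip strings are
# the report's full list. Assumption: extensions are compared case-insensitively,
# skip strings as written (the report lists them in mixed case).
LOCKY_EXTENSIONS = {
    ".mid", ".wma", ".avi", ".mpg", ".wav", ".vmdk", ".vmx", ".gpg", ".bak",
    ".tar", ".tgz", ".rar", ".zip", ".png", ".jpg", ".jpeg", ".psd", ".bat",
    ".jar", ".java", ".asp", ".vbs", ".cpp", ".php", ".mdf", ".sql", ".mdb",
    ".pptx", ".xlsx", ".xls", ".docx", ".doc", ".xml", ".txt", ".csv", ".rtf",
    ".pdf", ".pem", ".csr", ".crt", ".key",
}
LOCKY_DOUBLE_EXTENSIONS = {".tar.bz2"}
LOCKY_FILENAMES = {"wallet.dat"}
LOCKY_SKIP_STRINGS = [
    "tmp", "winnt", "Application Data", "AppData", "Program Files (x86)",
    "Program Files", "temp", "thumbs.db", "$Recycle.Bin",
    "System Volume Information", "Boot", "Windows",
]


def locky_would_encrypt(path: str) -> bool:
    """True if a file at `path` (local or UNC) matches Locky's targeting rule.
    Useful for estimating which shares one infected workstation could reach."""
    # The report: files are skipped when the full path and file name contain
    # any skip string, so this check comes first and covers the whole string.
    if any(s in path for s in LOCKY_SKIP_STRINGS):
        return False
    name = path.lower().rsplit("\\", 1)[-1]
    if name in LOCKY_FILENAMES:
        return True
    if any(name.endswith(d) for d in LOCKY_DOUBLE_EXTENSIONS):
        return True
    dot = name.rfind(".")
    return dot != -1 and name[dot:] in LOCKY_EXTENSIONS


# Host indicators from the report, as (rule name, event type, pattern).
LOCKY_RULES = [
    ("shadow_copy_deletion", "ProcessCreate",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    # Renamed to 32 hex characters plus .locky, e.g. A5094B2F...97CD.locky
    ("locky_rename", "FileRename",
     re.compile(r"->\s.*\\[0-9A-F]{32}\.locky$", re.I)),
    ("ransom_note", "FileCreate",
     re.compile(r"\\_Locky_recover_instructions\.(?:txt|bmp)$", re.I)),
    ("locky_registry", "RegistrySet",
     re.compile(r"\\Software\\Locky\\", re.I)),
]

# Constructed endpoint telemetry (not real logs): timestamp|event|host|detail.
# WS-17 shows the Locky sequence; WS-22 is ordinary activity that must not fire.
SAMPLE_EVENTS = """\
2016-04-01T09:58:12|RegistrySet|WS-17|HKCU\\Software\\Locky\\id
2016-04-01T09:58:12|RegistrySet|WS-17|HKCU\\Software\\Locky\\pubkey
2016-04-01T09:58:13|FileRename|WS-17|C:\\Users\\alice\\Documents\\test.jpg -> C:\\Users\\alice\\Documents\\A5094B2F762DD993AFC2742E3F5297CD.locky
2016-04-01T09:58:13|FileRename|WS-17|\\\\FS01\\finance\\q1.xlsx -> \\\\FS01\\finance\\0F3A9C2B1D4E5F60718293A4B5C6D7E8.locky
2016-04-01T09:58:14|FileCreate|WS-17|\\\\FS01\\finance\\_Locky_recover_instructions.txt
2016-04-01T09:58:20|ProcessCreate|WS-17|vssadmin.exe Delete Shadows /All /Quiet
2016-04-01T10:02:00|FileRename|WS-22|C:\\Users\\bob\\report_v2.docx -> C:\\Users\\bob\\report_final.docx
2016-04-01T10:03:00|ProcessCreate|WS-22|vssadmin.exe List Shadows
"""


def scan_events(log_text: str):
    """Match each event against LOCKY_RULES.
    Returns (findings as (timestamp, host, rule), .locky renames per host)."""
    findings, renames = [], Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, host, detail = line.split("|", 3)
        for rule, wanted_event, pattern in LOCKY_RULES:
            if event == wanted_event and pattern.search(detail):
                findings.append((ts, host, rule))
                if rule == "locky_rename":
                    renames[host] += 1
    return findings, renames


def hosts_with_locky_activity(log_text: str, min_rules: int = 2):
    """Hosts where at least `min_rules` distinct rules fired. Requiring two
    different indicators keeps a lone vssadmin call or one odd rename from
    paging the on-call analyst on its own."""
    per_host = {}
    for _, host, rule in scan_events(log_text)[0]:
        per_host.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in per_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    for path in (r"\\FS01\finance\q1.xlsx", r"C:\Program Files\app\data.xlsx"):
        print(path, "->", "would be encrypted" if locky_would_encrypt(path) else "skipped")
    findings, renames = scan_events(SAMPLE_EVENTS)
    print("hosts to isolate:", hosts_with_locky_activity(SAMPLE_EVENTS), dict(renames))
```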

    (U//FOUO) REMEDIATION / MITIGATION

    (U) At this writing, the most effective method of recovery is to restore the files from backups.

    Assure backup files are available and viable.

    After preserving forensic evidence as necessary, completely wipe the machine(s) and rebuild/reinstall software from known clean sources:
        o Operating system
        o Applications

    Restore backup.

    Institute preventative/protective measures.

    (U//FOUO) KCTEW does NOT recommend paying ransom. There is no guarantee that the criminals will honor the agreement, the criminal may target you again knowing that you have paid ransom before, and in general paying the ransom encourages the criminal(s) to try extortion again.

    (U//FOUO) However, if adequate backups do not exist and the effort to recreate the files is expensive or the content of the files is critical, an enterprise or individual may choose to attempt to pay the ransom. Inside the Locky ransom notes are links to a Tor site called the Locky Decrypter Page. This page is located at 6dtxgqam4crv6rr6.onion and contains the amount of bitcoins to send as a payment, how to purchase the bitcoins, and the bitcoin address to which payment should be sent. Once a victim sends payment to the assigned bitcoin address, this page will provide a decrypter that can be used to decrypt their files.

    (U//FOUO) KCTEW Analyst Note: The attacker is hoping that the combination of Locky deleting itself, deleting shadow copies and renaming each encrypted file with a unique identifier complicates the task of recovery to the point that the victim will pay the ransom rather than attempt it. The choices for recovery from this ransomware variant usually come down to either restoring from backup copies or paying the ransom. One hospital elected to pay a ransom of $17,000 in the face of the difficulty.4

    ATTACK TYPE 2: MSIL/Samas.A

    (U) Figure 3 (Credit: Microsoft Security Blog)

    (U//FOUO) METHODS / EXPLOITED VULNERABILITIES

    (U//FOUO) Attacks built around MSIL/Samas.A are different from the majority of other ransomware attacks. It appears the attackers' desired outcome is to extort ransom from the target, though the attack actually resembles a more conventional system compromise and malware attack.

    (U//FOUO) As shown in Figure 3, the attacker used an open-source penetration testing tool (JexBoss) to scan for vulnerable systems and software.5 In this case the attacker scanned for outdated and unpatched versions of the JBOSS framework, the WildFly application server, or various vulnerabilities in Java applications.6 Once inside the network the attacker used several tools to proceed:

    Installation on the compromised server of a Python-based SOCKS proxy to conceal communications with systems within the network.

    Installation and use of a Windows credentials collection tool to steal user credentials to move laterally within the network.

    Network reconnaissance using the Hyena and reGeorg network scanning tools to locate more Windows machines to attack.

    Use of stolen credentials to connect to found systems and implant Samsam.exe.

    (U//FOUO) Analysis indicates the attackers conducted reconnaissance of the network for an extended time in order to identify an appropriate ransom amount based on the perceived value of the target's data. Of note is that the attacks were performed manually; the initial penetration occurred weeks or months before the ransomware attack was launched.7

    (U//FOUO) KCTEW Analyst Note: As mentioned previously, it is important to note that this type of attack is usually NOT automated. It is much more specifically targeted and the attacker is aware of what kind of establishment they are compromising. They do NOT have to confine their crimes to ransomware and could use a ransomware attack as cover for other crimes, commit multiple crimes or stay resident, lurking in the network waiting for opportunities.

    (U//FOUO) Once inside the network and various machines are identified as targets, the ransomware attacks are launched and proceed in much the same manner as more traditional ransomware attacks.

    (U) The file samsam.exe and a key file named _PublicKey.xml are deposited into the system folder.

    (U) The ransomware searches for and encrypts files matching a fixed list of file extensions and exceptions, using a 2048-bit RSA algorithm. Encrypted file names have encrypted.RSA appended to them.

    (U) Similar to the Locky ransomware, the vssadmin.exe utility is used to delete the Shadow Volume Copies and any backup files.

    (U) Deposits a file, HELP_DECRYPT_YOUR_FILES.html, in the root folder of any encrypted files and also in the Desktop folder.

    (U) After the files are encrypted, a ransomware message is displayed and the malware deletes itself.

    (U//FOUO) INDICATORS

    (U//FOUO) FBI has provided a list of indicators and additional information. Because of their length, those documents are included as attachments. Additionally, a copy of the files is included with the distribution of this document. Those included are:

    (U//FOUO) FBI FLASH MC-000070-MW (attached document)

    (U//FOUO) FBI FLASH MC-000068-MW (attached document)

    (U//FOUO) Samas_A_IOC spreadsheet (attached document)

    (U//FOUO) Preventative Measures

    (U//FOUO) These measures address vulnerabilities that enable this attack type, i.e. ransomware attacks against hospitals. HOWEVER, they should be considered for ANY enterprise.

    (U) Assure that server-based software such as JBOSS, JNI and any Java-based applications are patched and the latest versions installed.

    (U) Adopt active monitoring of application transaction logs.

    (U) Ensure that a strong password policy is implemented throughout the enterprise.

    (U) The attackers used stolen or derived credentials.

    (U) Protect derived domain.

    (U) Use two-factor authentication when possible.

    (U//FOUO) REMEDIATION / MITIGATION

    (U//FOUO) Because the attacker may have been resident in the network for an extended time, KCTEW recommends that it be treated as a full System Security Breach and the appropriate procedures implemented immediately. The attacker has had access to the entire network, and the integrity and confidentiality of any system or sub-system should be verified. Procedures put in place by MEDSTAR (USBIZ), a Maryland-based group of ten hospitals, took all systems, administrative and clinical, off-line and brought them back on-line in order of criticality as each was cleaned and verified.

    (U//FOUO) The ransomware extortion portion can be treated as one facet of the attack and has recovery procedures similar to those for a Locky attack (ATTACK TYPE 1). As in that attack, an evaluation should be made whether the information can be restored from backups, or whether there should be an attempt to pay the ransom if the information is critical and can't be replicated or recovered.

    TLP: GREEN

    The information in this FLASH was obtained through an FBI investigation and is provided in conjunction with the FBI's statutory requirement to conduct victim notification as outlined in 42 USC 10607.

    25 March 2016
    Alert Number MC-000070-MW

    WE NEED YOUR HELP! If you find any of these indicators on your networks, or have related information, please contact FBI CYWATCH immediately.

    Email: [email protected]
    Phone: 1-855-292-3937

    *Note: By reporting any related information to FBI CyWatch, you are assisting in sharing information that allows the FBI to track malicious actors and coordinate with private industry and the United States Government to prevent future intrusions and attacks.

    In furtherance of public-private partnerships, the FBI routinely advises private industry of various cyber threat indicators observed during the course of our investigations. This data is provided in order to help cyber security professionals and system administrators to guard against the persistent malicious actions of cyber criminals. This FLASH has been released TLP: GREEN: The information in this product is useful for the awareness of all participating organizations within their sector or community, but not via publicly accessible channels. The FBI is providing the following information with high confidence:

    Summary

    This report is an update to the FLASH released on 18 February 2016, Alert Number MC-000068-MW. Cyber criminals continue to use the ransomware MSIL/Samas.A to encrypt an infected host's files, allowing them to demand considerable sums of money in return for decryption keys. Actor(s) attempt to infect whole networks with MSIL/Samas.A, increasing the potential of extorting large sums of money from victims. The common method of payment for ransom is Bitcoin (BTC). This update provides information about the vulnerabilities and exploits used by the actor(s) for initial intrusion into victim networks.

    Technical Details

    The FBI previously identified that the actor(s) exploit Java-based Web servers to gain persistent access to a victim network and infect Windows-based hosts. The FBI also indicated that several victims have reported the initial intrusion occurred via JBOSS applications. Further analysis of victim machines indicates that, in at least two cases, the attackers used a Python tool, known as JexBoss, to probe and exploit target systems. Analysis of the JexBoss Exploit Kit identified the specific JBoss services targeted and vulnerabilities exploited. The FBI is distributing these indicators to enable network defense activities and reduce the risk of similar attacks in the future.

    FBI indicators based on an ongoing investigation:

    The JexBoss tool, publicly available on GitHub.com, prompts attackers to input the target URL for JexBoss to check for any of three vulnerable JBoss services: web-console, jmx-console, and JMXInvokerServlet. Depending on which vulnerabilities are detected, the tool then prompts the user to initiate corresponding exploits. The tool's exploits are collectively effective against JBoss versions 4, 5, and 6. The payload of each exploit is a Web application Archive (.war) file, jbossass.war. A successful exploit results in unpackaging the .war file and utilizing jbossass.jsp to deploy an HTTP shell for the attacker.

    Following initial infection of the network with MSIL/Samas.A, the actor(s) connect via RDP sessions. An open source tool, known as reGeorg, is used to tunnel the RDP traffic over the established HTTP connection. The actors use the Microsoft tool csvde.exe to determine the hosts reporting to the Active Directory. A list of all hosts found in the directory is compiled into a .csv file or other similar file type. Finally, the actor(s) distribute the ransomware to each host in the network using a copy of Microsoft's psexec.exe.

    An updated complete list of indicators for known variants and associated files is attached to this e-mail.

    Disclaimer: Information provided below is still being vetted. Some of the information is taken from private industry reporting.

    Relevant JBoss Common Vulnerabilities and Exposures (CVEs):

    CVE ID          Affected Service
    CVE-2015-5188   web-console
    CVE-2010-2493   web-console
    CVE-2010-1428   web-console
    CVE-2012-3347   jmx-console
    CVE-2011-2908   jmx-console
    CVE-2010-0738   jmx-console
    CVE-2013-4810   JMXInvokerServlet

    JexBoss Specific Mitigations

    JBoss developers published a guide to configuring and hardening JBoss, available at https://developer.jboss.org/wiki/SecureJboss?_sscc=t.

    Many of the known vulnerabilities have been patched in the most recent version of JBoss, now known as Wildfly.
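The probe-and-deploy sequence the FLASH describes (requests to web-console, jmx-console and JMXInvokerServlet, then the jbossass.war/jbossass.jsp HTTP shell and the reGeorg tunnel.jsp carrying RDP over HTTP) is visible in the JBoss or reverse-proxy access log. The Python below is an added example, not FBI, JexBoss or JBoss code: the URL paths are the default JBoss deployment paths (the FLASH names the services, not the paths), the log lines are constructed, and the CVE annotations come from the FLASH's table.

```python
import re
from collections import defaultdict

# The three services JexBoss probes, mapped to the CVEs listed in the FLASH.
JBOSS_SERVICE_CVES = {
    "web-console": ["CVE-2015-5188", "CVE-2010-2493", "CVE-2010-1428"],
    "jmx-console": ["CVE-2012-3347", "CVE-2011-2908", "CVE-2010-0738"],
    "JMXInvokerServlet": ["CVE-2013-4810"],
}
# Assumption: default JBoss URL paths for those services.
SERVICE_PATHS = {
    "/web-console": "web-console",
    "/jmx-console": "jmx-console",
    "/invoker/JMXInvokerServlet": "JMXInvokerServlet",
}
# Post-exploitation artefacts named in the FLASH: the deployed jbossass.war /
# jbossass.jsp HTTP shell and the reGeorg tunnel.jsp that carried RDP over HTTP.
ARTIFACT_PATTERN = re.compile(r"/(?:jbossass(?:\.war|/jbossass\.jsp)|tunnel\.jsp)\b", re.I)

# Common log format: client ident user [time] "METHOD PATH PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed access log (not from a real incident). 203.0.113.7 runs the
# probe -> exploit -> shell -> tunnel sequence; the other two clients are noise.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [02/Mar/2016:03:12:01 +0000] "GET /jmx-console/ HTTP/1.1" 200 3122
203.0.113.7 - - [02/Mar/2016:03:12:02 +0000] "HEAD /jmx-console/HtmlAdaptor HTTP/1.1" 200 -
203.0.113.7 - - [02/Mar/2016:03:12:03 +0000] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 1460
203.0.113.7 - - [02/Mar/2016:03:12:09 +0000] "GET /jbossass/jbossass.jsp HTTP/1.1" 200 512
198.51.100.4 - - [02/Mar/2016:03:40:10 +0000] "GET /web-console/ HTTP/1.1" 401 0
203.0.113.7 - - [02/Mar/2016:04:01:45 +0000] "POST /tunnel.jsp HTTP/1.1" 200 820
192.0.2.50 - - [02/Mar/2016:08:15:00 +0000] "GET /myapp/index.jsp HTTP/1.1" 200 4401
"""


def classify_request(method: str, path: str, status: str):
    """Findings for one request as (finding, detail) pairs; [] when nothing matches."""
    findings = []
    for prefix, service in SERVICE_PATHS.items():
        if path == prefix or path.startswith(prefix + "/") or path.startswith(prefix + "?"):
            cves = ", ".join(JBOSS_SERVICE_CVES[service])
            findings.append(("vulnerable_service_access", f"{service} [{cves}] status={status}"))
            if method not in ("GET", "POST"):
                # Security constraints scoped to GET and POST only can be bypassed
                # with other verbs (CVE-2010-0738 in the FLASH's table), so a HEAD
                # that gets 200 from an admin console deserves a closer look.
                findings.append(("verb_tampering_suspected", f"{method} {path} status={status}"))
    if ARTIFACT_PATTERN.search(path):
        findings.append(("post_exploitation_artifact", path))
    return findings


def analyze_access_log(log_text: str):
    """Parse the log and group findings by client: {ip: [(time, finding, detail), ...]}."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        for finding, detail in classify_request(m["method"], m["path"], m["status"]):
            by_client[m["ip"]].append((m["time"], finding, detail))
    return dict(by_client)


def likely_compromised_clients(log_text: str):
    """Clients that touched a vulnerable service and afterwards requested a deployed
    artefact: the probe-then-shell order the FLASH describes. A 401 on a console
    alone (198.51.100.4 above) is a scan, not a compromise."""
    result = []
    for ip, events in analyze_access_log(log_text).items():
        kinds = [finding for _, finding, _ in events]  # log order == time order
        if "vulnerable_service_access" in kinds and "post_exploitation_artifact" in kinds:
            if kinds.index("vulnerable_service_access") < kinds.index("post_exploitation_artifact"):
                result.append(ip)
    return sorted(result)


if __name__ == "__main__":
    for ip, events in analyze_access_log(SAMPLE_ACCESS_LOG).items():
        for time, finding, detail in events:
            print(ip, time, finding, detail)
    print("likely compromised:", likely_compromised_clients(SAMPLE_ACCESS_LOG))
```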


    Defending Against Ransomware Generally

    Precautionary measures to mitigate ransomware threats include:

    Ensure anti-virus software is up-to-date.

    Implement a data back-up and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location. Backup copies of sensitive data should not be readily accessible from local networks.

    Scrutinize links contained in e-mails, and do not open attachments included in unsolicited e-mails.

    Only download software, especially free software, from sites you know and trust.

    Enable automated patches for your operating system and Web browser.

    Administrative Note

    This product is marked TLP: GREEN. The information in this product is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share this information with peers and partner organizations within their sector or community, but not via publicly accessible channels. No portion of this product should be released to the media, posted to public-facing Internet Web sites, or transmitted over non-secure, external communications channels.

    Your Feedback Regarding this Product is Critical

    Please take a few minutes to send us your feedback. Your feedback submission may be anonymous. We read each submission carefully, and your feedback will be extremely valuable to the FBI. Feedback should be specific to your experience with our written products to enable the FBI to make quick and continuous improvements to these products. Feedback may be submitted online here: https://www.ic3.gov/PIFSurvey


    TLP: GREEN

    18 February 2016
    Alert Number MC-000068-MW

    Please contact the FBI with any questions related to this FLASH Report at either your local Cyber Task Force or FBI CYWATCH.

    Email: [email protected]

    Phone: 1-855-292-3937

    Local Field Offices: www.fbi.gov/contact-us/field

    FBI Liaison Alert System

    This product is released at TLP: GREEN. The information in this product is useful for the awareness of all participating organizations, as well as with peers within the broader community or sector. Recipients may share this information with peers and partner organizations within their sector or community, but not via publicly accessible channels.

    The FBI is providing the following information with high confidence:

    Summary

    The threat of ransomware continues to grow due to the relative availability of necessary tools, as well as the potential for extorting large sums of money. Modern ransomware uses strong encryption to render victims' files unreadable until the attackers are paid, often in Bitcoin, and release the encryption keys. In a new scheme, cyber criminals attempt to infect whole networks with ransomware and use persistent access to locate and delete network backups.

    Technical Details

    The FBI is providing indicators regarding businesses that were recently infected with a ransomware variant known as MSIL/Samas.A (a.k.a. Gen.Variant.Kazy or RDN/Ransom). Many of the executables and tools used in this intrusion are available for free through Windows or open source projects. The malware encrypts most file types with RSA-2048. In addition, the actor(s) attempt to manually locate and delete network backups. The FBI is distributing these indicators to enable network defense activities and reduce the risk of similar attacks in the future.


    Federal Bureau of Investigation, Cyber Division Flash Notification

    FBI indicators based on an ongoing investigation:

    Several victims have reported initial intrusion occurring via outdated JBOSS applications.

    After an initial compromise, attackers map, connect to, and infect hosts on the network using several uploaded files, which may include the following:

    Filename        MD5 Hash
    samsam.exe      a14ea969014b1145382ffcd508d10156
    csvde.exe       9f5f35227c9e5133e4ada83011adfd63
    del.exe         e189b5ce11618bb7880e9b09d53a588f
    selfdel.exe     710a45e007502b8f42a27ee05dcd2fba
    tunnel.jsp      caa05dd2f9fee1923a2b94b27187d48f
    tunnel.class    1a9403307958f52bcbbd985509241047

    csvde.exe is used to create a list of all hosts reporting to the active directory in a .csv file.

    The actor(s) then distribute the malware to each host in the network using a copy of Microsoft's psexec.exe, which may be named ps.exe.

    Ransomware is dropped in the C:\Windows\System32 directory as samsam.exe with a key file _PublicKey.xml, which is used to encrypt most file types in the system.

    It renames the encrypted files by adding "encrypted.RSA" to their extension.

    It then creates the file HELP_DECRYPT_YOUR_FILES.html in the root folder of the encrypted files, as well as in the %Desktop% folder.

    This html file contains the instructions on how to decrypt the files by asking you to pay a fee. The following are additional indicators of the executable file, samsam.exe:

    SHA-1 Hash: ff6aa732320d21697024994944cf66f7c553c9cd
    SHA-256 Hash: 0f2c5c39494f15b7ee637ad5b6b5d00a3e2f407b4f27d140cd5a821ff08acfac
    File Type: Portable Executable 32, .NET Assembly
    File Info: Microsoft Visual Studio .NET
    File Size: 213.50 KB (218624 bytes)
    Comments: MicrosoftSAM
    CompanyName: Microsoft
    FileDescription: MicrosoftSAM
    FileVersion: 2.4.8.4
    InternalName: samsam.exe
    LegalCopyright: Copyright 2014
    OriginalFilename: samsam.exe
    ProductName: MicrosoftSAM
    ProductVersion: 2.4.8.4
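    A host-artifact sweep keyed to the indicators above, written as an added example (it is not code from the bulletin or from the FBI): it walks a directory tree constructed inline for demonstration and reports the renamed files, ransom notes, staging artifacts and known-hash matches a responder would look for. It treats csvde.exe in %windir%\system32 as the legitimate built-in tool the IOC list describes and flags only copies found elsewhere.

```python
"""Host-artifact sweep for the Samas (samsam.exe) indicators in the FBI FLASH.

Added example, not part of the bulletin. File names, the .encrypted.RSA suffix,
the ransom-note name and the MD5 values come from the bulletin; the directory
tree scanned here is constructed for demonstration only.
"""
import hashlib
import os
import tempfile

# MD5 values of the uploaded tools, copied from the FLASH indicator list.
KNOWN_MD5 = {
    "a14ea969014b1145382ffcd508d10156": "samsam.exe",
    "9f5f35227c9e5133e4ada83011adfd63": "csvde.exe",
    "e189b5ce11618bb7880e9b09d53a588f": "del.exe",
    "710a45e007502b8f42a27ee05dcd2fba": "selfdel.exe",
    "caa05dd2f9fee1923a2b94b27187d48f": "tunnel.jsp",
    "1a9403307958f52bcbbd985509241047": "tunnel.class",
}
ENCRYPTED_SUFFIX = ".encrypted.rsa"           # appended to each encrypted file
RANSOM_NOTE = "help_decrypt_your_files.html"  # dropped per folder and on the Desktop
# Staging artifacts named in the FLASH. csvde.exe is handled separately because
# the IOC list notes it is a legitimate tool that lives in %windir%\system32.
DROPPER_NAMES = {"samsam.exe", "_publickey.xml", "ps.exe", "com.csv"}


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def match_hash(md5hex):
    """Return the tool name for a known Samas MD5, or None (case-insensitive)."""
    return KNOWN_MD5.get(md5hex.lower())


def in_system32(rel_dir):
    parts = [p.lower() for p in rel_dir.replace("\\", "/").split("/")]
    return parts[-2:] == ["windows", "system32"]


def scan_for_samas(root):
    """Walk `root` and collect the on-disk artifacts the FLASH describes."""
    findings = {"encrypted_files": [], "ransom_notes": [],
                "dropper_artifacts": [], "hash_hits": []}
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for name in files:
            rel = name if rel_dir == "." else os.path.join(rel_dir, name)
            lname = name.lower()
            if lname.endswith(ENCRYPTED_SUFFIX):
                findings["encrypted_files"].append(rel)
            elif lname == RANSOM_NOTE:
                findings["ransom_notes"].append(rel)
            elif lname in DROPPER_NAMES:
                findings["dropper_artifacts"].append(rel)
            elif lname == "csvde.exe" and not in_system32(rel_dir):
                # A copy outside System32 (e.g. in a JBoss webapp) is the uploaded-tool pattern.
                findings["dropper_artifacts"].append(rel)
            tool = match_hash(md5_of(os.path.join(dirpath, name)))
            if tool:
                findings["hash_hits"].append((rel, tool))
    return findings


def looks_like_samas(findings):
    """Escalate on encryption output (renamed files plus notes) or staging evidence."""
    encrypted = bool(findings["encrypted_files"]) and bool(findings["ransom_notes"])
    staged = bool(findings["hash_hits"]) or any(
        os.path.basename(p).lower() == "samsam.exe"
        for p in findings["dropper_artifacts"])
    return encrypted or staged


def build_sample_tree():
    """Create a constructed directory tree that mimics an affected host (demo only)."""
    root = tempfile.mkdtemp(prefix="samas_demo_")
    layout = {  # contents are placeholders, not real malware bytes
        "Users/alice/Desktop/HELP_DECRYPT_YOUR_FILES.html": b"<html>pay</html>",
        "Users/alice/Documents/HELP_DECRYPT_YOUR_FILES.html": b"<html>pay</html>",
        "Users/alice/Documents/report.docx.encrypted.RSA": b"\x00ciphertext\x00",
        "Users/alice/Documents/notes.txt": b"untouched",
        "Windows/System32/samsam.exe": b"MZ demo",
        "Windows/System32/_PublicKey.xml": b"<RSAKeyValue/>",
        "Windows/System32/csvde.exe": b"MZ demo",      # legitimate location
        "jboss/deploy/x.war/csvde.exe": b"MZ demo",    # suspicious location
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root
```

    Run scan_for_samas against a mounted image or a live root and feed hash_hits and dropper_artifacts into the incident timeline; the name-based checks find the post-encryption state even when the samsam.exe binary has already been removed by selfdel.exe.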


    Defending Against Ransomware

    Precautionary measures to mitigate ransomware threats include:

    Ensure anti-virus software is up-to-date.

    Implement a data back-up and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location. Backup copies of sensitive data should not be readily accessible from local networks.

    Scrutinize links contained in e-mails, and do not open attachments included in unsolicited e-mails.

    Only download software, especially free software, from sites you know and trust.

    Enable automated patches for your operating system and Web browser.

    Administrative Note

    This product is marked TLP: GREEN. The information in this product is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share this information with peers and partner organizations within their sector or community, but not via publicly accessible channels. No portion of this product should be released to the media, posted to public-facing Internet Web sites, or transmitted over non-secure, external communications channels.

    File Attachment: FLASH MC-000068-MW v2.pdf

    Ransom:MSIL/Samas.A IOC List


    Malicious Indicators Associated with Ransom:MSIL/Samas.A

    Filename | Size / file details | Comments
    tunnel_jsp.class | 5.59 KB (5,729 bytes) | 
    tunnel.class | | Used to proxy RDP sessions over HTTP.
    tunnel_jsp.java | 6.37 KB (6,526 bytes) | 
    reg1.bat | 148 bytes | Launches sqlsrvtmg1.exe for each computer name found in list.txt.
    Temp33.zip | 1.9 MB (1,981,014 bytes) | Zip folder containing f.bat, f1.bat, list.txt, ps.exe, reg.bat, reg1.bat, samsam.exe, sqlsrvtmg1.exe, and multiple public keys (PA incident).
    f.bat | 191 bytes, batch script | Copies samsam.exe and (computer name)_public key.keyxml to C:\windows\system32\ for each computer name found in list.txt and silently deletes all shadow copies.
    list.txt | 4.37 KB (4,477 bytes) | A list of computer names.
    jbossass.war | 685 bytes | 
    jbossass.jsp | 378 bytes | 
    privkey.zip | 645 KB (660,763 bytes) | Zip folder containing multiple private keys.
    dec.exe | 13.5 KB, version 1.0.0.0, Copyright 2015, Win32 console .NET executable, compiled Sat Jan 30 19:36:33 2016, product SAMDdec.exe | samsam.exe decryption executable from tinyupload (PA incident).
    sqlsrvtmg1.exe | 8.5 KB (8,704 bytes), version 2.4.8.3, Copyright 2000, original filename delfiletype.exe, product "Microsoft Del Update", Win32 GUI .NET executable, compiled 1/30/16 22:00, found by VirusTotal | An executable that deletes any file with the appended name "backup" or one of the extensions .abk, .ac, .back, .backup, .backupdb, .bak, .bb, .bk, .bkc, .bke, .bkf, .bkn, .bkp, .bpp, .bup, .cvt, .dbk, .dtb, .fb, .fbw, .fkc, .jou, .mbk, .old, .rpb, .sav, .sbk, .sik, .spf, .spi, .swp, .tbk, .tib, .tjl, .umb, .vbk, .vib, .vmdk, .vrb, .wbk.
    reg2.bat | 147 bytes | 
    selfdel.exe | | A C# .NET compiled binary that deletes samsam.exe. Found embedded in samsam.exe.
    tunnel.jsp | 4.65 KB (4,768 bytes) | 
    wC.vbs | 308 bytes | 
    p.bat | 490 bytes | 
    csvde.exe | | A Microsoft tool that imports and exports data from Active Directory Domain Services and stores that data in a comma-separated value (csv) file. Csvde is a legitimate command-line tool that is built into Windows Server and resides in the %windir%\system32 directory.
    reg.bat | | Used to launch samsam.exe.
    PSEXESVXC.EXE | 176 KB (181,064 bytes) | 
    ps.exe (PsExec) | 373 KB (381,816 bytes), Sysinternals PsExec 1.98, Win32 console executable built with Microsoft Visual C++ 8, compiled Mon Apr 26 20:23:59 2010 | 
    f0.bat | 190 bytes | 
    help.txt | 484 bytes | Help file for dec.exe.
    tunnel.jsp (second sample) | | Used to proxy RDP sessions over HTTP.
    del.exe | 568 KB (581,732 bytes), version 1.61, Copyright 1999-2012 Mark Russinovich, original filename sdelete.exe, Win32 console executable built with Microsoft Visual C++ 8, compiled Sat Jan 14 18:06:53 2012 | 
    f.bat (second sample) | 92 bytes | 
    f1.bat | 93 bytes, batch script | Copies sqlsrvtmg1.exe to C:\windows\system32\ for each computer name found in list.txt.
    com.csv | | The output file from csvde.exe.
    css.jsp | | Modified version of the web shell JSP File Browser. JSP File Browser is a program that allows remote web-based file access and manipulation, such as uploading and downloading files, deleting files, creating directories and launching external programs.
    HELP_DECRYPT_YOUR_FILES.html | | An HTML page that directs victims to a WordPress site and bitcoin address for payment.
    invodermngrt.war | | A file uploaded within the JBOSS directory containing css.jsp and csvde.exe.
    list.txt or list.csv | | A list of hosts on the network.
    ok.txt, faid.txt | | Recorded which machines were currently present on the network.
    reGeorg | | Open source tool used to tunnel RDP over HTTP (as 127.0.0.1:).
    metasploit.dat | | Metasploit.dat file for Java payloads: Spawn=2, URL=http://103.1.184.92:8080/INITJM
    metasploit.dat (second sample) | | Metasploit.dat file for Java payloads: Spawn=2, LHOST=2.10.169.223, LPORT=4444
    tuy.zip | | Compressed zip file containing f.bat, list.txt, ps.exe, pubkey.zip, reg.bat and samsam.exe.

    Decrypt Software and Help Files


    Antivirus Scan Results

    Scan engine | Detection
    Ad-Aware | Gen:Variant.Kazy.782539
    AegisLab | Gen.Variant.Kazy!c
    Agnitum | (none)
    AhnLab-V3 | (none)
    Alibaba | (none)
    ALYac | Gen:Variant.Kazy.782539
    Antiy-AVL | Trojan/Win32.SGeneric
    Arcabit | Trojan.Kazy.DBF0CB
    Avast | Win32:Malware-gen
    AVG | Ransomer.KVY
    Avira (no cloud) | TR/Ransom.218624.3
    AVware | Trojan.Win32.Generic!BT
    Baidu-International | (none)
    BitDefender | Gen:Variant.Kazy.782539
    Bkav | (none)
    ByteHero | (none)
    CAT-QuickHeal | Ransom.Samas.r3
    ClamAV | (none)
    CMC | (none)
    Comodo | (none)
    Cyren | W32/Ransom.MPPP-7951
    DrWeb | Trojan.Encoder.3969
    Emsisoft | Gen:Variant.Kazy.782539 (B)
    eScan | Gen:Variant.Kazy.782539
    ESET-NOD32 | MSIL/Filecoder.AR
    Fortinet | W32/Agent.WB!tr
    F-Prot | (none)
    F-Secure | Trojan:W32/NomadSnore.D
    GData | Gen:Variant.Kazy.782539
    Ikarus | Ransom.MSIL.Samas
    Jiangmin | (none)
    K7AntiVirus | Riskware ( 0040eff71 )
    K7GW | Riskware ( 0040eff71 )
    Kaspersky | Trojan-Ransom.MSIL.Agent.wc
    Malwarebytes | Ransom.FileCryptor
    McAfee | Ransomware-SAMAS!A14EA969014B
    McAfee-GW-Edition | Ransomware-SAMAS!A14EA969014B
    Microsoft | Ransom:MSIL/Samas.A, Ransom:MSIL/Samas.B
    NANO-Antivirus | (none)
    nProtect | (none)
    Panda | Trj/GdSda.A
    Qihoo-360 | HEUR/QVM03.0.Malware.Gen
    Rising | PE:Malware.Generic/QRS!1.9E2D [F]
    Sophos | Troj/Ransom-CIG
    SUPERAntiSpyware | (none)
    Symantec | Trojan.Gen
    Tencent | (none)
    TheHacker | (none)
    TotalDefense | (none)
    TrendMicro | Ransom_CRYPSAM.B
    TrendMicro-HouseCall | Ransom_CRYPSAM.B
    VBA32 | (none)
    VIPRE | Trojan.Win32.Generic!BT
    ViRobot | Trojan.Win32.Z.Agent.218624.AI[h]
    Zillya | Dropper.Agent.Win32.229787
    Zoner | (none)

    File Attachment: samas_a_ioc_list.xls


    (U) PREVENTATIVE MEASURES (APPLICABLE TO BOTH ATTACK TYPES)

    (U//FOUO) Be very careful about opening unsolicited attachments. Because ransomware/malware continues to evolve toward defeating anti-virus and intrusion detection systems, the best preventative measures are not to click on malicious links in email, not to download and open malicious email attachments, and not to download infected or malicious free software.

    (U//FOUO) USER EDUCATION is a key prevention practice. Implementing a cyber security awareness program with periodic, realistic training can significantly reduce the risk of ransomware and malware attacks through phishing emails. One security company measuring 300,000 users over a year's time saw clicks on malicious email drop from 15.9 percent to 1.2 percent once training had been implemented.8

    (U) SUGGESTED PROTECTIVE MEASURES

    (U) Implement a comprehensive backup process
    o Offline copies with versioning capabilities.
    o Don't depend on default backups to the cloud.
    o Test the effectiveness and validity of backups periodically.

    (U) Segment enterprise network(s)
    o Separate functional areas with firewalls.
    o Implement and enforce detailed access policies by department.
    o Separate client and server networks, so systems and services can only be accessed if really necessary.

    (U) Don't enable macros by default.
    o Most Windows ransomware in recent months has been embedded in documents distributed as email attachments.
    o Consider using Microsoft Office viewers. These viewers will let you see what a document looks like but do not support macros.

    (U) Implement least privilege policies.
    o Don't give more login power than needed.
    o Don't stay logged in as an administrator any longer than is strictly necessary.
    o Avoid browsing, opening documents or other regular work activities while you have Administrator rights.

    (U) Keep your operating system and software up-to-date with the latest patches.
    o Vulnerable applications and operating systems are the target of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
    o Often too much faith is placed in antivirus software while patching is ignored. Securing an environment is a multi-front campaign, and over-reliance on one strategy can lead to a network/system compromise.

    (U) Keep Anti-Virus and IDS software up to date.
    o Many strains of malware are becoming increasingly resistant to signature-based detection; if signatures and the software itself are not kept current, it will not be able to deal with new strains of malware.

    (U) Use application whitelisting to help prevent malicious software and unapproved programs from running.
    o Application whitelisting is one of the best security strategies, as it allows only specified programs to run while blocking all others, including malicious software.

    (U) Implement Defense-in-Depth processes.
    o The defense-in-depth strategy encourages businesses to use a variety of security practices and technology to deter any one threat. Technologies or processes may be circumvented by attackers, and when they are circumvented, a lack of multiple layers enables ransomware to propagate should one defense layer fail.

    (U) Keep informed about new security features or newly discovered vulnerabilities in your application and operating system software.

    (U) REPORTING NOTICE

    (U) Please report any occurrence or attempt at ransomware extortion or any other cyber related incident to:

    FBI CYWATCH Email: [email protected] Phone: 855-292-3937 or

    KCTEW Cyber Intelligence Email: [email protected] Phone: 816-413-3588

    This product pertains to Standing Information needs: HSEC-1, KCTEW-SIN01.13.2, KCTEW-SIN01.13.3, KCTEW-SIN01.13.4, KCTEW-SIN01.13.5

    THIS PRODUCT IS INTENDED FOR THE CYBERSECURITY AND CRITICAL INFRASTRUCTURE / KEY RESOURCES COMMUNITIES.

    The KCTEW CTIP (Cyber Threat Intelligence Program) does not provide consulting, remediation or investigative services, but supplies information about specific threats, analysis and other information to its Federal, State, Local, Tribal and Private Industry partners to utilize in their Cyber Terrorism/Cyber Crime prevention efforts.

    Comments and questions regarding this product should be directed to:

    KCTEW CTI Staff 816-413-3588

    [email protected]
