Why malware like the Samsam ransomware are so dangerous for hospitals?

The FBI issued a confidential urgent “Flash” message to the businesses and organizations about the Samsam Ransomware, why it is so dangerous?

It is emergency, every week security experts launch an alert on a new ransomware, the extortion practice is becoming a profitable business for criminal gangs worldwide. Recently the US and Canada issued a joint warning about the recent surge in ransomware infections. According to the Reuters, the FBI issued a confidential urgent “Flash” message to the businesses and organizations about the Samsam Ransomware, that targeted several hospitals. The law enforcement Agency also shared IoC for the Samsam threat to help organizations monitoring for infections.

The law enforcement Agency also shared IoC for the Samsam threat to help organizations monitoring for infections.

“The FBI is distributing these indicators to enable network defense activities and reduce the risk of similar attacks in the future,” the advisory said.” states the advisory.Among the victims of the Samsam Ransomware there is the MedStar non-profit group that manages 10 hospitals in the Baltimore and Washington area.The bad actors behind the attack on MedStar requested 45 Bitcoins (about US$18,500) for restoring the encrypted files.

MedStar did not pay the Ransom because it has a backup of the encrypted information, a situation rare that advantage the attackers behind ransomware-based campaigns.

The IT department of the MedStar Hospital detected the infection at an early stage and was able to stop the Samsam Ransomware from infecting internal systems.

The MedStar incident demonstrates that a proper security posture, an early response and the implementation of effective best practices like data backup are necessary steps for a right approach to prevent damage from ransomware-based attacks.

In the specific case, the Samsam ransomware is not a new threat, it has been around since last few years targeting businesses and organizations worldwide.

Samsam is considered a very interesting threat by experts because it doesn’t require the victim’s interaction.

Typical victims get a ransomware infection by clicking on a malicious link, by opening an attachment or through a malvertising, but the Samsam ransomware targets servers instead end-users.

The threat first exploits unpatched vulnerabilities in JBoss application servers by using JexBoss, an open-source penetration testing tool. Once exploited the flaws, the attackers get remote shell access to the infected servers and install the Samsam ransomware onto the targeted Web application server.

Once the server has been compromised, attackers use it to spread the ransomware client to Windows machines and encrypt their files.

“The Samas infection chain diagram illustrates how Ransom:MSIL/Samas gets into the system.   It starts with a pen-testing/attack server searching for potential vulnerable networks to exploit with the help of a publicly-available tool named reGeorg, which is used for tunnelling. Java-based vulnerabilities were also observed to have been utilized, such as Java-based vulnerabilities were also observed to have been utilized, such as CVE-2010-0738 related to outdated JBOSS server applications.

It can use other information-stealing malware (Derusbi/Bladabindi) to gather login credentials as well.  When it has done so, it will list the stolen credentials into a text file, for example, list.txt, and use this to deploy the malware and its components through a third party tool named psexec.exe through batch files that we detect as Trojan:BAT/Samas.B and Trojan:BAT/Samas.C.” states a blog post published by Microsoft on the threat.


Such kind of threat is particularly insidious for any organizations, especially the ones that works directly with the public, like transportation services and hospitals.

The number of ransomware infections in the healthcare industry is rapidly increasing, the threats in many cases are able to cause the paralysis of the infrastructure with serious damages in the middle and long term.

In February, two German hospitals were infected by a ransomware, in a similar way occurred recently at the US Hollywood Presbyterian Medical Center. The Los Angeles hospital paid about $17,000 to the crooks for restoring patients’ files.

Recently the systems at the Methodist Hospital in Kentucky that’s been infected. According to NewsChannel10, the Methodist Hospital in Henderson was hit my a ransomware that locked patients’ files and is demanding money for to regain access to them.  Officials say that the hospital paid about $17,000 to those hackers for the access back to the patients’ files.

Pierluigi Paganini

April 6, 2016

cyber defense awardsWe are in our 11th year, and Global InfoSec Awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.
Cyber Defense Awards

12th Anniversary Global InfoSec Awards for 2024 are now Open! Take advantage of co-marketing packages and enter today!