Wanted by the FBI: ransomware, dead or alive

Federal agents ask for help in tracking down “suspects” on the loose.

You can call him “Samas.” He is one of the Federal Bureau of Investigation’s most wanted right now.

But Samas is not human—he’s a breed of ransomware that is terrorizing people across the U.S.

“We need your help!” the FBI said in a confidential emergency advisory, according to Reuters: help exposing Samas before he strikes again, and again.

The advisory was dated March 25 and went out to businesses and software security experts, Reuters reported. The FBI is raising the alarm because the hostage-takers behind “Samas” are increasing their search for victims, the BBC said.

A number of hospitals have been hit by ransomware attacks in the last few months, from a Canadian hospital that refused to pay but recovered its computers to a Hollywood hospital that was sent into a tailspin and paid $17,000 in ransom.

Who is Samas?

His full name is MSIL/Samas.A, according to the FBI, and he can come in several different forms.

Researchers at Microsoft say MSIL/Samas is different from your typical ransomware that comes through a sneaky e-mail that convinces you to click on something or give away your username and password.

This malware, emerging in the past few months, gets in another way. Researchers said in a post that it looks for systems with outdated software, particularly JBOSS software, and then tunnels in.

The result is a note on your computer, from Samas, telling you your files are encrypted, and they have the key, Microsoft researchers said:

You just have 7 days to send us the Bitcoin after 7 days we will remove your private key and it’s impossible to recover your files.

Conveniently, the message explains how you can get bitcoin with Western Union, a bank wire, a cash deposit and more, and suggests you look up the encryption method on Wikipedia if you would like to know more about how locked up you really are.

How did he get his name? Microsoft says it combines information about the malware’s platform, family name and variant into one name, like this: platform/family.variant. Thus, Samas’ technical name, according to Microsoft, would be MSIL/Samas.A.

More damage

The FBI said MSIL/Samas.A can lock up entire networks, not just one computer at a time, as some ransomware has done in the past, Reuters reported.

The agency wants organizations to check to see if they have been attacked, or have found other evidence, and if so, to contact the FBI’s CYWATCH cyber center, the alert said.

“Presumably, they would be looking for clues as to the identity of the attackers and/or a way to shut down or disrupt their infrastructure,” said Razvan Stoica with cybersecurity company Bitdefender.

Which is better, dead or alive?

If you spot Samas, report him. But bullet casings and fingerprints won’t be the evidence that will bring Samas down. 

Agents will want samples of the ransomware, network logs and, best of all, a case of the ransomware actually in operation for “live” analysis, Stoica told Archer News.

“If the FBI can collect victim data, it can start compiling IOCs [indicators of compromise] and collecting intelligence, especially the money trail,” said Dewan Chowdhury with SCADA (supervisory control and data acquisition) security company MalCrawler.

“The FBI’s cyber task force has agents in Eastern Europe, and if the trail leads there, they can utilize their counterparts in those countries to assist in the investigation,” he added.

Who is behind Samas?

The digital evidence investigators want may also uncover the systems the computer kidnappers are using to do their dirty work.

“This kind of data could lead to the discovery of command and control servers, which can then be seized to further track down the perps or simply shut down, hopefully also retrieving keys in the process,” said Stoica.

It can be hard to track down command and control servers for ransomware, Stoica said.

“With Tor [an anonymous communication network] adoption among cybercriminals on the rise, it is getting harder,” he said.

Urgent alert

“Ransomware has been around for a while, but why is it that all of sudden the FBI takes interest in it?” asked Chowdhury.

“The amount of high-profile victims like hospitals has allowed this malware to make the front page of major news publications and talked about by common people,” he explained. “The public and industry is demanding justice for the perpetrators behind the malware attacks.”

In addition, some other kinds of cyber attacks have decreased, he said.

“Cyber espionage is almost at a standstill because the Chinese espionage activity in America is currently paused,” Chowdhury told Archer News. “So this opens up resources for the federal law enforcement agencies to focus on other cyber crime, like ransomware.”

Fending off Samas

Ransomware is not going away, and using a “layered approach” of computer defenses is the best way to protect yourself, Cisco’s Talos threat intelligence organization said in an advisory.

“However, one of the most effective ways to protect yourself is by simply backing up valuable files,” the advisory said. “Victims often find that at the moment when backups are most needed, they are either non-existent or incomplete. These lapses provide the revenue stream that is currently fueling the development of ransomware.”
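The Talos point above is easy to state and easy to neglect: a backup that is missing files, holds truncated copies, or has not run in days is discovered only when the ransom note appears. The script below is an added example (it is not code from the article, from Talos or from Microsoft) that checks a backup set against its source tree before an incident rather than during one: every source file must exist in the backup, match it by SHA-256, and the newest backup file must be younger than an assumed one-day freshness policy. The sample files, directory layout and the deliberately broken backup are all constructed inside the script so it runs offline.

```python
"""Verify that a backup set is present, complete and fresh.

Added example, not from the article or the vendors it quotes. The one-day
freshness policy (MAX_AGE_SECONDS) and all sample files are assumptions
constructed here for demonstration.
"""
import hashlib
import os
import shutil
import tempfile
import time
from dataclasses import dataclass, field
from pathlib import Path
from typing import List, Optional

MAX_AGE_SECONDS = 24 * 60 * 60  # assumed policy: a backup older than one day is stale


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


@dataclass
class BackupReport:
    present: bool = True                                  # backup directory exists at all
    checked: int = 0                                      # source files compared
    missing: List[str] = field(default_factory=list)      # in source, absent from backup
    mismatched: List[str] = field(default_factory=list)   # present but content differs
    stale: bool = False                                   # newest backup file is too old

    @property
    def ok(self) -> bool:
        return self.present and not self.missing and not self.mismatched and not self.stale


def verify_backup(source: Path, backup: Path, max_age: int = MAX_AGE_SECONDS,
                  now: Optional[float] = None) -> BackupReport:
    """Compare every file under `source` with its copy under `backup`."""
    now = time.time() if now is None else now
    report = BackupReport()
    if not backup.is_dir():
        report.present = False        # the 'non-existent' case from the advisory
        return report
    newest = 0.0
    for src_file in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src_file.relative_to(source).as_posix()
        dst_file = backup / rel
        report.checked += 1
        if not dst_file.is_file():
            report.missing.append(rel)
            continue
        if sha256_of(src_file) != sha256_of(dst_file):
            report.mismatched.append(rel)
        newest = max(newest, dst_file.stat().st_mtime)
    # An empty backup set, or one whose newest file is older than policy, is stale.
    report.stale = (now - newest) > max_age
    return report


def demo() -> dict:
    """Build a constructed source tree, a good backup, then a broken one."""
    root = Path(tempfile.mkdtemp(prefix="backupcheck-"))
    try:
        source, backup = root / "source", root / "backup"
        for rel, data in {"docs/report.txt": b"quarterly numbers",
                          "db/patients.csv": b"id,name\n1,alice\n",
                          "notes.txt": b"todo"}.items():
            path = source / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
        shutil.copytree(source, backup)
        good = verify_backup(source, backup)
        # Simulate the lapses Talos describes: a file never backed up,
        # a truncated copy, and a backup job that last ran three days ago.
        (backup / "notes.txt").unlink()
        (backup / "docs/report.txt").write_bytes(b"quarterly")
        old = time.time() - 3 * 24 * 60 * 60
        for p in backup.rglob("*"):
            if p.is_file():
                os.utime(p, (old, old))
        bad = verify_backup(source, backup)
        absent = verify_backup(source, root / "nowhere")
        return {"good": good, "bad": bad, "absent": absent}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, "OK" if report.ok else "FAIL", report)
```

Run it as-is to see one passing and two failing reports; for a real backup, point `verify_backup` at the live source tree and the mounted backup copy and run it on a schedule, treating any `ok == False` result as a ticket to fix before it is needed. Hashing the backup copy, rather than only checking that a file of the right name exists, is what catches partial or corrupted copies.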

Microsoft researchers recommended that organizations use two-factor authentication with Microsoft Passport and Windows Hello, make sure a strong password policy is being followed, disable the loading of macros in Office programs, and keep software up to date.

This will help you say “no mas” to Samas ransomware, said Marianne Mallen with Microsoft.