Background: This is a new ransomware attack technique that does not use a phishing e-mail or malvertising as the attack vector. Instead, the attackers exploit a known vulnerability in JBoss in the customer's environment. The compromised server is used to analyze the customer's network and as a distribution point for tools pushed to vulnerable endpoints in the network. Ransomware is then distributed to those endpoints, files are encrypted, and the user is presented with instructions on how to purchase a key that will decrypt their files.
FirePOWER: existing SIDs 18794, 24642, 21516, 24342, 24343, 21517, and 29909, as well as new SIDs 38279, 38280, and 38304, detect activity related to this ransomware.
FireAMP: hashes that block the binaries on the network or at the endpoint have been added.
ClamAV: signatures named Win.Ransomware.Samas-* detect the malware on endpoints.
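A coverage check for the detections listed above, added here as an example and not part of the Talos advisory or its tooling: it reads a local Snort rules file, a Snort fast.log and clamscan output and reports which of the advisory's SIDs are present and enabled, which of them fired, and which files ClamAV flagged under Win.Ransomware.Samas-*. All embedded inputs are constructed placeholders (the rule text, paths and the Samas-1234 suffix are not real).

```python
"""Added coverage check for the SamSam advisory above (not Talos code): checks
advisory SIDs in a Snort rules file and fast.log, and Samas hits in clamscan output."""
import fnmatch
import re

SAMAS_SIDS = {18794, 24642, 21516, 24342, 24343, 21517, 29909, 38279, 38280, 38304}
CLAMAV_PATTERN = "Win.Ransomware.Samas-*"          # ClamAV family name from the advisory
_RULE_SID = re.compile(r"\bsid:\s*(\d+)\s*;")       # sid:NNNN; inside a Snort rule
_ALERT_REF = re.compile(r"\[(\d+):(\d+):(\d+)\]")   # [gid:sid:rev] in fast.log
_CLAM_HIT = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

def rules_coverage(rules_text):
    """Map every advisory SID to 'enabled', 'disabled' (commented out) or 'missing'."""
    state = {sid: "missing" for sid in SAMAS_SIDS}
    for line in rules_text.splitlines():
        m = _RULE_SID.search(line)
        if m and int(m.group(1)) in state:
            state[int(m.group(1))] = "disabled" if line.lstrip().startswith("#") else "enabled"
    return state

def fired_sids(fast_log_lines):
    """Count fast.log alerts whose SID is one of the advisory's."""
    counts = {}
    for line in fast_log_lines:
        m = _ALERT_REF.search(line)
        if m and int(m.group(2)) in SAMAS_SIDS:
            counts[int(m.group(2))] = counts.get(int(m.group(2)), 0) + 1
    return counts

def clamav_hits(clamscan_lines):
    """Return (path, signature) for clamscan lines matching the Samas family only."""
    hits = []
    for line in clamscan_lines:
        m = _CLAM_HIT.match(line.strip())
        if m and fnmatch.fnmatchcase(m.group("sig"), CLAMAV_PATTERN):
            hits.append((m.group("path"), m.group("sig")))
    return hits

# Constructed sample inputs: placeholder rule text, alerts and scan results, not real data.
SAMPLE_RULES = """\
alert tcp any any -> any 8080 (msg:"placeholder"; sid:38279; rev:1;)
# alert tcp any any -> any 8080 (msg:"placeholder"; sid:38280; rev:1;)
"""
SAMPLE_FAST_LOG = [
    "03/28-10:15:23.000001  [**] [1:38279:1] placeholder [**] {TCP} 198.51.100.7:44321 -> 10.0.0.9:8080",
    "03/28-10:15:24.000002  [**] [1:38279:1] placeholder [**] {TCP} 198.51.100.7:44322 -> 10.0.0.9:8080",
]
SAMPLE_CLAMSCAN = [
    "/srv/share/tools/enc.exe: Win.Ransomware.Samas-1234 FOUND",
    "/srv/share/readme.txt: OK",
]
```

Run `rules_coverage(SAMPLE_RULES)`, `fired_sids(SAMPLE_FAST_LOG)` and `clamav_hits(SAMPLE_CLAMSCAN)` against your own rules file, fast.log and clamscan output to see which of the advisory's detections are deployed, enabled and actually firing.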
A Talos blog post with more detailed information has been published at http://blog.talosintel.com/2016/03/samsam-ransomware.html