fohinkle
Community Member

Background: This is a new ransomware attack technique that does not use a phishing e-mail or malvertising as the vector of attack. Instead, the bad actors exploit a known vulnerability in JBoss in the customer's environment. The compromised server is used to analyze the customer's network, and as a distribution point for tools to vulnerable endpoints in the network. Ransomware is distributed to the endpoints, files are encrypted, and the user is provided with instructions on how to purchase a key that will decrypt their files.

FirePOWER: existing SIDs 18794, 24642, 21516, 24342, 24343, 21517, and 29909, as well as new SIDs 38279, 38280, and 38304, detect activities related to this ransomware.

FireAMP: hashes that will block the binary files on the network or the endpoint have been added.

ClamAV: signatures with the name Win.Ransomware.Samas-* will detect the malware on endpoints.

A Talos blog with more detailed information has been published at http://blog.talosintel.com/2016/03/samsam-ransomware.html
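The post lists the Snort SIDs that cover this activity but not how to confirm a sensor actually has them loaded and enabled. The following is an added example, not code from the post or from Cisco/Talos: it scans a Snort/FirePOWER rules file for the SIDs named above and reports which are enabled, which are present but commented out, and which are absent. The rule bodies in SAMPLE_RULES are constructed placeholders for the example only and are not the real Talos rules; the function and variable names are this example's own.

```python
import re
from typing import Dict, Set

# SIDs named in the post: the existing ones plus the three new ones.
SAMSAM_SIDS: Set[int] = {
    18794, 24642, 21516, 24342, 24343, 21517, 29909,  # existing
    38279, 38280, 38304,                              # new
}

# Matches the "sid:NNN;" option inside a rule's option block.
_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def sid_states(rules_text: str) -> Dict[int, bool]:
    """Map every SID found in a rules file to True (enabled) or False (disabled).

    A rule line that begins with '#' is treated as disabled, which is how
    rule packs ship rules that are present but not active. Lines without a
    sid option (blank lines, plain comments) are ignored. If a SID appears
    more than once, an enabled copy wins over a disabled one.
    """
    states: Dict[int, bool] = {}
    for line in rules_text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        match = _SID_RE.search(stripped)
        if not match:
            continue
        sid = int(match.group(1))
        enabled = not stripped.startswith("#")
        states[sid] = states.get(sid, False) or enabled
    return states


def coverage_report(rules_text: str, wanted: Set[int] = SAMSAM_SIDS) -> Dict[str, Set[int]]:
    """Split the wanted SIDs into enabled / disabled / missing for a rules file."""
    states = sid_states(rules_text)
    return {
        "enabled": {s for s in wanted if states.get(s) is True},
        "disabled": {s for s in wanted if states.get(s) is False},
        "missing": wanted - set(states),
    }


# Constructed sample rules file for this example. The rule bodies are
# placeholders and do not reproduce the real Talos rule content.
SAMPLE_RULES = """\
# constructed placeholder rules; the option bodies are not the real ones
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"placeholder 18794"; sid:18794; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"placeholder 24642"; sid:24642; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"placeholder 21516"; sid:21516; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"placeholder 38279"; sid:38279; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"placeholder 38280"; sid:38280; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"unrelated rule"; sid:1000001; rev:1;)
"""


if __name__ == "__main__":
    # Replace SAMPLE_RULES with open("/path/to/snort.rules").read() on a real sensor.
    report = coverage_report(SAMPLE_RULES)
    for state in ("enabled", "disabled", "missing"):
        print(f"{state:>8}: {sorted(report[state])}")
```

Run it against each sensor's deployed rules file rather than the downloaded rule pack: a SID can be in the pack yet still be commented out by the local policy, and that is exactly the case the "disabled" bucket catches.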
