Home / malware Ransom:MSIL/SamSam.D
First posted on 26 January 2018.
Source: MicrosoftAliases :
There are no other names known for Ransom:MSIL/SamSam.D.
Explanation :
Installation
This ransomware manually deploys after the attackers have gained access to your compromised PC.
The threat has two components, an encrypted payload and a runner. The runner can load the main payload, decrypt it in memory using the password provided as argument, and launch it. When launched, the runner will look for the payload to load. Some versions take the location of the payload as argument. Other versions look for a file with extension .stubbin to be present in current working directory. Upon lanching the main payload, it also forwards the second parameter to the main payload. The parameter is used by the main payload to load the RSA used for encryption process. Both the payload and the key are deleted at the end of the encryption. Before encrypting anything it creates a file under "%ProgramData%\greenwin\startinfo.bat" and runs it. The script checks every 5 seconds if the process is still running. If it isn't running, it deletes the executable file.
Payload
Encrypts and renames files
It encrypts files with these extensions:
.3dm .dtd .otp .tlg .3ds .dwg .ots .txt .3fr .dxb .ott .vb .3g2 .dxf .p12 .vob .3gp .dxg .p7b .wallet .3pr .eml .p7c .war .7z .eps .pab .wav .ab4 .erbsql .pages .wb2 .accdb .erf .pas .wmv .accde .exf .pat .wpd .accdr .fdb .pbl .wps .accdt .ffd .pbl .x11 .ach .fff .pcd .x3f .acr .fh .pct .xis .act .fhd .pdb .xla .adb .fla .pdd .xlam .ads .flac .pdf .xlk .agdl .flv .pef .xlm .ai .fmb .pem .xlr .ait .fpx .pfx .xls .al .fxg .php .xlsb .apj .gray .php5 .xlsm .arw .grey .phtml .xlsx .asf .gry .pl .xlt .asm .h .plc .xltm .asmx .hbk .png .xltx .asp .hpp .pot .xlw .aspx .htm .potm .xml .asx .html .potx .ycbcra .avi .ibank .ppam .yuv .awg .ibd .pps .zip .back .ibz .ppsm .backup .idx .ppsx .backupdb .iif .ppt .bak .iiq .pptm .bank .incpas .pptx .bay .indd .prf .bdb .jar .ps .bgt .java .psafe3 .bik .jpe .psd .bkf .jpeg .pspimage .bkp .jpg .pst .blend .jsp .ptx .bpw .kbx .py .c .kc2 .qba .cdf .kdbx .qbb .cdr .kdc .qbm .cdr3 .key .qbr .cdr4 .kpdx .qbw .cdr5 .lua .qbx .cdr6 .m .qby .cdrw .m4v .r3d .cdx .max .raf .ce1 .mdb .rar .ce2 .mdc .rat .cer .mdf .raw .cfp .mef .rdb .cgm .mfw .rm .cib .mmw .rtf .class .moneywell .rw2 .cls .mos .rwl .cmt .mov .rwz .config .mp3 .s3db .cpi .mp4 .sas7bdat .cpp .mpg .say .cr2 .mrw .sd0 .craw .msg .sda .crt .myd .sdf .crw .nd .sldm .cs .ndd .sldx .csh .nef .sql .csl .nk2 .sqlite .csv .nop .sqlite3 .dac .nrw .sqlitedb .db .ns2 .sr2 .db-journal .ns3 .srf .db3 .ns4 .srt .dbf .nsd .srw .dbx .nsf .st4 .dc2 .nsg .st5 .dcr .nsh .st6 .dcs .nwb .st7 .ddd .nx2 .st8 .ddoc .nxl .std .ddrw .nyf .sti .dds .oab .stw .der .obj .stx .des .odb .svg .design .odc .swf .dgc .odf .sxc .djvu .odg .sxd .dng .odm .sxg .doc .odp .sxi .docm .ods .sxm .docx .odt .sxw .dot .oil .tex .dotm .orf .tga .dotx .ost .thm .drf .otg .tib .drw .oth .tif
The encrypted files are renamed with:
This threat also stops all SQL processes running to ensure the databases are also encrypted. The files are also indexed first, and then encrypted based on file size and not directory path.
- .mention9823
- .disposed2017
- .suppose666
- .breeding123
It also avoids encrypting the following system-critical files on system root drive:
Drops ransom note
- /windows
- /winnt
- /reference assemblies\microsoft
- /recycle.bin
- /users\all users
- /documents and settings\all users
- /boot
- /users\default
This threat drops a ransom note as an HTML file in all of the affected directories and on the your desktop, with file names such as:Sample ransom note: The ransom note instructs you to acquire bitcoin and how to navigate to a .onion website where you recover your files.
- READ-FOR-DECCCC-FILESSS.html
- PLEASE-README-HOWTO-RECOVERY.html
We have seen the following .onion addresses in this context:
The launcher has been seen with different names:
- http://sqnhh67wiujb3q6x.onion/{uniqueid}
- http://fxn5ao5mmaktpsug.onion/{uniqueid}
- endeavor2.exe
- followed2.exe
- jiarons2.exe
- msvcsexec.exe
- norland2.exe
- r2.exe
- reprotin2.exe
- rn2.exe
- rn2l.exe
- rony2.exe
Related information
- Ransom:MSIL/Samas
- No mas, Samas: What's in this ransomware's modus operandi?
- A worthy upgrade: Next-gen security on Windows 10 proves resilient against ransomware outbreaks in 2017
Last update 26 January 2018