SambaCry exposes devices to vicious threats like Storagecrypt Ransomware

SambaCry appears to be a vulnerability that can affect an open-source software called Samba. The name Samba derives from Server Message Block or SMB in short; it is the name of a particular standard protocol necessary for the Windows network file system. Not so long ago researchers discovered this protocol’s vulnerability (ETERNALBLUE), and it was quickly exploited by cyber criminals who decided to use it for spreading their created malicious file-encrypting program known as WannaCry ransomware. Unfortunately, while Microsoft has released an update to patch the SambaCry vulnerability, it remained on Samba software for some time, and some cyber criminals found ways to exploit it too. Further, in the article, we will provide our readers with more details, so if you want to know more about this exploit, we encourage you to keep reading this article.

1_image

Samba can run on Unix, Linux, and a few more other systems. It is widely used to be able to work with Microsoft file and print services. Also, it both allows users to connect to Windows servers and acts as a server that can accept connections from Windows clients itself. According to computer security specialists, the vulnerability can affect all versions of the mentioned software released in the last seven years. It is believed the information that allowed to discover it was leaked together with the details about the ETERNALBLUE vulnerability; it is just it took some time before cyber criminals began exploiting it.

SambaCry is also known as EternalRed or CVE-2017-7494. The vulnerability may allow attackers open a command shell and use it to download various data or even execute commands on the targeted computer. One of the first reports talking about a threat actually using SambaCry showed up back in June 2017. Unlike the WannaCry ransomware exploiting ETERNALBLUE, the discovered malware was not a file-encrypting malicious application. It appeared to be a cryptocurrency miner; such software uses resources of the attacked devices to generate money for its creators by mining digital currencies like Bitcoin, Monero, and so on. One other thing the researchers who discovered it noticed was that the threat might have the ability to infect the attacked device with other malicious programs.

2_image

Furthermore, besides the mentioned cryptocurrency miner, with time there appeared other dangerous programs targeting devices with the SambaCry vulnerability. For instance, at the beginning of December 2017; computer security specialists learned about a file-encrypting malicious application called Storagecrypt Ransomware that targets network-attached storage or in other words NAS devices. This threat can attack any computer if it runs the Samba version with the vulnerability in question. Apparently, by exploiting it, the malware can place its malicious data on the targeted device and launch it remotely. Once it is done the storage should become infected, and the encryption process begins. During which, Storagecrypt Ransomware might lock all files located on the attacked NAS device with a secure encryption algorithm.

As a result, all encrypted data gains an additional .locked extension, and the user can no longer open it. The reports say Storagecrypt Ransomware leaves a ransom note demanding for ransom, which could be from 0.4 to 2 Bitcoins. Of course, for those of you who already encountered such a malicious program, we would advise being cautious. Even if the malware’s developers promise to deliver decryption tools or decipher locked data, there are no guarantees they will actually do so. In other words, by complying with their demands, the user would be gambling with his money. Therefore, one could only hope he will not come across such a malicious program. On the other hand instead of hoping it would be much smarter to get rid of the SambaCry vulnerability and so stop the potential threats that could try to exploit it.

3_image1

The official Samba website claims the software’s developers have released 4.6.4, 4.5.10 and 4.4.14 security releases that eliminate the vulnerability. It also tells users the patches can be found on samba.org/samba/patches and informs all “Samba vendors and administrators running affected versions are advised to upgrade or apply the patch as soon as possible.” Once the software gets updated, the vulnerability should disappear, which means your device could no longer be attacked by any threat exploiting devices via SambaCry.

References:

  1. Samba (software). Wikipedia.
  2. Paul Ducklin. Samba exploit - not quite WannaCry for Linux, but patch anyway! Naked Security by SOPHOS.
  3. Mikhail Kuzin, Yaroslav Shmelev, Dmitry Galov. SambaCry is coming. Securelist.
  4. Ionut Arghire. StorageCrypt Ransomware Targets NAS Devices via SambaCry Exploit. Security Week.
  5. CVE-2017-7494. Samba.