
SamSam ransomware: How is this version different from others?

Sophos recently discovered a SamSam ransomware variant that performs company-wide attacks using a range of vulnerability exploits. Discover how this version differs from past variants.

The most recent version of the SamSam ransomware has been observed deploying company-wide attacks using a variety of exploits targeting specific organizations. How does this differ from past SamSam ransomware attacks? What can enterprises do to mitigate this type of attack?

Malicious actors behind ransomware attacks have been paying increasing attention to their victims' incident response, business continuity and disaster recovery planning. Attackers started by targeting individual systems, then moved on to file shares, servers and databases, and now hit multiple computers on the same network, affecting an entire organization.

Attackers continue to exploit unpatched vulnerabilities to gain access to a targeted system, onto which they then deploy the ransomware, and the SamSam malware authors continue to develop new ways to monetize access to the systems they compromise.

Sophos recently published a whitepaper on how malicious developers continue to add new functionality to SamSam ransomware so that it can be used in targeted attacks.

The current version of SamSam retains the basic functionality used in earlier targeted attacks and relies on batch files to automate the attack, but recent updates let victims pay to recover data for individual systems and make the attack more modular.

The developers of SamSam moved the functionality for decrypting the attack payload into an external DLL that requires a password, which makes it easier to modify the functionality, avoid detection and adapt to different situations. Requiring a password to execute the SamSam decryptor could also make analysis more difficult, since the payload cannot be unpacked without it.

Sophos also released indicators of compromise for the updated SamSam ransomware samples and the decryptor module. Enterprises can mitigate this attack by starting with basic security controls to prevent ransomware infections and by using the indicators of compromise from Sophos to detect them.


This was last published in October 2018
