The most recent version of the SamSam ransomware has been observed deploying company-wide attacks using a variety of exploits targeting specific organizations. How does this differ from past SamSam ransomware attacks? What can enterprises do to mitigate this type of attack?
Malicious actors behind ransomware attacks have been paying increasing attention to their victims' incident response, business continuity and disaster recovery planning. The attacks have progressed from individual systems to file shares, servers and databases, and now to multiple computers on the same network, so that an entire organization is affected.
Attackers continue to exploit unpatched vulnerabilities to gain access to a targeted system and then deploy ransomware on it, and the SamSam authors continue to develop new ways to monetize that access.
Sophos recently published a whitepaper on how malicious developers continue to add new functionality to SamSam ransomware so that it can be used in targeted attacks.
The basic functionality of the current SamSam ransomware is built for targeted attacks and uses batch files to automate them; recent updates also let victims pay to recover the data on individual systems and make the attack more modular.
The developers of SamSam moved the functionality for decrypting the attack payload into an external DLL that requires a password, which makes it easier to modify the functionality, avoid detection and adapt to different situations. Because the payload cannot be decrypted without that password, requiring it to run the SamSam decryptor could also make analysis more difficult.
Sophos also released indicators of compromise for the updated SamSam ransomware samples and the decryptor module. Enterprises can mitigate this type of attack by starting with basic security controls, such as patching the vulnerabilities used for initial access, and by using the indicators of compromise from Sophos to detect and block the ransomware.
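One practical way to use file-hash indicators such as the ones Sophos published is a sweep that hashes every file under a directory and reports anything matching the IoC list. The script below is an added example, not code from the original answer or from Sophos; the hash values in it are constructed placeholders, and the `demo()` function builds a benign sample file of its own so the sweep can be exercised offline. Replace `IOC_SHA256` with the published indicators before using it.

```python
"""Hash-based IoC sweep for a directory tree (added example, not from the article)."""
import hashlib
import os
import tempfile

# Constructed placeholder IoCs: hypothetical labels and hash values, NOT the
# real indicators Sophos published. Load the published list here instead.
IOC_SHA256 = {
    "0" * 64: "placeholder-samsam-sample",
    "f" * 64: "placeholder-samsam-decryptor-dll",
}


def sha256_file(path, chunk_size=1 << 20):
    """Return the hex SHA-256 of a file, reading it in chunks to handle large files."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root, iocs=IOC_SHA256):
    """Walk root and return [(path, label)] for files whose SHA-256 is in iocs.

    Files that cannot be read (permissions, races with deletion) are skipped
    rather than aborting the sweep, so one unreadable file does not hide hits.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue
            if digest in iocs:
                hits.append((path, iocs[digest]))
    return hits


def demo():
    """Self-contained exercise: write a constructed benign file, register its
    hash as a (hypothetical) indicator, and confirm the sweep finds only it.
    Returns (matched_labels, misses_with_unrelated_iocs)."""
    with tempfile.TemporaryDirectory() as root:
        sample = os.path.join(root, "constructed-sample.bin")
        with open(sample, "wb") as fh:
            fh.write(b"constructed sample content, not malware")
        with open(os.path.join(root, "other.txt"), "wb") as fh:
            fh.write(b"unrelated file")
        iocs = dict(IOC_SHA256)
        iocs[sha256_file(sample)] = "constructed-test-indicator"
        matched = [label for _path, label in sweep(root, iocs)]
        misses = sweep(root, IOC_SHA256)  # placeholders match nothing real
    return matched, misses


if __name__ == "__main__":
    print(demo())
```

Run it against a suspect host's volumes or a file-server share; hashing is only one signal, so treat a hit as a trigger for incident response rather than as the whole investigation.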
Related Q&A from Nick Lewis