The most recent version of the SamSam ransomware has been observed deploying company-wide attacks using a variety of exploits targeting specific organizations. How does this differ from past SamSam ransomware attacks? What can enterprises do to mitigate this type of attack?
Malicious actors behind ransomware attacks have been giving increased attention to their victims' incident response, business continuity and disaster recovery planning. Attackers started by targeting individual systems, then moved on to file shares, servers, databases and now multiple computers on the same network, thus impacting an entire organization.
Attackers continue to use unpatched vulnerabilities to gain access to a targeted system, which they then inject with ransomware -- and the SamSam malware authors continue to develop new ways to monetize access to systems.
Sophos recently published a whitepaper on how malicious developers continue to add new functionality to SamSam ransomware so that it can be used in targeted attacks.
At its core, the current SamSam ransomware is deployed in targeted attacks and uses batch files to automate them, but recent updates have made the attack more modular and enabled victims to pay to recover data for individual systems.
The developers of the SamSam ransomware moved the functionality for decrypting the attack payload to an external DLL requiring a password, making it easier to modify the functionality, avoid detection and adapt to different situations. Requiring a password to execute the SamSam decryptor could make analysis more difficult.
Sophos also released indicators of compromise for the updated SamSam ransomware samples and the decryptor module. Enterprises can mitigate this attack by starting with basic security controls to prevent ransomware and by using the indicators of compromise from Sophos.