March 21, 2016 By Douglas Bonderud 2 min read

Companies are beefing up malware defenses and putting security pros on alert to corral new strains of infectious code. Cybercriminals, meanwhile, are changing their approach to leverage targeted rather than broad-stroke attacks.

According to SecurityWeek, a new ransomware called Samas has been spotted in the wild — and it’s using pen testing tools to seek out easily compromised systems and deliver a malware payload.

Piling on Ransomware

Samas was first noticed last quarter. Researchers from the Microsoft Malware Protection Center (MMPC) discovered not only infected systems, but also additional tools downloaded during deployment. Backtracking its infection vector, the team found Samas using a pen testing/attack server to uncover potentially vulnerable networks.

Once identified, a tunneling tool called reGeorg punched through existing protection while Java-based vulnerabilities, such as outdated JBOSS apps and an unsafe Java Native Interface (JNI), were used to compromise victim PCs. Combined with information-stealing malware, attackers had everything they needed to collect login credentials and install their particular brand of ransomware on targeted systems.

It’s worth noting that when Samas first began encrypting user files, it used a WordPress site for decryption services. As public attention ramped up, it moved to a Tor server in hopes of staying under the radar. While existing anti-malware tools should catch this compromised pen tester before it causes problems, companies should investigate further if they’re targeted because it may be an indicator that more serious network vulnerabilities exist.

Patching Up

Malware-makers are also adopting other tactics used by security professionals to help advance their cause. As Security Intelligence noted last week, for example, the makers of TeslaCrypt have started patching their ransomware deployments. The result? Right now, its version 3.0.1 has no white-hat fix, meaning victims need to either pay the ransom or restore all data from a backup device. According to Cisco researchers, while the old version came with a weakness in encryption key storage, the new version has no such problem, making it a tough nut to crack.

So what’s the takeaway from new ransomware variants like Samas and TeslaCrypt 3.0.1? As experts gaze into the malware abyss, it gazes right back. Cybercriminals are now quick to exploit tools such as pen testing or best practices like patching software if it means lower failure rates and bigger payouts. Simply put, this is an arms race; bigger swords and better pens are both needed in this war on ransomware.

More from

When ransomware kills: Attacks on healthcare facilities

4 min read - As ransomware attacks continue to escalate, their toll is often measured in data loss and financial strain. But what about the loss of human life? Nowhere is the ransomware threat more acute than in the healthcare sector, where patients’ lives are literally on the line.Since 2015, there has been a staggering increase in ransomware attacks on healthcare facilities. And the impacts are severe: Diverted emergency services, delayed critical treatments and even fatalities. Meanwhile, the pledge some ransomware groups made during…

AI and cloud vulnerabilities aren’t the only threats facing CISOs today

6 min read - With cloud infrastructure and, more recently, artificial intelligence (AI) systems becoming prime targets for attackers, security leaders are laser-focused on defending these high-profile areas. They’re right to do so, too, as cyber criminals turn to new and emerging technologies to launch and scale ever more sophisticated attacks.However, this heightened attention to emerging threats makes it easy to overlook traditional attack vectors, such as human-driven social engineering and vulnerabilities in physical security.As adversaries exploit an ever-wider range of potential entry points…

4 trends in software supply chain security

4 min read - Some of the biggest and most infamous cyberattacks of the past decade were caused by a security breakdown in the software supply chain. SolarWinds was probably the most well-known, but it was not alone. Incidents against companies like Equifax and tools like MOVEit also wreaked havoc for organizations and customers whose sensitive information was compromised.Expect to see more software supply chain attacks moving forward. According to ReversingLabs' The State of Software Supply Chain Security 2024 study, attacks against the software…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today