Check Point Threat Alert: SamSam and Maktub Ransomware Evolution
ByGil Sasson, Check Point Threat Intelligence and Research
Executive Summary
New and evolving ransomware campaigns, dubbed ‘SamSam’ and ‘Maktub’, use techniques not commonly observed in previously known ransomware. SamSam spreads by targeting and infecting servers that contain unpatched vulnerabilities. Maktub and Samsam do not communicate with a C&C server to encrypt files on an infected computer. SamSam’s primary target is the healthcare industry.
Description
- SamSam ransomware has an unusual infection method. Instead of spreading by spam/phishing emails, it scans for vulnerable servers with unpatched software.
- Unlike other ransomware campaigns, there is no need for any user action such as clicking on a certain link or opening a malicious attachment for the infection to take place. The attackers can trigger the ransomware remotely once it has found vulnerability in the server and penetrated the network.
- Once a network has been breached, the ransomware spreads through the local network to infect additional computers.
- Maktub not only encrypts files but also compresses them, most likely to speed up the encryption process.
- SamSam and Maktub are both independently acting ransomware, meaning that once they are installed on a system, they encrypt the files without any need to communicate with a C&C server.
- While this “offline encryption” is rare among ransomware, Check Point researchers published this research blog about another family of offline ransomware last November.
Check Point Protections
- Check Point IPS blade includes various protections for the JBoss platform whose exploitation was observed in the SamSam campaign. In addition, the following protection blocks the Maktub malicious mail attachments: Suspicious Executable Mail Attachment
- Check Point Anti-Virus & SandBlast include relevant Samsam and Maktub indicators for known malicious domains and related files, and includes these Anti-Virus protections:
- Ransomware.Win32.Samsam.*
- Ransomware.Win32.Maktub.*
Additional Technical References
You may also like
The Hidden Risks Within Ethereum’s CREATE2 Function: A Guide to Navigating Blockchain Security
By Oded Vanunu, Dikla Barda, Roman Zaikin The digital age ...
February 2024’s Most Wanted Malware: WordPress Websites Targeted by Fresh FakeUpdates Campaign
Researchers uncovered a new campaign with FakeUpdates, also known as ...
Check Point Research Alerts: Financially Motivated Magnet Goblin Group Exploits 1-Day Vulnerabilities to target Publicly Facing Servers
Key Highlights: – Rapid Exploitation of 1-Day Vulnerabilities: Threat actor ...
A Shadowed Menace : The Escalation of Web API Cyber Attacks in 2024
Highlights: Significant Increase in Attacks: In the first month of 2024, ...