Check Point Threat Alert: SamSam and Maktub Ransomware Evolution
ByGil Sasson, Check Point Threat Intelligence and Research
Executive Summary
New and evolving ransomware campaigns, dubbed ‘SamSam’ and ‘Maktub’, use techniques not commonly observed in previously known ransomware. SamSam spreads by targeting and infecting servers that contain unpatched vulnerabilities. Maktub and Samsam do not communicate with a C&C server to encrypt files on an infected computer. SamSam’s primary target is the healthcare industry.
Description
- SamSam ransomware has an unusual infection method. Instead of spreading by spam/phishing emails, it scans for vulnerable servers with unpatched software.
- Unlike other ransomware campaigns, there is no need for any user action such as clicking on a certain link or opening a malicious attachment for the infection to take place. The attackers can trigger the ransomware remotely once it has found vulnerability in the server and penetrated the network.
- Once a network has been breached, the ransomware spreads through the local network to infect additional computers.
- Maktub not only encrypts files but also compresses them, most likely to speed up the encryption process.
- SamSam and Maktub are both independently acting ransomware, meaning that once they are installed on a system, they encrypt the files without any need to communicate with a C&C server.
- While this “offline encryption” is rare among ransomware, Check Point researchers published this research blog about another family of offline ransomware last November.
Check Point Protections
- Check Point IPS blade includes various protections for the JBoss platform whose exploitation was observed in the SamSam campaign. In addition, the following protection blocks the Maktub malicious mail attachments: Suspicious Executable Mail Attachment
- Check Point Anti-Virus & SandBlast include relevant Samsam and Maktub indicators for known malicious domains and related files, and includes these Anti-Virus protections:
- Ransomware.Win32.Samsam.*
- Ransomware.Win32.Maktub.*
Additional Technical References
You may also like
Shifting Attack Landscapes and Sectors in Q1 2024 with a 28% increase in cyber attacks globally
Recurring increase in cyber attacks: Q1 2024 saw a marked ...
Not So Private After All: How Dating Apps Can Reveal Your Exact Location
Check Point Research (CPR) recently analyzed several popular dating applications ...
Agent Tesla Targeting United States & Australia: Revealing the Attackers’ Identities
Highlights Check Point Research (CPR) uncovered three recent malicious campaigns ...
Beyond Imagining – How AI is actively used in election campaigns around the world
Key Findings AI is already extensively utilized in election campaigns ...