Check Point Threat Alert: SamSam and Maktub Ransomware Evolution
ByGil Sasson, Check Point Threat Intelligence and Research
Executive Summary
New and evolving ransomware campaigns, dubbed ‘SamSam’ and ‘Maktub’, use techniques not commonly observed in previously known ransomware. SamSam spreads by targeting and infecting servers that contain unpatched vulnerabilities. Maktub and Samsam do not communicate with a C&C server to encrypt files on an infected computer. SamSam’s primary target is the healthcare industry.
Description
- SamSam ransomware has an unusual infection method. Instead of spreading by spam/phishing emails, it scans for vulnerable servers with unpatched software.
- Unlike other ransomware campaigns, there is no need for any user action such as clicking on a certain link or opening a malicious attachment for the infection to take place. The attackers can trigger the ransomware remotely once it has found vulnerability in the server and penetrated the network.
- Once a network has been breached, the ransomware spreads through the local network to infect additional computers.
- Maktub not only encrypts files but also compresses them, most likely to speed up the encryption process.
- SamSam and Maktub are both independently acting ransomware, meaning that once they are installed on a system, they encrypt the files without any need to communicate with a C&C server.
- While this “offline encryption” is rare among ransomware, Check Point researchers published this research blog about another family of offline ransomware last November.
Check Point Protections
- Check Point IPS blade includes various protections for the JBoss platform whose exploitation was observed in the SamSam campaign. In addition, the following protection blocks the Maktub malicious mail attachments: Suspicious Executable Mail Attachment
- Check Point Anti-Virus & SandBlast include relevant Samsam and Maktub indicators for known malicious domains and related files, and includes these Anti-Virus protections:
- Ransomware.Win32.Samsam.*
- Ransomware.Win32.Maktub.*
Additional Technical References
You may also like
Navigating the Evolving Threat Landscape Ahead of Black Friday
As Thanksgiving and Black Friday approach, so do the risks ...
Spotlight on Iranian Cyber Group Emennet Pasargad’s Malware
Executive Summary On October 21, 2024, multiple emails impersonating the ...
Hamas-linked Threat Group Expands Espionage and Destructive Operations
Check Point Research has been monitoring the ongoing activities of ...
October 2024’s Most Wanted Malware: Infostealers Surge as Cyber Criminals Leverage Innovative Attack Vectors
Check Point Software’s latest threat index reveals a significant rise ...