Check Point Threat Alert: SamSam and Maktub Ransomware Evolution
ByGil Sasson, Check Point Threat Intelligence and Research
Executive Summary
New and evolving ransomware campaigns, dubbed ‘SamSam’ and ‘Maktub’, use techniques not commonly observed in previously known ransomware. SamSam spreads by targeting and infecting servers that contain unpatched vulnerabilities. Maktub and Samsam do not communicate with a C&C server to encrypt files on an infected computer. SamSam’s primary target is the healthcare industry.
Description
- SamSam ransomware has an unusual infection method. Instead of spreading by spam/phishing emails, it scans for vulnerable servers with unpatched software.
- Unlike other ransomware campaigns, there is no need for any user action such as clicking on a certain link or opening a malicious attachment for the infection to take place. The attackers can trigger the ransomware remotely once it has found vulnerability in the server and penetrated the network.
- Once a network has been breached, the ransomware spreads through the local network to infect additional computers.
- Maktub not only encrypts files but also compresses them, most likely to speed up the encryption process.
- SamSam and Maktub are both independently acting ransomware, meaning that once they are installed on a system, they encrypt the files without any need to communicate with a C&C server.
- While this “offline encryption” is rare among ransomware, Check Point researchers published this research blog about another family of offline ransomware last November.
Check Point Protections
- Check Point IPS blade includes various protections for the JBoss platform whose exploitation was observed in the SamSam campaign. In addition, the following protection blocks the Maktub malicious mail attachments: Suspicious Executable Mail Attachment
- Check Point Anti-Virus & SandBlast include relevant Samsam and Maktub indicators for known malicious domains and related files, and includes these Anti-Virus protections:
- Ransomware.Win32.Samsam.*
- Ransomware.Win32.Maktub.*
Additional Technical References
You may also like
6 Cyber Security Challenges Emerge from World Economic Forum, Check Point Research on 2025 Threats
As we step into 2025, the cyber security landscape continues ...
FunkSec: The Rising Yet Controversial Ransomware Threat Actor Dominating December 2024
As 2024 ended, a new name surged to the top ...
5 Key Cyber Security Trends for 2025
As the digital world continues to evolve, threats to organizations ...
Meet FunkSec: A New, Surprising Ransomware Group, Powered by AI
Executive Summary: The FunkSec ransomware group emerged in late 2024 ...