Executive Summary
New and evolving ransomware campaigns, dubbed ‘SamSam’ and ‘Maktub’, use techniques not commonly observed in previously known ransomware. SamSam spreads by targeting and infecting servers that contain unpatched vulnerabilities. Maktub and Samsam do not communicate with a C&C server to encrypt files on an infected computer. SamSam’s primary target is the healthcare industry.
Description
- SamSam ransomware has an unusual infection method. Instead of spreading by spam/phishing emails, it scans for vulnerable servers with unpatched software.
- Unlike other ransomware campaigns, there is no need for any user action such as clicking on a certain link or opening a malicious attachment for the infection to take place. The attackers can trigger the ransomware remotely once it has found vulnerability in the server and penetrated the network.
- Once a network has been breached, the ransomware spreads through the local network to infect additional computers.
- Maktub not only encrypts files but also compresses them, most likely to speed up the encryption process.
- SamSam and Maktub are both independently acting ransomware, meaning that once they are installed on a system, they encrypt the files without any need to communicate with a C&C server.
- While this “offline encryption” is rare among ransomware, Check Point researchers published this research blog about another family of offline ransomware last November.
Check Point Protections
- Check Point IPS blade includes various protections for the JBoss platform whose exploitation was observed in the SamSam campaign. In addition, the following protection blocks the Maktub malicious mail attachments: Suspicious Executable Mail Attachment
- Check Point Anti-Virus & SandBlast include relevant Samsam and Maktub indicators for known malicious domains and related files, and includes these Anti-Virus protections:
- Ransomware.Win32.Samsam.*
- Ransomware.Win32.Maktub.*
Figure 1 – Samsam’s ransom message
Figure 2 – Maktub’s ransom message