Light Dark
March 21, 2016 By Douglas Bonderud 2 min read

Companies are beefing up malware defenses and putting security pros on alert to corral new strains of infectious code. Cybercriminals, meanwhile, are changing their approach to leverage targeted rather than broad-stroke attacks.

According to SecurityWeek, a new ransomware called Samas has been spotted in the wild — and it’s using pen testing tools to seek out easily compromised systems and deliver a malware payload.

Piling on Ransomware

Samas was first noticed last quarter. Researchers from the Microsoft Malware Protection Center (MMPC) discovered not only infected systems, but also additional tools downloaded during deployment. Backtracking its infection vector, the team found Samas using a pen testing/attack server to uncover potentially vulnerable networks.

Once identified, a tunneling tool called reGeorg punched through existing protection while Java-based vulnerabilities, such as outdated JBOSS apps and an unsafe Java Native Interface (JNI), were used to compromise victim PCs. Combined with information-stealing malware, attackers had everything they needed to collect login credentials and install their particular brand of ransomware on targeted systems.

It’s worth noting that when Samas first began encrypting user files, it used a WordPress site for decryption services. As public attention ramped up, it moved to a Tor server in hopes of staying under the radar. While existing anti-malware tools should catch this compromised pen tester before it causes problems, companies should investigate further if they’re targeted because it may be an indicator that more serious network vulnerabilities exist.

Patching Up

Malware-makers are also adopting other tactics used by security professionals to help advance their cause. As Security Intelligence noted last week, for example, the makers of TeslaCrypt have started patching their ransomware deployments. The result? Right now, its version 3.0.1 has no white-hat fix, meaning victims need to either pay the ransom or restore all data from a backup device. According to Cisco researchers, while the old version came with a weakness in encryption key storage, the new version has no such problem, making it a tough nut to crack.

So what’s the takeaway from new ransomware variants like Samas and TeslaCrypt 3.0.1? As experts gaze into the malware abyss, it gazes right back. Cybercriminals are now quick to exploit tools such as pen testing or best practices like patching software if it means lower failure rates and bigger payouts. Simply put, this is an arms race; bigger swords and better pens are both needed in this war on ransomware.

 |  |  | 
Douglas Bonderud
Freelance Writer

More from

November 22, 2024

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

November 21, 2024

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

November 20, 2024

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature