March 21, 2016 By Douglas Bonderud 2 min read

Companies are beefing up malware defenses and putting security pros on alert to corral new strains of infectious code. Cybercriminals, meanwhile, are changing their approach to leverage targeted rather than broad-stroke attacks.

According to SecurityWeek, a new ransomware called Samas has been spotted in the wild — and it’s using pen testing tools to seek out easily compromised systems and deliver a malware payload.

Piling on Ransomware

Samas was first noticed last quarter. Researchers from the Microsoft Malware Protection Center (MMPC) discovered not only infected systems, but also additional tools downloaded during deployment. Backtracking its infection vector, the team found Samas using a pen testing/attack server to uncover potentially vulnerable networks.

Once identified, a tunneling tool called reGeorg punched through existing protection while Java-based vulnerabilities, such as outdated JBOSS apps and an unsafe Java Native Interface (JNI), were used to compromise victim PCs. Combined with information-stealing malware, attackers had everything they needed to collect login credentials and install their particular brand of ransomware on targeted systems.

It’s worth noting that when Samas first began encrypting user files, it used a WordPress site for decryption services. As public attention ramped up, it moved to a Tor server in hopes of staying under the radar. While existing anti-malware tools should catch this compromised pen tester before it causes problems, companies should investigate further if they’re targeted because it may be an indicator that more serious network vulnerabilities exist.

Patching Up

Malware-makers are also adopting other tactics used by security professionals to help advance their cause. As Security Intelligence noted last week, for example, the makers of TeslaCrypt have started patching their ransomware deployments. The result? Right now, its version 3.0.1 has no white-hat fix, meaning victims need to either pay the ransom or restore all data from a backup device. According to Cisco researchers, while the old version came with a weakness in encryption key storage, the new version has no such problem, making it a tough nut to crack.

So what’s the takeaway from new ransomware variants like Samas and TeslaCrypt 3.0.1? As experts gaze into the malware abyss, it gazes right back. Cybercriminals are now quick to exploit tools such as pen testing or best practices like patching software if it means lower failure rates and bigger payouts. Simply put, this is an arms race; bigger swords and better pens are both needed in this war on ransomware.

More from

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today