March 21, 2016 By Douglas Bonderud 2 min read

Companies are beefing up malware defenses and putting security pros on alert to corral new strains of infectious code. Cybercriminals, meanwhile, are changing their approach to leverage targeted rather than broad-stroke attacks.

According to SecurityWeek, a new ransomware called Samas has been spotted in the wild — and it’s using pen testing tools to seek out easily compromised systems and deliver a malware payload.

Piling on Ransomware

Samas was first noticed last quarter. Researchers from the Microsoft Malware Protection Center (MMPC) discovered not only infected systems, but also additional tools downloaded during deployment. Backtracking its infection vector, the team found Samas using a pen testing/attack server to uncover potentially vulnerable networks.

Once identified, a tunneling tool called reGeorg punched through existing protection while Java-based vulnerabilities, such as outdated JBOSS apps and an unsafe Java Native Interface (JNI), were used to compromise victim PCs. Combined with information-stealing malware, attackers had everything they needed to collect login credentials and install their particular brand of ransomware on targeted systems.

It’s worth noting that when Samas first began encrypting user files, it used a WordPress site for decryption services. As public attention ramped up, it moved to a Tor server in hopes of staying under the radar. While existing anti-malware tools should catch this compromised pen tester before it causes problems, companies should investigate further if they’re targeted because it may be an indicator that more serious network vulnerabilities exist.

Patching Up

Malware-makers are also adopting other tactics used by security professionals to help advance their cause. As Security Intelligence noted last week, for example, the makers of TeslaCrypt have started patching their ransomware deployments. The result? Right now, its version 3.0.1 has no white-hat fix, meaning victims need to either pay the ransom or restore all data from a backup device. According to Cisco researchers, while the old version came with a weakness in encryption key storage, the new version has no such problem, making it a tough nut to crack.

So what’s the takeaway from new ransomware variants like Samas and TeslaCrypt 3.0.1? As experts gaze into the malware abyss, it gazes right back. Cybercriminals are now quick to exploit tools such as pen testing or best practices like patching software if it means lower failure rates and bigger payouts. Simply put, this is an arms race; bigger swords and better pens are both needed in this war on ransomware.

More from

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

What’s behind unchecked CVE proliferation, and what to do about it

4 min read - The volume of Common Vulnerabilities and Exposures (CVEs) has reached staggering levels, placing immense pressure on organizations' cyber defenses. According to SecurityScorecard, there were 29,000 vulnerabilities recorded in 2023, and by mid-2024, nearly 27,500 had already been identified.Meanwhile, Coalition's 2024 Cyber Threat Index forecasts that the total number of CVEs for 2024 will hit 34,888—a 25% increase compared to the previous year. This upward trend presents a significant challenge for organizations trying to manage vulnerabilities and mitigate potential exploits.What’s behind…

Quishing: A growing threat hiding in plain sight

4 min read - Our mobile devices go everywhere we go, and we can use them for almost anything. For businesses, the accessibility of mobile devices has also made it easier to create more interactive ways to introduce new products and services while improving user experiences across different industries. Quick-response (QR) codes are a good example of this in action and help mobile devices quickly navigate to web pages or install new software by simply scanning an image.However, legitimate organizations aren’t the only ones…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today