Mightier Than the Sword? Pen Testing Tools Used as Ransomware Delivery Device

March 21, 2016 @ 10:20 AM
| |
2 min read

Companies are beefing up malware defenses and putting security pros on alert to corral new strains of infectious code. Cybercriminals, meanwhile, are changing their approach to leverage targeted rather than broad-stroke attacks.

According to SecurityWeek, a new ransomware called Samas has been spotted in the wild — and it’s using pen testing tools to seek out easily compromised systems and deliver a malware payload.

Piling on Ransomware

Samas was first noticed last quarter. Researchers from the Microsoft Malware Protection Center (MMPC) discovered not only infected systems, but also additional tools downloaded during deployment. Backtracking its infection vector, the team found Samas using a pen testing/attack server to uncover potentially vulnerable networks.

Once identified, a tunneling tool called reGeorg punched through existing protection while Java-based vulnerabilities, such as outdated JBOSS apps and an unsafe Java Native Interface (JNI), were used to compromise victim PCs. Combined with information-stealing malware, attackers had everything they needed to collect login credentials and install their particular brand of ransomware on targeted systems.

It’s worth noting that when Samas first began encrypting user files, it used a WordPress site for decryption services. As public attention ramped up, it moved to a Tor server in hopes of staying under the radar. While existing anti-malware tools should catch this compromised pen tester before it causes problems, companies should investigate further if they’re targeted because it may be an indicator that more serious network vulnerabilities exist.

Patching Up

Malware-makers are also adopting other tactics used by security professionals to help advance their cause. As Security Intelligence noted last week, for example, the makers of TeslaCrypt have started patching their ransomware deployments. The result? Right now, its version 3.0.1 has no white-hat fix, meaning victims need to either pay the ransom or restore all data from a backup device. According to Cisco researchers, while the old version came with a weakness in encryption key storage, the new version has no such problem, making it a tough nut to crack.

So what’s the takeaway from new ransomware variants like Samas and TeslaCrypt 3.0.1? As experts gaze into the malware abyss, it gazes right back. Cybercriminals are now quick to exploit tools such as pen testing or best practices like patching software if it means lower failure rates and bigger payouts. Simply put, this is an arms race; bigger swords and better pens are both needed in this war on ransomware.

Douglas Bonderud
Freelance Writer

A freelance writer for three years, Doug Bonderud is a Western Canadian with expertise in the fields of technology and innovation. In addition to working for...
read more