SamSam ransomware: How is this version different from others?

Sophos recently discovered a SamSam extortion code that performs company-wide attacks using a range of vulnerability exploits. Discover how this version differs from past variants.

The most recent version of the SamSam ransomware has been observed deploying company-wide attacks using a variety of exploits targeting specific organizations. How does this differ from past SamSam ransomware attacks? What can enterprises do to mitigate this type of attack?

Malicious actors behind ransomware attacks are paying increasing attention to their victims' incident response, business continuity and disaster recovery planning. The attackers started by targeting individual systems, then moved on to file shares, servers and databases, and now hit multiple computers on the same network at once, impacting an entire organization.

Attackers continue to exploit unpatched vulnerabilities to gain access to a targeted system, which they then infect with ransomware -- and the SamSam malware authors continue to develop new ways to monetize that access.

Sophos recently published a whitepaper on how malicious developers continue to add new functionality to SamSam ransomware so that it can be used in targeted attacks.

The current SamSam ransomware's basic functionality is the same as before: it is deployed in targeted attacks and uses batch files to automate them. Recent updates, however, have made the attack more modular and let victims pay to recover the data on individual systems rather than for the whole environment.

The SamSam developers moved the functionality for decrypting the attack payload into an external DLL that requires a password, which makes it easier for them to modify the functionality, avoid detection and adapt to different situations. Because the decryptor will not run without that password, analysts who recover the samples without it will find analysis more difficult.

Sophos also released indicators of compromise for the updated SamSam ransomware samples and the decryptor module. Enterprises can mitigate this attack by starting with basic security controls to prevent ransomware infections and by using the indicators of compromise from Sophos to detect the updated samples.
