Check Point has issued a threat alert around two particular pieces of ransomware, SamSam and Maktub. While alerts over Ransomware are nothing new it is the tone of this alert that will have many in the security and especially the healthcare industries concerned.
The information was released in a short blog by Gil Sasson, Check Point Research Team. In it he highlights the dangers from these two pieces of ransomware including the fact that neither use Command and Control (C&C) servers as part of their encryption process. This means that identifying and blocking IP addresses, one of the primary methods used by IT departments, is likely to be ineffective.
There are also a range of other differences that makes these two pieces of ransomware different. For example, SamSam is not spread by phishing emails. Instead it scans networks for servers with unpatched software. Once located it installs itself on the server and waits for the attackers to trigger the ransomware process. Having installed itself on one server it then spreads throughout the network checking other servers.
What makes this particularly difficult to manage is that it only takes one successful attack to infect the whole network. Given the level of attacks that IT departments deal with on a daily basis the odds are with the attackers that they can slip through security. As most security is outward not inward facing the ability to spread across the network is also a serious challenge and it highlights the need for all server connections to be treated as if they were external.
Maktub is a new strain of what is believed to be Russian malware. It uses an infected file attachment claiming to be an update for terms and conditions for use of a website. It then carries out two actions on files it is targeting. The first is to compress the files while the second is to encrypt them. Sasson suggests that this approach is to speed up the encryption process as a compressed file is smaller.
Check Point already shipping a solution
In the blog Sasson points out that Check Point already has protection for both SamSam and Maktub. They also provide information on domains used by the ransomware owners to help spread their product. Those solutions are:
- Check Point IPS blade includes various protections for the JBoss platform whose exploitation was observed in the SamSam campaign. In addition, the following protection blocks the Maktub malicious mail attachments: Suspicious Executable Mail Attachment
- Check Point Anti-Virus & SandBlast include relevant Samsam and Maktub indicators for known malicious domains and related files, and includes these Anti-Virus protections:
- Ransomware.Win32.Samsam.*
- Ransomware.Win32.Maktub.*
Healthcare under fire again
Once again we are seeing healthcare as a primary target for the ransomware. There are three reasons for this.
- Systems are believed to be poorly secured making them easier to attack
- The data stored is critical to patient recovery and therefore a payout is more likely
- The spread of healthcare provision with so many organisations integrated electronically makes it an easy infection vector across many sites.
The problem for healthcare IT departments is diverting budget to protect computers rather than that money being spent on patient care. In the US where patient care is heavily privatised there is an incentive to focus on protection of computer. In the UK, by comparison, with spending on IT inside healthcare often deemed to be a waste of money and very politicised it is harder to divert the necessary funds.
All of this makes healthcare a very lucrative market for IT and for cybercriminals. Access to the US healthcare market was one of the key reasons that NTT DATA cited for purchasing the Dell Services unit recently.
Conclusion
These are both indicators of a new approach to ransomware. As security vendors continue to publish lists of affected domains and the domain generating algorithms (DGA) that they use, ransomware creators are fighting back. The use of peer to peer spread is something that has been seen in other security attacks such as the Uroburos attack on the Belgian government. This enabled the malware to reinfect the network months after it was believed to be clean by copying itself back from a device on the network.
The lack of C&C servers does raise some questions as to how easy it will be for companies to identify the indicators of an attack. It shifts the focus back to individual devices and, in the case of SamSam, on patching and updating policies. These two malware strains indicate how quickly the cybercriminals are able to adapt to current attempts to defeat them.
