A new report says an unusual strain of ransomware is leading a new generation of malicious software that hackers use to exploit computer server vulnerabilities.

Companies must act to keep the situation from worsening, Cisco warns.

The report Monday by Cisco Systems Inc.’s Talos security research group describes how virus-like software known as “samsam” works. It worms its way through networks without requiring someone to click a link to open an infected attachment.

“The past few years have seen a dramatic uptick in ransomware variants and their deployment on a global scale due. Cyber criminals see an easy opportunity for profit. It is inevitable that these adversaries would look to the past for effective malware behaviors to advance the efficacy of ransomware. Combined with new methodologies in targeting, we anticipate a trend towards ransomware that can self propagate and move semi-autonomously throughout a network to devastating effect,” the researchers wrote.

“To emphasize this, one need look no further than SamSam.exe, the malware sample recovered from a number of scattered enterprise network breaches mainly targeting the healthcare vertical. SamSam isn’t complex, and it is not fully self-sufficient, but it does exhibit some of the behaviors of a successful worm – rapid propagation, payload delivery (ransomware), and crippling recovery efforts. The age of self-propagating ransomware, or ‘cryptoworms,’ is right around the corner.

“For too long, critical security controls and best practice for enterprise network security have been publicly praised and privately ignored. Drop-in appliances and security solutions can only do so much to protect the network, and will do little to stop this threat if networks continue to be architected and expanded without defense in depth in mind. If enterprises don’t start making strides towards defensible architecture today, massive ransoms may end up getting paid tomorrow.”

This type of attack hit the MedStar Health Inc. hospital chain last month.

Hackers target backup files and records, encrypting them to make them an unreadable gobbledygook of characters. To regain access, users often pay a ransom in the difficult-to-trace digital currency known as bitcoin.


Ransomware: The backstory

From the Talos report:

“Ransomware as we know it today has a sort of ‘spray and pray’ mentality; they hit as many individual targets as they can as quickly as possible. Typically, payloads are delivered via exploit kits or mass phishing campaigns. Recently a number of scattered ransomware campaigns deliberately targeting enterprise networks have come to light. We believe that this is a harbinger of what’s to come — a portent for the future of ransomware.

“Traditionally, malware was never terribly concerned with the destruction of data or denial of access to its contents; with few notable exceptions, data loss was mostly a side-effect of malware campaigns. Most actors were concerned with sustained access to data or the resources a system provided to meet their objectives. Ransomware is a change to this paradigm from subversion of systems to outright extortion; actors are now denying access to data, and demanding money to restore access to that data.”


Read the full report at:

http://blog.talosintel.com/2016/04/ransomware.html