Tag Archives: SamSam

Ransomware and support scam updates


Updates to Specific Ransomware Families and Types

The Register: Please forgive me, I can’t stop robbing you: SamSam ransomware earns handlers $5.9m – “Sophos has been investigating the SamSam campaign since its emergence. A study (PDF) based on this research – released on Tuesday – summarises its findings about the attacker’s tools, techniques and protocols.” For ZDnet, Danny Palmer tells us that This destructive ransomware has made crooks $6m by encrypting data and backups – “Attackers behind destructive SamSam ransomware show no signs of giving up – and they’re now taking $300,000 a month in ransom from victims.”

Bleeping Computer: BitPaymer Ransomware Infection Forces Alaskan Town to Use Typewriters for a Week – “In a PDF report published yesterday, Wyatt finally identified the “virus” as the BitPaymer ransomware. This ransomware strain was first spotted in July 2017, and it first made news headlines in August 2017 when it hit a string of Scottish hospitals.”

Updates to Tech support scams resource page

Sean Gallagher for ArsTechnica: Click on this iOS phishing scam and you’ll be connected to “Apple Care” – “This phishing attack also comes with a twist—it pops up a system dialog box to start a phone call. The intricacy of the phish and the formatting of the webpage could convince some users that their phone has been “locked for illegal activity” by Apple, luring users into soon clicking to complete the call.”

Commentary from Sophos: Porn-warning security scam hooks you up to “Apple Care”


3rd May AVIEN resources updates

Updates to Anti-Social Media 

Kaspersky Threat Post: TENS OF THOUSANDS OF MALICIOUS APPS USING FACEBOOK APIS – “At least 25,936 malicious apps are currently using one of Facebook’s APIs, such as a login API or messaging API. These allow apps to access a range of information from Facebook profiles, like name, location and email address.”

The Register:

Talking of Zuckerberg, here’s his summary of the forthcoming ‘Clear History’ control.

Updates to Cryptocurrency/Crypto-mining News and Resources

Catalin Cimpanu for Bleeping Computer: New MassMiner Malware Targets Web Servers With an Assortment of Exploits

The Register: Whoa, Gartner drops a truth bomb: Blockchain is overhyped and top IT bods don’t want it – “Didn’t you know it’s panacea to all corporate woes, bro?!”

Gad Naveh for Help Net: Dig this: The future of crypto-mining botnets

Trend Micro: Cryptocurrency-Mining Malware Targeting IoT, Being Offered in the Underground

Updates to Meltdown/Spectre and other chip-related resources

Hilbert Hagedoorn for The Guru of 3-D: Eight new Spectre Variant Vulnerabilities for Intel Discovered – four of them critical

The Register: Hands off! Arm pitches tamper-resistant Cortex-M35-P CPU cores – “Sneaky processors look to keep lid on sensitive IoT data”

ESET: further updates to Meltdown and Spectre CPU Vulnerabilities: What You Need to Know

Updates to Internet of (not necessarily necessary) Things

The Register: Hands off! Arm pitches tamper-resistant Cortex-M35-P CPU cores – “Sneaky processors look to keep lid on sensitive IoT data”

Trend Micro: Cryptocurrency-Mining Malware Targeting IoT, Being Offered in the Underground


Richi Jennings for Tech Beacon: VW bugs: “Unpatchable” remote code pwnage – “Two security researchers have excoriated Volkswagen Group for selling insecure cars. As in: hackable-over-the-internet insecure.”

Updates to Specific Ransomware Families and Types

Paul Ducklin for Sophos: “SamSam” ransomware – a mean old dog with a nasty new trick

David Harley

Resource updates 28th March 2018

Updates to Anti-Social Media

Updates to Specific Ransomware Families and Types

Updates to Meltdown/Spectre – Related Resources

Updates to Cryptocurrency/Crypto-mining News and Resources

Updates to Mac Virus



Updates to Chain Mail Check

AVIEN resource page updates 22nd February 2018



Specific Ransomware Families and Types

David Harley

Ransomware Roundup – 19th April 2016

Proofpoint’s analysis of malware they call CryptXXX can be found here: CryptXXX: New Ransomware From the Actors Behind Reveton, Dropping Via Angler. Proofpoint observes that it has seen ‘an Angler EK into Bedep pass pushing both a ransomware payload and Dridex 222. Which may or may not be connected to the fact that Spamfighter has reported that Dridex is implicated in the distribution of ransomware. Spamfighter’s article – Security Researchers Discover Admin Panel of Dridex, Leverage Vulnerability and Hijack Backend – summarizes a report from Buguroo: Report: Analysis of Latest Dridex Campaign Reveals Worrisome Changes and Hints at New Threat Actor Involvement. The Buguroo page suggests that vulnerabilities in the Dridex infrastructure are responsible for its being used to distribute Locky. I haven’t read the full report – it requires registration.

An article by Emily Sweeney for the Boston Globe 5 things to know about ransomware is essentially a personal recollection of being a victim coupled with some basic advice, but it’s not bad advice. Except that the point I’d always stress about backups is the need to ensure that they’re not so easily accessible that reasonably advanced ransomware will be able to encrypt the backed-up material at the same time. And don’t access your offline backups until you’re sure the malware has been eradicated.

Meanwhile, a Spiceworks post describes a couple of very bad days for a sysadmin of which a Cryptowall attack was just a part. A salutary reminder that disasters aren’t always considerate enough to happen one at a time, and that it’s always worth over-engineering a corporate backup strategy.

Sean Gallagher (or at any rate an editor looking for an eye-catching headline) for Ars Technica tells us OK, panic—newly evolved ransomware is bad news for everyone – Crypto-ransomware has turned every network intrusion into a potential payday. I don’t think panic is the best response to the ransomware problem, but there’s certainly an argument for informed concern, and the article does describe some aspects that we should indeed be concerned about and take steps to address.

And for the Register, Iain Thompson summarizes the issues around SamSam’s migration from hospitals to schools and the should-have-been-patched-long-ago JBoss vulnerability that Talos has flagged previously.

David Harley

I do not like that SamSam-I-am ransomware

Darren Pauli for the The Register flags the rise of a ransomware variant that, according to Talos, has ‘a particular focus on the healthcare industry’.

Pauli’s article: Hospital servers in crosshairs of new ransomware strain – SamSam virus is highly contagious and Bitcoin’s the only known cure. He also summarizes Maktub, which resembles SamSam in that  files are encrypted offline and C&C infrastructure is not used for payment.

The Talos blog with more technical detail: SAMSAM: THE DOCTOR WILL SEE YOU, AFTER HE PAYS THE RANSOM

Malwarebytes analysis of Maktub: Maktub Locker – Beautiful And Dangerous

Commentary by Sean Gallagher for Ars Technica: Two more healthcare networks caught up in outbreak of hospital ransomware – New server-targeting malware hitting healthcare targets with unpatched websites.

David Harley