FBI warning over new strain of ransomware targeting servers
Agency wants industry help in shutting down MSIL/Samas.A
An especially pernicious genre of ransomware targeting servers has provoked the US security service, the FBI, to ask for help from the security industry.
According to a report on Reuters, the FBI has sent out an alert about the MSIL/Samas.A threat in a message saying: "We need your help!" which it does every now and then, but rarely chooses to discuss publicly.
Cisco Talos has already warned individuals and organisations to beware of MSIL/Samas.A. In a blog post last week, it warned: "Cisco Talos is currently observing a widespread campaign leveraging the Samas/Samsam/MSIL.B/C ransomware variant. Unlike most ransomware, SamSam is not launched via user-focused attack vectors, such as phishing campaigns and exploit kits."
It continued: "This particular family seems to be distributed by compromising servers and using them as a foothold to move laterally through the network to compromise additional machines, which are then held for ransom. A particular focus appears to have been placed on the healthcare industry."
Malware is becoming an increasingly widespread security threat. Anti-virus software specialist Trend Micro has identified a new crypto-ransomware variant it has dubbed Petya, which it said is delivered via Dropbox and other official mechanisms.
"We do note that this isn't the first time that malware has abused a legitimate service for its own gain. However, this is the first time (in a long time) that it leads to crypto-ransomware infection. It is also a departure from the typical infection chain, wherein the malicious files are attached to emails or hosted in malicious sites and delivered by exploit kits," said Trend Micro in a blog post.
"Reportedly, Petya is still distributed via email. Victims would receive an email tailored to look and read like a business-related missive from an 'applicant' seeking a position in a company. It would present users with a hyperlink to a Dropbox storage location, which supposedly would let the user download said applicant's CV."
Dropbox moved fast to strip the infected files from its service, and was applauded for its quick response. "We take any indication of abuse of the Dropbox platform very seriously and have a dedicated team that works around the clock to monitor and prevent misuse of Dropbox," the company added in a statement.
"Although this attack didn't involve any compromise of Dropbox security, we have investigated and have put procedures in place to proactively shut down rogue activity like this as soon as it happens."
Join Computing next week in our free web seminar, Better meetings through technology - and common sense.