The Rapid Evolution of Ransomware in the Enterprise

If you work in information security, the odds are high that you spend a significant amount of time battling ransomware. In a previous article, I covered the fundamental issues and economics that are fueling the rise of this particular type of malware. For the TLDR crowd, it boils down to profitability – ransomware doesn’t require a complex ecosystem to monetize stolen data and practically any data is fair game.

And while early versions of ransomware targeted individuals, the approach is now rapidly evolving and has been successfully adapted to target enterprises. This has raised the stakes considerably, prompting significant changes to the current best practices for protecting data from ransomware.

Ransomware meets the APT

The combination of ransomware and advanced persistent threats may sound like a 1950s monster movie for cybersecurity professionals, but it is unfortunately becoming a reality. Recent research from Microsoft into the Samas strain of ransomware (also known as MSIL) reveals a far more targeted and patient approach to extorting money from enterprises.

The Samas operation begins by using a common vulnerability scanner to find potential victims. However, things get more interesting once the initial victim is found. Attackers then leverage a tunneling tool called reGeorg. Using this tunnel, attackers run a variety of tools inside the network to extend the threat and lay the groundwork for a more strategic approach to ransomware. 

With initial access established, attackers capture credentials from compromised machines to extend their reach further into the network. Then they spread malware to other machines in the network using the old Windows Internals tool, PsExec.

This is when things take an even more insidious turn. Next, attackers scan the network and compromised devices for backup files. If backup files are found, they are deleted before the attackers begin encrypting files.

Adapting your defenses


The evolution of ransomware from simple malware to more persistent attacks has a major impact on the way security teams have to think about mitigation. A solid data backup plan has traditionally been a linchpin in the fight against ransomware: if you can replace the encrypted data, the would-be extortionists have no leverage.

But with Samas, attackers go the extra mile to seek out and destroy backups prior to encryption. Although it currently seems to be limited to searching for local backups, the strategy could extend to cloud-connected backup as well. The same user credentials that cybercriminals use in other attack phases can be repurposed to access remote cloud backups.

The good news is that these complex attacks give security teams ample opportunities to detect threats before damage is done. External tunnels like reGeorg enable all sorts of remote attacker mischief that can be detected if you know what to look for. Likewise, credential abuse and the internal spread of malware leave behavioral footprints that security teams can detect if internal traffic is monitored.
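The two internal footprints the article describes, PsExec-driven spread (which installs a service on each new host) and the deletion of backup files shortly before mass encryption, can both be caught from host telemetry. The following is an added example, not code from the article or from Microsoft's Samas research: a toy detection pass over constructed event records. The event layout, the sample lines, the backup extensions and the burst threshold are all assumptions; what is not assumed is that PsExec installs a remote service named PSEXESVC, which Windows records as a System event 7045 ("a service was installed").

```python
"""Toy detection pass over constructed host events (added example, not the article's code).

Assumptions: events are (timestamp, host, event_type, detail) tuples; the
backup extensions and the rename-burst threshold are illustrative choices.
PSEXESVC is the service name PsExec creates on a remote host.
"""
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

BACKUP_EXTENSIONS = {".bak", ".bkf", ".vhd", ".vhdx", ".tib"}  # assumed backup file types
RENAME_BURST_THRESHOLD = 20                # assumed: renames in the window that look like mass encryption
RENAME_BURST_WINDOW = timedelta(minutes=5)  # assumed: how soon after a backup wipe encryption starts

# Constructed sample events: a backup wipe followed by a rename storm on fs01,
# plus one benign deletion on ws07 that should not alert.
SAMPLE_EVENTS = [
    ("2016-03-22 09:00:00", "fs01", "service_installed", "PSEXESVC"),
    ("2016-03-22 09:05:00", "fs01", "file_deleted", r"E:\backups\finance.bak"),
    ("2016-03-22 09:05:02", "fs01", "file_deleted", r"E:\backups\hr.vhdx"),
] + [
    (f"2016-03-22 09:06:{i:02d}", "fs01", "file_renamed",
     rf"E:\shares\doc{i}.docx -> doc{i}.docx.encrypted")
    for i in range(25)
] + [
    ("2016-03-22 10:00:00", "ws07", "file_deleted", r"C:\Users\a\Downloads\old.zip"),
]


def parse(events):
    """Turn string timestamps into datetimes so events can be ordered and windowed."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host, etype, detail)
            for ts, host, etype, detail in events]


def detect_psexec(events):
    """Flag service installations named PSEXESVC: the trace PsExec leaves on each host it reaches."""
    return [(ts, host) for ts, host, etype, detail in events
            if etype == "service_installed" and detail.upper() == "PSEXESVC"]


def detect_backup_wipe_then_burst(events):
    """Flag a host where backup files are deleted and a rename burst follows within the window.

    This is the Samas sequence the article describes: destroy the backups first,
    then encrypt. Either half alone is noisy; the ordering is the signal.
    """
    per_host = defaultdict(list)
    for ev in events:
        per_host[ev[1]].append(ev)

    alerts = []
    for host, evs in per_host.items():
        evs.sort()
        deletions = [ts for ts, _, etype, detail in evs
                     if etype == "file_deleted"
                     and ntpath.splitext(detail)[1].lower() in BACKUP_EXTENSIONS]
        renames = [ts for ts, _, etype, _ in evs if etype == "file_renamed"]
        for deleted_at in deletions:
            burst = [r for r in renames if deleted_at <= r <= deleted_at + RENAME_BURST_WINDOW]
            if len(burst) >= RENAME_BURST_THRESHOLD:
                alerts.append((host, deleted_at, len(burst)))
                break  # one alert per host is enough
    return alerts


def run(events=SAMPLE_EVENTS):
    """Run both detectors over a list of raw events and return their findings."""
    parsed = parse(events)
    return {
        "psexec": detect_psexec(parsed),
        "backup_wipe": detect_backup_wipe_then_burst(parsed),
    }


if __name__ == "__main__":
    for name, hits in run().items():
        print(name, hits)
```

The PsExec check fires on the first host the attackers pivot to, well before any file is touched; the backup-wipe check is the last chance, but it still lands before the bulk of the data is encrypted. In practice both would read from a real event pipeline rather than a constructed list, and the threshold and window would be tuned to the environment's normal file churn.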

In this regard, ransomware in the enterprise is the new face on an attack trend we have seen before. Commodity threats often target as many victims as they can to make money in bulk. However, as threats mature and focus on the enterprise, it behooves attackers to be more patient and persistent in their search for high-value data within an organization.

Whether attackers want to steal data or encrypt it for ransom, the focus on key assets remains consistent. It comes as no surprise to see ransomware travel the same evolutionary path as other threats. The end result may be damage instead of theft, but the strategy is the same.

The upside is that our defensive strategies still apply in either case. Attackers will continue to get in the front door, but if we look for the progression of the attack, we can stop the threat before damage is done.
