A ransomware campaign with an unusual method of propagation—infecting servers via unpatched vulnerabilities, then spreading laterally across the local network—experienced a marked spike in activity Monday, according to researchers at Talos. While the m.o. is uncommon for ransomware, the primary target is not: the healthcare industry.

Whereas most ransomware spreads through phishing campaigns, malvertising and exploit kits, this particular malware, dubbed Samas or Samsam, spreads through unpatched vulnerabilities in both JBoss application servers and REGeorg, an open-source framework that creates socks proxies. In other words, users don’t have to perform an action like clicking on a malicious link to download the ransomware; instead, bad actors can trigger SamSam remotely through software flaws.

The adversaries behind this campaign are specifically scanning for and targeting machines containing these vulnerabilities. Consequently, SamSam ransomware campaigns are smaller in scope than conventional CryptoLocker, Locky or TeslaCrypt campaigns, but they also achieve much higher rates of successful infection.

“I think this is really the next evolution of the ransomware game,” said Craig Williams, senior technical leader and security outreach manager at Talos, the research division of Cisco, in an interview with SCMagazine.com.