SamSam ransomware is not new to researchers. It has already caused severe damages to numerous entities worldwide. Recently, researchers have discovered a SamSam variant malware that is equally robust. Plus, it has a unique feature that distinguishes it from most other ransomware. It requires the attacker to enter a password before infecting any system.
The Newly Discovered SamSam Variant Is Much More Targeted
Security researchers at Malwarebytes Labs have found malware that resembles the SamSam ransomware but it has some differences too. This SamSam variant exhibits a blend of new features and alterations that do not specifically make it more dangerous, rather they make it trickier to detect.
The new ransomware does not spread like a ‘wildfire’ – it means it does not replicate on its own. Instead, it demands human input to wage an attack. Precisely, the attacker running the payload must enter a specific password through the command line to execute the malware. In this way, the malware cannot be run by just any other person. Rather only the one knowing the author’s password can execute or access the ransomware.
Even Malwarebytes Labs’ researchers faced issues when accessing the code. As stated in their blog post,
“As analysts, without knowing the password, we cannot analyze the ransomware code. But what’s more important to note is that we can’t even execute the ransomware on a victim or test machine. This means that only the author (or someone who has intercepted the author’s password) can run this attack.”
This SamSam variant ransomware is much more targeted in nature. Even if the ransomware is present in a system, it will not infect it without entering the password. Hence, anyone using this malware must have targeted victims in mind.
On the other hand, the attacker remains successful in keeping the payload secret in case of accidental downloads. That’s how detecting this ransomware early is more difficult.
Password Protection Makes Malware Campaigns More Distinct
Previously, SamSam would begin an attack simply by clicking the binary file. It never spread through emails or other regular malicious techniques. However, with the addition of a password requirement, the ransomware becomes even more specific in its selection of victims. The attacker literally knows who he is targeting, and when, since he is the one responsible to enter the password.
Allan Liska, Senior Solutions Architect Recorded Future, told Bleeping Computer that the attackers may even have separate passwords for separate campaigns.
“That password appears to be set at compile time, which means each campaign may have a different password associated with it.”
According to Liska, this password protection may also be an attempt by the attackers to limit the exposure of their code to cybersecurity researchers.
SamSam has been quite popular this year due to its trail of massive cyber attacks that began in early 2018. These even include the high profile attack on Atlanta city.