SamSam

New versions of the SamSam ransomware will not execute unless the person running the malware's payload supplies a special password on the command line.

This is a new protection mechanism added by the SamSam crew in a recent SamSam version analyzed and detailed by Malwarebytes, Sophos, and Crowdstrike researchers.

Previous versions did not feature this mechanism, meaning anyone who found a SamSam binary could have infected their own computer simply by double-clicking and running the file.

Modification aimed at security researchers

But the addition of this password-protection system has nothing to do with end users.

The SamSam ransomware is the creation of a group that deploys it only on rare occasions, usually after hacking into the private networks of large companies or government institutions. The ransomware is not something one finds in spam emails or lying around the web.

The password has been added to prevent security researchers from executing the ransomware binary if they stumble upon a working version, and to limit what kind of information they can gather about SamSam's latest version.

Researchers say this is a new addition to the SamSam ransomware, a strain that has slowly evolved over the past year. Besides Malwarebytes, Sophos and Crowdstrike have also spotted the same password-protection mechanism in past reports.

[Image: New SamSam modules and modus operandi. Source: Malwarebytes report]

"That password appears to be set at compile time, which means each campaign may have a different password associated with it," Allan Liska, Senior Solutions Architect at Recorded Future, told Bleeping Computer.

"While, to the best of our knowledge, the SamSam group is not a nation state actor, these tactics, protecting the code from security researchers and limiting the exposure of your tools, are very similar to what nation state actors do," Liska added.

Timeline of SamSam attacks in 2018

While other ransomware strains, such as Dharma, GlobeImposter, or Scarab, are more widespread, being the subject of massive malspam and exploit kit-based distribution efforts, the SamSam ransomware is today's most famous strain.

This is because the group behind SamSam has been quite active in the first quarter of 2018, hitting countless targets such as hospitals, city councils, ICS firms, state agencies, and many more.

SamSam garnered worldwide notoriety when it brought the city of Atlanta's IT network to its knees, an infection the municipality has only just recovered from, and not before suffering substantial data and financial losses.

[Image: Timeline of 2018 SamSam attacks. Source: Barkly]

Article updated to reflect that Sophos and Crowdstrike have spotted the password-protection system and detailed it in previous reports.
