New versions of the SamSam ransomware will not execute unless the person running the malware's payload enters a special password via the command-line.
This is a new protection mechanism added by the SamSam crew in a recent SamSam version analyzed and detailed by Malwarebytes, Sophos, and Crowdstrike researchers.
Previous versions did not feature this mechanism, meaning anyone who found a SamSam binary could have infected his computer by double-clicking and running the file.
But the addition of this password-protection system has nothing to do with end users.
The SamSam ransomware is the creation of a group who deploys it only on rare occasions, usually after hacking into the private networks of large companies or government institutions. The ransomware is not something someone finds in spam emails or lying around the web.
The password has been added to prevent security researchers from executing the ransomware binary, in case they stumble upon a working version, and limit what kind of information they can gather about the SamSam's latest version.
Researchers say this is a new addition to the SamSam ransomware, a strain that has slowly evolved in the past year. Besides Malwarebytes, past Sophos and Crowdstrike have also spotted the same password-protection mechanism.
"That password appears to be set at compile time, which means each campaign may have a different password associated with it," Allan Liska, Senior Solutions Architect at Recorded Future, told Bleeping Computer.
"While, to the best of our knowledge, the SamSam group is not a nation state actor, these tactics, protecting the code from security researchers and limiting the exposure of your tools, are very similar to what nation state actors do," Liska added.
While other ransomware strains are more widespread, being the subject of massive malspam and exploit kit-based distribution efforts, such as Dharma, GlobeImpostor, or Scarab, the SamSam ransomware is today's most famous and well-known strain.
SamSam garnered worldwide notoriety when it brought the city of Atlanta's IT network to its knees, an infection the municipality has just barely recovered from, but not after suffering pretty huge data and financial losses.
Article updated to reflect that Sophos and Crowdstrike have spotted the password-protection system and detailed it in previous reports.