Security researchers have discovered a new variant of SamSam ransomware with additional features that make it trickier to detect and track. One noteworthy addition to the malware code is a password that the attacker must enter manually; without it, researchers cannot analyze the ransomware code.
Security researchers from Malwarebytes said the new variant comes with updated features and modules, and seems to interact differently than previous versions.
"These changes do not necessarily make the ransomware more dangerous, but they are added to make it just a bit more tricky to detect or track as it is constantly changing," researchers said in a blog post.
However, one feature that hasn't changed is that the ransomware payload is decrypted at run time, a characteristic that differentiates SamSam from other ransomware strains.
“This is the most distinguishing trait about this ransomware, the single feature that makes it unique. This encrypted payload scheme explains why it is extremely difficult to find a sample of the actual payload code,” researchers said.
SamSam ransomware attacks consist of five main components: four are actual files, while the fifth is manual input that requires direct human involvement. The first component of the attack is a batch file that contains settings for the ransomware. It is also the only portion that the threat actor manually executes. The batch file then runs a .NET exe file that is used to decrypt an encrypted stub file. To execute the batch file on the targeted computer, the attacker must enter a password.
“As analysts, without knowing the password, we cannot analyze the ransomware code,” researchers said. “But what is more important to note is that we cannot even execute the ransomware on a victim or test machine. This means that only the author, (or someone who has intercepted the author’s password) can run this attack.”
Careful, targeted infections
Researchers noted that anyone who accidentally downloads and executes the malware may not be harmed at all, since the payload requires a password to execute.
Unlike most well-known ransomware families that attempt to infect random targets, SamSam attackers use it against specific, targeted organizations - those most likely to pay up to get their data back.
The SamSam ransomware was also used against several high-profile targets, such as the city of Atlanta in late March, where it brought municipal operations to a grinding halt.
“This is a major difference from the vast majority of ransomware, or even malware, out there. SamSam is not the type of ransomware that spreads like wildfire,” researchers said. “In fact, this ransomware quite literally cannot spread automatically and naturally.
“It requires the human involvement of the creator, which means it was developed for a single purpose: targeted attacks. The author attacks victims he has specifically chosen. And this is what makes this ransomware so interesting. The author is not just after a quick buck; instead, he prefers to have his payload remain a secret so he can continue to take down only the people he chooses.”