SamSam: the new variant requires direct human involvement

The newest SamSam version requires to enter a password to run the payload

SamSam is a file-encrypting virus which has been recently upgraded with direct human involvement feature.

SamSam is the latest upgraded cyber threat which has an impressive new feature — the attacker must enter a password via the command-line to run the payload and start data encryption on the targeted device^[1]. Likewise, the crypto-malware cannot spread automatically.

Previously, anyone having the payload of SamSam could infect their computers by merely double-clicking on the executable file. Now, only specific systems approved by the attackers remotely via the command-and-control (C&C)^[2] server can be infected and encrypted.

This is a major difference from the vast majority of ransomware, or even malware, out there <…> SamSam is not the type of ransomware that spreads like wildfire. In fact, this ransomware quite literally cannot spread automatically and naturally.

Security researchers struggle with the analysis of the main payload

Since SamSam ransomware^[3] cannot be executed on a random computer by simply downloading it, cybersecurity experts are unable to try the test version and analyze the primary payload of the file-encrypting virus. This malware update is a significant change to the cyber community.

However, they have detected five fundamental components which are required for the activation of the ransomware — one of them is the direct human involvement, and other four are simple system files. According to the analysis, one of the files contain ransomware settings and is executed manually. It is designed to run a .NET file which decrypts encoded stub file and allow the attacker to enter the password and execute bat file^[4].

Keep in mind that the developers of SamSam virus do not distribute this malicious program via spam emails or other standard techniques. They only hack into the networks and servers of large-scale companies and execute the ransomware for more significant profits.

Likewise, this SamSam password protection will only increase the chances of more successful infections and harder possibilities for decryption. Although, security researchers add that the password might only be obtained if it is intercepted during the attack.

Previous SamSam attacks in 2018

It is evident that the authors of SamSam ransomware have a goal — develop successful targeted attacks. Unfortunately, they have started to reach their goal as this strain of crypto-malware has been exceptionally active in the first quarter of 2018.

The most significant attack was when SamSam disrupted the IT network of the whole Atlanta City leading to massive data and financial losses. The primary targets are large-scale organizations, such as hospitals, governmental institutions, or international corporations^[5].

The author attacks victims he has specifically chosen. And this is what makes this ransomware so interesting. The author is not just after a quick buck; instead, he prefers to have his payload remain a secret so he can continue to take down only the people he chooses.