SamSam ransomware has evolved to use controlled distribution to target computers
SamSam is an encryption ransomware that has been making the rounds in a series of attacks. You may have heard of it when it made the news earlier this year for infecting hospitals and government institutions. Although the malware was first discovered some time ago, it has since been found to have evolved.
In other words, it is an elusive piece of malware whose attack strategies have been modified over time. Several security companies, including Malwarebytes, Sophos and CrowdStrike, have analyzed the threat, and their findings are alarming.
The reports say that this ransomware's evolution has made it difficult to detect or even track. What does this mean? The malware's coders appear to have added features and changed it so drastically that it may slip past most antivirus scanners.
More specifically, the latest discovery reveals that the ransomware requires a password before the attack can begin. Earlier versions simply infected the victim's computer when the user ran the file. Now the attackers who distribute the ransomware must supply a password on the command line to infect the PC.
The good news, however, is that SamSam will not infect the majority of users the way WannaCry did. The bad news is that the attackers are using targeted distribution, meaning they choose specifically which network or PC to attack. Remote Desktop Protocol, File Transfer Protocol and Java-based web servers are among the systems that SamSam targets.
The infection itself is a five-step process, as described in the flow chart featured here. The attacker either executes a .bat file on the compromised computer using the password, or a .NET DLL decrypts the AES-encrypted stub with the key. Either way, the result is that the malware payload is delivered and encrypts the data on the targeted PC.
Cisco's Talos had identified the Bitcoin wallet address to which ransoms were being paid, but even this has changed at least twice since then.
The password the attackers use is unknown, so malware researchers may not be able to find a fix. This is only made worse by the fact that the password appears to be unique to each attack.
Unless the origin of the attacks is discovered or researchers find a way around the password, stopping this malware may well prove impossible, given its unpredictable attack pattern.