The ransomware strain that crippled several cities and school districts in the U.S. earlier this year is back with more tricks up its sleeve to avoid detection.
If you haven’t heard of SamSam, you haven’t been paying attention. Just one example of the kind of destruction they can cause is the recent attack on the Colorado Department of Transportation which caused downtime for 2,000+ systems.
This new SamSam strain adds a human element to its already devious mix of evasive techniques to keep antivirus, endpoint, and even more advanced security software from detecting it.
SamSam avoids being discovered using sophisticated methods of constructing its payload and how it executes. In a recent blog, endpoint protection company Malwarebytes provides a detailed technical explanation of how this new variant of SamSam works.
Your Executive Summary
Your executive summary is this SamSam strain avoids detection using three advanced techniques:
- It decrypts the payload only at run-time, making it nearly impossible to identify and analyze.
- The loader, payload, and logs are wiped, leaving very few traces behind for any forensics or scanning tools.
- It requires a password to be entered by the threat actor to run in the first place.
It’s that last part of the attack that makes this latest strain so dangerous. Unlike most ransomware strains which are designed to spread automatically, this new strain of SamSam is designed for targeted attacks.
By requiring a password, the payload remains encrypted (and, therefore, an absolute secret), only woken up when and where the bad guys choose to unleash it in your network, all at the same moment to create the biggest impact and damage.
Do You Want The Good News Or The Bad News?
The good news is that, should users accidentally download this strain of ransomware, or your network is compromised via an RDP brute-force attack, the payload is harmless without the password to run it. The bad news is, should the SamSam gang decide that your organization is next up to be extorted, all your users will be sitting on their hands for possibly weeks if your backups fail.