Attackers are using a new variant of the SamSam ransomware to compromise and take down users of their choosing.
As discovered by Malwarebytes, the new SamSam variant requires direct human interaction from the attacker to execute the payload.
Malwarebytes said the most important point of the latest ransomware campaign is the use of a password that has to be manually entered by the attacker.
“Without knowing the password, we cannot analyze the ransomware code. But what is more important to note is that we cannot even execute the ransomware on a victim or test machine. This means that only the author (or someone who has intercepted the author’s password) can run this attack,” Malwarebytes said.
The SamSam attack workflow is shown in the figure below:
SamSam attack method workflow diagram (source: Malwarebytes)
In short, this SamSam campaign does not spread automatically to other systems the way many other ransomware families do.
Because SamSam requires hands-on involvement from the attacker, it is used for targeted attacks on specifically chosen victims. By protecting the payload with a password, the author keeps it secret from analysts and can more easily take down future victims.