New versions of the SamSam ransomware will not execute unless the person running the malware's payload enters a special password via the command line.
This is a new protection mechanism added by the SamSam crew in a recent SamSam version discovered by Malwarebytes researchers.
Previous versions did not feature this mechanism, meaning anyone who found a SamSam binary could have infected their own computer by double-clicking and running the file.
Modification aimed at security researchers
But the addition of this password-protection system has nothing to do with end users.
The SamSam ransomware is the creation of a group that deploys it only on rare occasions, usually after hacking into the private networks of large companies or government institutions. The ransomware is not something someone finds in spam emails or lying around the web.
The password has been added to prevent security researchers from executing the ransomware binary, in case they stumble upon a working version, and to limit what kind of information they can gather about SamSam's latest version.
Researchers say this is a new addition to the SamSam ransomware, a strain that has slowly evolved in the past year. As proof, they point to recent reports from fellow cyber-security firms that have also analyzed the ransomware, but in which the password-protection system was not in place.
For example, reports from Sophos, Crowdstrike, Secureworks, and a previous Malwarebytes analysis did not mention the password-protection system that appears to have been added this month.