Malware News SamSam Ransomware: controlled distribution for an elusive malware

silversurfer

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,176
Content source
https://blog.malwarebytes.com/threat-analysis/2018/06/samsam-ransomware-controlled-distribution/
SamSam ransomware has been involved in some high profile attacks recently, and remains a somewhat elusive malware. In its time being active, SamSam has gone through a slight evolution, adding more features and alterations into the mix. These changes do not necessarily make the ransomware more dangerous, but they are added to make it just a bit more tricky to detect or track as it is constantly changing.

When comparing early samples to more recent samples, one thing remains constant: the ransomware payload (the code that actually does disk encryption) is run-time decrypted. This is the most distinguishing trait about this ransomware, the single feature that makes it unique. This encrypted payload scheme explains why it is extremely difficult to find a sample of the actual payload code.

The main differences between the new and old versions of SamSam (which we will cover moving forward) are simply:
  1. The modules used
  2. Their interactions with one another
Rather than covering the old version and then talking about the new one, we will go through the newer SamSam code, and draw some comparisons to the older versions so we can understand its evolution.

Recent SamSam analysis

SamSam’s attacks have five main components to it in order for the compromise to take place. Four of them are actual files, and the fifth is the direct human involvement aspect.


Diagram2.png


Component one is a batch file that contains some settings for the ransomware and is the only portion that the actor is actually executing manually. It runs a .NET exe, which eventually decrypts an encrypted stub file. The attacker executes the bat file on the compromised computer with a password as its command-line parameter. This is the password that gets passed down the chain until the .NET file uses it for decryption. On older versions, it seems that this bat file was not in the chain. The attacker possibly executed the .NET component directly.
Click to expand...


Full Article: SamSam ransomware: controlled distribution for an elusive malware - Malwarebytes Labs
 
  • Like
Reactions: stefanos, Mahesh Sudula, LASER_oneXM and 5 others
You must log in or register to reply here.

Similar threads

Shadowra
    • +Reputation
    • Like
Malware News StopCrypt: Most widely distributed ransomware evolves to evade detection
Replies
3
Views
995
Security News
Victor M
Victor M
Gandalf_The_Grey
    • Like
    • Wow
    • +Reputation
September was a record month for ransomware attacks in 2023
Replies
0
Views
702
News Archive
Gandalf_The_Grey
Gandalf_The_Grey
Gandalf_The_Grey
    • Like
    • +Reputation
    • Thanks
New Rorschach ransomware is the fastest encryptor seen so far
Replies
2
Views
1,331
News Archive
[correlate]
[correlate]

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top