New Sleeper Strain of SamSam Ransomware Bypasses AV And Stays Hidden On Your Network
The ransomware strain that crippled several cities and school districts in the U.S. earlier this year is back with more tricks up its sleeve to avoid detection.
If you haven’t heard of SamSam, you haven’t been paying attention. Just one example of the kind of destruction its operators can cause is the recent attack on the Colorado Department of Transportation, which took 2,000+ systems offline.
This new SamSam strain adds a human element to its already devious mix of evasive techniques, helping it slip past antivirus, endpoint, and even more advanced security software.
SamSam avoids discovery through the way its payload is constructed and the way it executes. In a recent blog, endpoint protection company Malwarebytes provides a detailed technical explanation of how this new variant of SamSam works.
Your Executive Summary
This SamSam strain avoids detection using three techniques:
- It decrypts the payload only at run time, so what sits on disk is an encrypted blob with nothing for signature scanning or static analysis to match; without the key, the payload cannot be decrypted or analyzed.
- The loader, payload, and logs are wiped, leaving few traces behind for forensics or scanning tools.
- It requires a password, supplied by the threat actor at launch, before it will run at all.
It’s that last part of the attack that makes this latest strain so dangerous. Unlike most ransomware strains, which are designed to spread automatically, this new strain of SamSam is designed for targeted attacks.
Because the password is required, the payload stays encrypted (and therefore opaque to defenders) until the attackers choose when and where to unleash it in your network, waking it on every compromised host at the same moment for maximum impact and damage.
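To make the first and third points concrete, here is an added, self-contained model of a password-gated, decrypt-at-run-time payload. It is not SamSam's code and not taken from the Malwarebytes analysis: the toy cipher (PBKDF2 key derivation, an HMAC-SHA256 counter-mode keystream, an HMAC tag), the benign stand-in payload, and the two "AV signatures" are all constructed here for illustration, and the function names are ours. It shows why a string or signature scanner finds nothing in the on-disk blob, why a wrong password yields nothing to analyze, and the caveat a defender cares about: the encrypted blob still stands out by entropy, so heuristic and behavioral detection are not blinded the way signature matching is.

```python
"""
Model of a password-gated payload that is decrypted only in memory at run time.
Added example for this article, not SamSam's code or the Malwarebytes write-up.
Everything below (cipher construction, payload text, signatures) is constructed
for demonstration; a real loader would use a vetted AEAD, not this toy cipher.
"""
import hashlib
import hmac
import math
import os
from collections import Counter
from typing import List, Optional, Tuple

# Constructed stand-in for a malicious payload: benign text that carries
# strings a signature-based scanner would look for.
PAYLOAD = b"BEGIN PAYLOAD: encrypt_every_share(); drop_note('README_FOR_DECRYPT.txt')"
# Constructed "AV signatures" that match the plaintext payload.
SIGNATURES = [b"encrypt_every_share", b"README_FOR_DECRYPT"]

PBKDF2_ROUNDS = 100_000  # slows offline password guessing against the blob


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream: HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _derive_keys(password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Derive an encryption key and a separate MAC key from the attacker's password."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    return km[:32], km[32:]


def seal(payload: bytes, password: str,
         salt: Optional[bytes] = None, nonce: Optional[bytes] = None) -> bytes:
    """Build the on-disk blob: salt || nonce || ciphertext || tag.
    No key material is stored; only the password holder can open it."""
    salt = salt if salt is not None else os.urandom(16)
    nonce = nonce if nonce is not None else os.urandom(16)
    enc_key, mac_key = _derive_keys(password, salt)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(enc_key, nonce, len(payload))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def run_payload(blob: bytes, password: str) -> Optional[bytes]:
    """Loader step: verify the password-derived tag, then decrypt in memory only.
    Returns the plaintext on success, None on a wrong password; writes nothing to disk."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong password: the payload stays opaque, nothing to analyze
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def signature_scan(data: bytes) -> List[bytes]:
    """What a string/signature scanner sees: the constructed signatures that match."""
    return [s for s in SIGNATURES if s in data]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Encrypted data scores well above plain text or code,
    which is one heuristic that survives when signatures do not."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


if __name__ == "__main__":
    blob = seal(PAYLOAD, "attacker-secret")
    print("on-disk signature hits:", signature_scan(blob))            # []
    print("wrong password ->", run_payload(blob, "guess"))             # None
    clear = run_payload(blob, "attacker-secret")
    print("in-memory signature hits:", signature_scan(clear))          # both
    print("entropy blob vs plaintext: %.2f vs %.2f"
          % (shannon_entropy(blob), shannon_entropy(PAYLOAD)))
```

Run it as a script to see the contrast: the blob matches no signature and a wrong password returns nothing, yet the decrypted bytes match every signature once they exist in memory. That is the detection gap the article describes; the entropy line is the reminder that a high-entropy, unknown blob beside a small loader is itself a signal worth alerting on.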