Malwarebytes researchers spotted a newer version of the malware which uses modules and interacts differently than the older version. The campaign was difficult for researchers to analyze because a password had to be entered manually by the attacker in order for researchers to in order to access the malware's code.
Researchers cannot even execute the ransomware on a victim or test machine meaning only the author or someone who has intercepted the author's password can run the attack.
“This is a major difference from the vast majority of ransomware, or even malware, out there,” researchers said in the post. “SamSam is not the type of ransomware that spreads like wildfire. In fact, this ransomware quite literally cannot spread automatically and naturally.”
If a victim accidentally downloads and executes the malware they won't be harmed since a password is required to run the payload. Because the malware requires human interaction from its creator, victims are specifically chosen meaning the author isn't out for a quick buck, but instead prefers to keep the attack payload a secret so that they can only take down those who have been chosen.
Researchers were able to identify five main components that allow the compromise to take place, four of which are actual files while the fifth is the manual input from the attacker.
The first component of the attack is a batch file containing settings for the ransomware and is the only portion that the actor is actually executing manually. That files runs a .NET exe, which eventually decrypts an encrypted stub file. The attacker will enter their password to execute the bat file on the compromised computer.
Ultimately, SamSam has been used in several high profile attack including the one that took out Atlanta city government systems and has remained an elusive malware.