SamSam ransomware: controlled distribution for an elusive malware | Advanced Mobile Spy Software
Disclaimer: This is only a partial analysis, as there are manual steps in deploying this ransomware. The artifacts we worked with did not include the actual ransomware payload, which can only be launched using the correct parameters, most likely entered manually by the threat actor.

SamSam ransomware has been involved in some high-profile attacks recently and remains a somewhat elusive malware. Over its active lifetime, SamSam has gone through a slight evolution, adding more features and alterations into the mix. These changes do not necessarily make the ransomware more dangerous, but they make it a bit trickier to detect or track, since it is constantly changing.

When comparing early samples to more recent samples, one thing remains constant: the ransomware payload (the code that actually performs the disk encryption) is decrypted at run time. This is the most distinguishing trait of this ransomware, the single feature that makes it unique. This encrypted payload scheme explains
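A run-time-decrypted payload means that the on-disk artifact carries the encrypting code only as an opaque, high-entropy blob that is never in plaintext until the actor supplies the right parameters. One generic triage check a defender can run on such an artifact is a sliding-window entropy scan, which flags where the opaque region starts and ends so an analyst can confirm that the bytes there are not plaintext code. The following is an added example written for this page and is not code from the original article or from any SamSam sample; the "loader" input is a constructed blob (plain text followed by a hash-chain-derived pseudo-random region standing in for an encrypted payload), and the function names, window size and 7.0 bits/byte threshold are this example's own assumptions, not values from the analysis.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty or constant input, 8.0 maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sliding_entropy(data: bytes, window: int = 1024, step: int = 512):
    """Yield (offset, entropy) for each window so an analyst can see where a high-entropy region begins."""
    for off in range(0, max(1, len(data) - window + 1), step):
        yield off, shannon_entropy(data[off:off + window])


def find_high_entropy_regions(data: bytes, window: int = 1024, step: int = 512,
                              threshold: float = 7.0):
    """Return merged (start, end) byte ranges whose windows meet or exceed the entropy threshold.

    The threshold is an assumed triage value: compiled code and text normally score well below it,
    while encrypted or compressed data scores close to 8.0.
    """
    regions = []
    for off, ent in sliding_entropy(data, window, step):
        if ent >= threshold:
            if regions and off <= regions[-1][1]:
                # Overlaps or touches the previous flagged window: extend it.
                regions[-1] = (regions[-1][0], off + window)
            else:
                regions.append((off, off + window))
    return regions


def constructed_opaque_blob(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic pseudo-random bytes (SHA-256 chain) standing in for an encrypted payload.

    This is constructed test data, not ciphertext from any real sample.
    """
    out = bytearray()
    h = seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out.extend(h)
    return bytes(out[:n])


def constructed_loader_artifact() -> bytes:
    """Constructed stand-in for a loader: 4 KiB of low-entropy text followed by a 4 KiB opaque blob."""
    text = b"plain loader stub text, low entropy, repeated. "
    plain_part = (text * (4096 // len(text) + 1))[:4096]
    return plain_part + constructed_opaque_blob(4096)


def triage(data: bytes):
    """Summarise the scan: overall entropy plus the flagged byte ranges."""
    return {
        "overall_entropy": round(shannon_entropy(data), 2),
        "high_entropy_regions": find_high_entropy_regions(data),
    }


if __name__ == "__main__":
    artifact = constructed_loader_artifact()
    result = triage(artifact)
    print(f"overall entropy: {result['overall_entropy']} bits/byte")
    for start, end in result["high_entropy_regions"]:
        print(f"opaque region: bytes {start:#x}-{end:#x}")
```

On the constructed input the scan reports a single flagged region that begins near the 4 KiB boundary and runs to the end of the blob; on a real artifact the same scan only tells you where to look, and confirming that the region is a run-time-decrypted payload rather than, say, a compressed resource still requires inspecting the code that references it.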