The destructive SamSam ransomware raked in nearly $6 million in ransom payments for its creators since 2015. UK cybersecurity firm Sophos, in partnership with cryptocurrency monitoring firm Neutrino, assessed that the authors behind the SamSam ransomware attacks have earned at least $5.9 million since the malware was first spotted in the wild in December 2015.

While typical ransomware are usually spread through widespread spam campaigns sent to thousands of people in an attempt to infect potential victims, SamSam has been leveraged in targeted and coordinated attacks against carefully selected enterprises for a larger payout.

Modus operandi

SamSam ransomware attacks begin with infiltration of the victim's system through remote desktop protocol (RDP) compromise, surveilling the system for vulnerabilities to exploit before manually running the malware to encrypt files. Researchers found that the attacks typically happen at night time while the victims are asleep.

Once the files are encrypted, the attackers demand a significant bitcoin ransom payment in exchange for the decryption keys. The ransom demands have swelled over time and now amount to over $50,000.

"Unlike other well-known ransomware such as WannaCry or NotPetya, SamSam doesn’t have any worm-like or virus capabilities, so it can’t spread by itself," Sophos noted. "Instead, it relies on the human attacker to spread it – an attacker who can adapt their tactics according to the environment and defences they discover as they surveil the target.

By working in this way, the attacker can try over and over again to work around defences and gain the access they want. If the SamSam attacker is on your network they will likely stay on it until they succeed, unless they’re kicked off."

Once the attack has been launched, the attackers simply have to wait to see if the victim has attempted to make contact via a dark web payment site mentioned in the ransom note. Victims are typically given about seven days to pay up or, for an additional fee, extra time to transfer the bitcoin.

Victims and payments

Analyzing payments made into bitcoin wallets owned by the attackers, Sophos researchers found they have received more than $5.9 million and counting - dwarfing earlier estimates that the attackers have earned just $850,000 so far.

An estimated 233 victims paid a ransom to the SamSam ransomware attackers, out of which just 86 went public with the fact that they paid the attackers. This year, the number of payments received per month peaked at 10.

Although the most notable SamSam ransomware attacks involved the city of Atlanta and several healthcare and government targets, researchers said the ransomware actually doesn't specifically target these sectors. Half of the SamSam ransomware attacks have been against private sector organizations while a quarter have been against healthcare, 13% against government agencies and 11% against educational institutions.

About 74% of the victim organizations are based in the US, followed by Belgium (6%), Canada (5%) and Australia (1%).

One-man army

The author behind SamSam is still unknown, researchers noted that they do invest heavily in covering their tracks and remaining anonymous. They also suggested that a single individual could be running the show.

"The consistency of language across ransom notes, payment sites, and sample files, combined with how their criminal knowledge appears to have developed over time, suggests that the attacker is an individual working alone," the report reads. "This belief is further supported by the attacker’s ability not to leak information and to remain anonymous, a task made more difficult when multiple people are involved. The attacker’s language, spelling and grammar indicates that they are semi-proficient in English but they frequently make mistakes."

Staying protected

While most of the ransomware attacks are coming via RDP, organizations have been advised to restrict access to port 3389 to close any loopholes and minimize potential vectors of attacks. Users have also been advised to employ multi-factor authentication and avoid relying on default or similar passwords across systems. Completing regular vulnerability scans, penetration tests and creating backups that are both offsite and offline are also recommended as well.

Cyware Publisher