Highly Targeted Ransomware SamSam Earned Its Creator $6 Million

A ransomware threat called SamSam that’s known for crippling IT systems in hospitals, schools and government organizations has claimed many more victims than previously believed.

Security researchers from Sophos worked with cryptocurrency tracking firm Neutrino to follow ransom payments associated with SamSam and found that they totaled nearly $6 million, six times more than previous estimates.

The company has also identified many more victims who paid the ransom than were previously known (233), half of which were companies from the private sector. This shows that SamSam is not only targeting the healthcare, government and education sectors, where many of the infections with this threat had been reported until now.

“Based on the much larger number of victims now known, it seems that far from being unaffected, the private sector has actually borne the brunt of SamSam,” the Sophos researchers said in a blog post. “Victims in that sector have simply been far more reluctant to come forward.”

SamSam appeared in 2015 and is still active today. However, unlike other ransomware threats that are distributed indiscriminately through mass spam campaigns, the SamSam victims are more carefully selected. This also explains the much higher ransom demands associated with SamSam attacks, which typically are in the tens of thousands of dollars.

The SamSam creator, who Sophos believes to be a lone individual, typically gains access to victims’ networks by using brute-force tools to guess weak RDP (Remote Desktop Protocol) credentials. The attacks are timed to happen during the night depending on where each victim is located, showing a high level of involvement from the hacker.
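For defenders, the pattern described above (a burst of failed remote logons followed by a success, at night in the victim's time zone) can be looked for in Windows logon events. The following is an added example, not code from Sophos or from the original article; the CSV layout, the threshold, the 10-minute window and the off-hours range are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: simplified export of Windows Security logon events.
# Columns (assumed layout): local time, event ID, logon type, source IP, account.
SAMPLE = """\
2018-07-30T01:12:01,4625,3,203.0.113.7,administrator
2018-07-30T01:12:11,4625,3,203.0.113.7,admin
2018-07-30T01:12:21,4625,3,203.0.113.7,backup
2018-07-30T01:12:31,4625,3,203.0.113.7,svc_sql
2018-07-30T01:12:41,4625,3,203.0.113.7,helpdesk
2018-07-30T01:13:05,4624,10,203.0.113.7,helpdesk
2018-07-30T08:55:00,4624,2,-,jsmith
2018-07-30T09:01:10,4625,10,198.51.100.20,jsmith
2018-07-30T09:01:25,4625,10,198.51.100.20,jsmith
2018-07-30T09:02:00,4624,10,198.51.100.20,jsmith
"""

FAILED, SUCCESS = "4625", "4624"  # Windows failed / successful logon event IDs
REMOTE_TYPES = {"3", "10"}        # network (RDP with NLA) and RemoteInteractive
NIGHT_HOURS = range(0, 6)         # assumption: 00:00-05:59 local is off-hours

def detect(lines, threshold=5, window=timedelta(minutes=10)):
    """Alert on a remote logon success that follows a burst of failures from one source."""
    failures = defaultdict(deque)  # source IP -> timestamps of recent failures
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, event_id, logon_type, src, user = line.strip().split(",")
        if logon_type not in REMOTE_TYPES:
            continue  # ignore console and service logons
        when = datetime.fromisoformat(ts)
        recent = failures[src]
        while recent and when - recent[0] > window:
            recent.popleft()  # drop failures that fell out of the window
        if event_id == FAILED:
            recent.append(when)
        elif event_id == SUCCESS and len(recent) >= threshold:
            alerts.append({"src": src, "user": user, "time": ts,
                           "failures": len(recent),
                           "off_hours": when.hour in NIGHT_HOURS})
            recent.clear()
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE.splitlines()):
        print(alert)
```

The daytime user who mistypes a password twice stays below the threshold, while the night-time burst from a single source that ends in a successful logon is flagged with `off_hours` set.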

Moreover, the malware doesn’t have worming capabilities that allow it to spread itself across local networks by exploiting vulnerabilities. Rather, the attacker connects to the compromised systems and performs lateral movement manually, adapting his tools and techniques to each specific environment.

“By working in this way, the attacker can try over and over again to work around defences and gain the access they want,” the Sophos researchers said. “If the SamSam attacker is on your network they will likely stay on it until they succeed, unless they’re kicked off.”

The hacker uses various tools to gain domain admin privileges, which grant him access to most machines on compromised networks. The ransomware routine is only executed after the malware has been copied to a large number of systems, to maximize the attack’s impact.

This tactic usually leaves victim organizations unable to perform their day-to-day operations and, faced with a lengthy recovery process that could take days or weeks, more likely to pay the ransom. This is also why the SamSam attacker has been able to successfully extract payments of up to $50,000 from each victim, vastly more than other ransomware groups.

Unlike most other ransomware programs, which typically encrypt documents, images and work data, SamSam also targets application configuration files. This means that even if work files are restored from backups, the applications installed on an affected system will fail to work properly.

“Thanks to an improved understanding of the way that SamSam targets files in the victim’s operating system, Sophos now recommends that backing up your business data is not enough,” the Sophos researchers said. “To recover swiftly from a SamSam attack, organisations need more than a plan for restoring data – they need a comprehensive plan for rebuilding machines.”

The threat actor behind SamSam is certainly skilled and their attacks have displayed a progression in sophistication and awareness over the past two years, the researchers warn. The spelling and grammar seen in ransom notes suggest that the attacker is semi-proficient in English, but still frequently makes mistakes.

Lucian Constantin
