SamSam Ransomware Attackers Rake In Nearly $6m

Matthew Broersma,
ransomware

The gang behind SamSam, which hit the city of Atlanta in March, carries out its attacks through manual break-ins – and shows no sign of slowing down

The enterprise-focused SamSam ransomware has netted nearly $6 million (£4.6m) since it was launched in late 2015, with profits continuing to rise at a rate of $300,000 a month, according to a new study by Sophos.

The computer security firm hasn’t been able to determine who is behind the malware, but found that all the attacks using it were carried out manually – a difference from other ransomware strains, which generally spread via email spam.

SamSam has gained public notoriety for its use in attacks on hospitals and city governments, such as an attack on Atlanta earlier this year.

But such organisations form only a small proportion of the incidents linked to SamSam, half of which have involved targets in the private sector.

Backups destroyed

Only one-quarter of attacks targeted healthcare, with another 13 percent against governments, Sophos said in a new report.

The criminals behind SamSam appear to target any vulnerable network belonging to a medium to large organisation, with three-quarters of the targets to date located in the US, and others in Canada, the UK and the Middle East.

After breaking in, the attackers wait until the middle of the night in the target’s time zone to launch the encryption process.

The attackers are unusually thorough, deliberately seeking out and destroying backups, and encrypting files in such a way that it’s often necessary to reinstall or reimage entire systems from scratch.

Sophos worked with a Bitcoin specialist to track wallets associated with SamSam and arrive at the malware’s total revenue figure. The investigation found that the SamSam hackers were continually increasing ransom amounts, with ransoms as high as $64,000 recorded.

Slow recovery

“Many victims found that they could not recover sufficiently or quickly enough to ensure business continuity on their own, and reluctantly paid the ransom,” Sophos said.

The company found that the attackers are continually improving SamSam, adding more security features into new versions of the tools and websites used in the attacks.

Even if a ransom is paid, recovery can be a slow process, since the attackers only supply decryption keys and tools, leaving users to decode the affected systems themselves.

The attacks can be prevented, however, Sophos said, with techniques such as blocking the port associated with the RDP protocol used in most SamSam incidents.

Organisations should make sure they’re also avoiding using default passwords and are employing multi-factor authentication, Sophos said, adding that offsite, offline backups can also help.