SamSam, an infamous ransomware strain, has earned its creators bitcoins worth $5.9 million since 2015, well above the previously estimated $850,000, according to a detailed report issued by the UK cyber security company Sophos. Still, little is known about those behind the operation.
Sophos counts 233 ransom payments since SamSam first appeared in 2015. The vast majority of affected organizations (74%) are based in the US. Other countries, with far lower numbers, include the UK, Belgium, Canada, Australia, India and the United Arab Emirates. Half of the victims were private companies, followed by healthcare, government and educational institutions.
Some of the high-profile targets mentioned in the report are Adams Memorial Hospital, Atlanta’s local government, the Colorado Department of Transportation and the Mississippi Valley State University.
Unlike most ransomware, SamSam is not spread by mass email campaigns in the hope that a few recipients will open the attachment; its operators choose their victims deliberately. Originally, a vulnerability in JBoss application servers was used to break into specific networks, but once that hole was patched they had to turn to other means.
The dark web was allegedly used as a source of information on vulnerable servers, which were then subjected to brute force login attacks. The attacker or attackers behind SamSam then escalated their privileges step by step until they held domain administrator rights, and only afterward picked the specific machines to hit.
Once the required access was gained, SamSam was deployed during periods of low activity, usually at night or over the weekend. Files on the affected machines were encrypted, leaving only the ransom note with payment instructions readable.
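The sequence described above, a burst of failed logins from one source that ends in a successful login outside business hours, is the kind of pattern a defender can look for in authentication logs. The following detector is an added example, not code from the Sophos report or this article; the log format, the sample lines, the failure threshold and the business-hours window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from the report): a burst of failed
# logins from one source that ends in a success late on a Saturday night,
# plus an unrelated weekday login. Lines are assumed to be in time order.
SAMPLE_LOG = """\
2018-07-28T23:41:02 auth_fail user=admin src=198.51.100.7
2018-07-28T23:41:03 auth_fail user=admin src=198.51.100.7
2018-07-28T23:41:05 auth_fail user=admin src=198.51.100.7
2018-07-28T23:41:06 auth_fail user=admin src=198.51.100.7
2018-07-28T23:41:08 auth_fail user=admin src=198.51.100.7
2018-07-28T23:41:15 auth_ok user=admin src=198.51.100.7
2018-07-30T09:15:00 auth_ok user=jdoe src=192.0.2.25
"""

def parse(line):
    """Split one log line into (timestamp, event, user, source address)."""
    ts, event, user_kv, src_kv = line.split()
    return (datetime.fromisoformat(ts), event,
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])

def is_off_hours(ts, start_hour=7, end_hour=19):
    """True on weekends or outside 07:00-19:00 (assumed business hours)."""
    return ts.weekday() >= 5 or ts.hour < start_hour or ts.hour >= end_hour

def detect(log_text, max_failures=5, window=timedelta(minutes=10)):
    """Return (src, user, success_time, failure_count) for every successful
    login that follows at least `max_failures` failed attempts from the same
    source within `window` and happens off-hours. Both thresholds are assumed."""
    failures = defaultdict(list)   # src -> timestamps of recent failed logins
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, event, user, src = parse(raw)
        if event == "auth_fail":
            failures[src].append(ts)
        elif event == "auth_ok":
            recent = [t for t in failures[src] if ts - t <= window]
            if len(recent) >= max_failures and is_off_hours(ts):
                alerts.append((src, user, ts.isoformat(), len(recent)))
            failures[src].clear()   # a success ends the burst for this source
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("brute-force login succeeded off-hours:", alert)
```

On the sample data only the Saturday-night success from 198.51.100.7 is reported; the Monday-morning login by jdoe has no preceding failures and falls inside business hours.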
An unusual feature is that SamSam also encrypts system and application files rather than only user-created data, which makes the usual approach of restoring from file backups less effective than against other ransomware. The report goes on to describe how the ransomware has been upgraded over time:
“Since the end of 2015, SamSam has evolved to focus on two main objectives: first, to improve the deployment method so that the impact on victims is greater; second, to make the analysis of the attacks harder, further helping to keep the attacker’s identity a secret,” the report reads.
Sophos teamed up with Neutrino, a firm specialising in tracing blockchain transactions, in an attempt to track down SamSam’s operators. Identifying the people behind the ransomware proved impossible, however, because they use several techniques to obscure the money trail, including converting the bitcoins into privacy-focused altcoins and passing them through coin mixers.