SamSam Ransomware Nears $6M Mark in Ill-Gotten Gains

For the past three years, the person or persons behind the SamSam ransomware have targeted hospitals, healthcare organizations, as well as the city of Atlanta, and have collected nearly $6 million in illicit funds, according to research from Sophos.

Scott Ferguson, Managing Editor, Light Reading

July 31, 2018

5 Min Read

For the past three years, the group behind SamSam ransomware has targeted their attacks at hospitals and healthcare organizations, as well as public entities such as the city of Atlanta, and has collected nearly $6 million in illicit gains in doing so, according to new research from Sophos.

In the past seven months, the group behind SamSam has averaged about $300,000 per month in ransom, with the highest single payout topping $64,000.

These and other findings are part of a report Sophos released on Tuesday that details the methods behind this particular ransomware attack, and some of the motivations of the person or persons behind it.

Although SamSam has been associated with attacks on healthcare and hospitals, as well as public entities, Sophos researchers believe that other organizations have also been targeted, but have not been as public about the attacks. The report finds that about half the number of victims have remained silent.

SamSam Timeline\r\n(Source: Sophos)\r\n

SamSam Timeline
\r\n(Source: Sophos)\r\n

"From the victims we have identified 50% are in the private sector, with none of them going public. We do not believe this is specifically targeted against healthcare," Peter Mackenzie, the Global Malware Escalation Manager at Sophos, wrote in an email to Security Now.

What makes SamSam different than other types of well-known ransomware, such as WannaCry, is that it's carefully deployed at specific targets instead of being used in "drive-by attacks" meant to cause major disruptions. Also, the underlying software in SamSam is not based on EternalBlue exploits, but uses more conventional open source tools that have been manipulated in order to steal passwords or move the ransomware around the network. (See WannaCry: How the Notorious Worm Changed Ransomware.)

"This is not related to EternalBlue or any of the other vulnerabilities disclosed with it," Mackenzie wrote. "We believe that the majority of the malicious files were created by the attacker themselves, while also utilizing publicly available hacking tools such as Mimikatz. It is important to understand that SamSam does not spread like WannaCry (it is not a worm/virus) instead it is deployed like a legitimate application."

The July 31 Sophos report finds that a SamSam attack starts with a Remote Desktop compromise of a specific machine within the enterprise network. The attacker has also deployed exploits at vulnerable machines to perform remote code execution.

Here, Sophos finds that the group behind SamSam uses more purposeful and targeted methods to attack networks. The researchers found that attacks usually begin in the middle of the night when system admins and the security team are asleep or off-duty and not paying attention to the network.

What also makes SamSam particularly difficult to stop is that once inside the network the malware not only encrypts document files, images and other data that is essential to the running of the business, but also the platforms that run the applications, such as Microsoft Office.

Additionally, SamSam contains a hardcoded list of file extensions that target specific files. The malware will then encrypt those files before any others, which shows the group targets specific victims. Over the years, those behind SamSam have also gotten better at avoiding endpoint security.

(Source: Sophos)\r\n

(Source: Sophos)\r\n

Once the ransomware starts and the files are encrypted, the victim is directed to a "payment site" on the Dark Web, where the person or persons behind the attack demand ransom in the form of Bitcoin. The cryptocurrency is later laundered to help the attackers hide their gains.

These methods have netted about $5.9 million in Bitcoin since SamSam was first spotted in the wild in 2015, according to Sophos's calculations and research.

Zero in on the most attractive 5G NR deployment strategies, and take a look ahead to later technology developments and service innovations. Join us for the Deployment Strategies for 5G NR breakfast workshop in LA at MWCA on September 12. Register now to learn from and network with industry experts – communications service providers get in free!

In his email, Mackenzie noted that the group behind SamSam is either a single person or a very small group of attackers. It appears the group are English speakers based on ransom messages, and that about 74% of attacks have occurred in the US, although organizations in the UK, Canada and Middle East have also been targeted.

"We believe this to be one person or a small group. Due to the similarity in all the attacks, the language used on ransom notes, help files and communication with the victims. As well as the fact that they have managed to stay anonymous for 2 and a half years," Mackenzie wrote.

Reports about SamSam have surfaced on and off again for the last three years, although the ransomware was recently in the news with an attack against Atlanta, which has cost the city over $2 million so far. (See Unknown Document 744903.)

The group behind SamSam might have also targeted Baltimore's 911 system earlier this year, but Sophos could not confirm that specific attack. (See Atlanta, Baltimore Ransomware Attacks Show Government Agencies' Vulnerabilities.)

Related posts:

— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.

Read more about:

Security Now

About the Author

Scott Ferguson

Managing Editor, Light Reading

Prior to joining Enterprise Cloud News, he was director of audience development for InformationWeek, where he oversaw the publications' newsletters, editorial content, email and content marketing initiatives. Before that, he served as editor-in-chief of eWEEK, overseeing both the website and the print edition of the magazine. For more than a decade, Scott has covered the IT enterprise industry with a focus on cloud computing, datacenter technologies, virtualization, IoT and microprocessors, as well as PCs and mobile. Before covering tech, he was a staff writer at the Asbury Park Press and the Herald News, both located in New Jersey. Scott has degrees in journalism and history from William Paterson University, and is based in Greater New York.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights