The SamSam ransomware has earned its creator(s) more than $5.9 million in ransom payments since late 2015, according to the most comprehensive report ever published on SamSam’s activity, covering the period from the ransomware’s launch in late 2015 up to attacks that happened earlier this month.
Researchers at Sophos have tracked Bitcoin addresses owned by the attackers mentioned on ransom notes of each SamSam version and found the attackers have received more than $5.9 million from just 233 victims, and their profits are still on the rise, netting around $300,000 per month.
SamSam has remained largely the same
The reason for these large ransom payments is the way the SamSam group operates. SamSam has been different from most ransomware threats since the moment it first appeared in late 2015.
Its creators never used mass-distribution tactics such as email spam, exploit kits (malvertising), or fake update sites/software. Instead, the SamSam crew targeted one victim at a time. Initially, they used a known vulnerability in JBoss servers to target companies with Internet-accessible and unpatched JBoss installs. As JBoss owners patched their servers and it became harder to find new victims, the group moved to searching the Internet for networks with exposed RDP connections and mounted brute-force attacks against exposed endpoints, in the hope of finding at least one machine that used weak credentials.
Once inside a network, the SamSam crew would spend as much time as it could scanning the network, mapping its layout, and using various legitimate tools such as PsExec to expand their access to local servers from where they could infect other workstations. Once they had the access they needed, SamSam operators would wait until the weekend or nighttime to manually deploy the SamSam binary via the server to all connected hosts.
How does SamSam work?
What makes SamSam stand out from other forms of ransomware is that SamSam is not distributed in an unplanned way via spam email campaigns; instead, attackers choose potential targets and infect systems manually.
Attackers first compromise RDP on a targeted system—either by conducting a brute-force attack or by using stolen credentials purchased on the dark web—and then attempt to strategically deploy SamSam ransomware throughout the network by exploiting vulnerabilities in other systems.
Unlike other well-known ransomware like WannaCry and NotPetya, SamSam does not include any worm-like or virus capabilities to spread by itself. Instead, the ransomware relies on the human attacker to spread it.
Once the attackers have reached the entire network, the ransomware encrypts the systems’ data and demands a huge ransom payment (usually more than $50,000, far higher than is normal) in Bitcoin in exchange for the decryption keys.
What was the main goal of SamSam?
So far, the largest ransom paid by an individual victim is valued at $64,000—a significantly large amount compared to most ransomware families.
Since the SamSam victims do not see any other option to restore their encrypted files, a significant percentage of victims are paying the ransom, making the attack more effective.
According to Sophos, 74 percent of the known victim organizations identified by the security firm are based in the United States, with the others distributed across Canada, the UK, and the Middle East.
To protect against this threat, users and organizations are advised to keep regular backups, use multi-factor authentication, restrict access to RDP (port 3389), and always keep systems and software up to date.
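Because the RDP brute-forcing described above leaves a trail in the Windows Security log (Event ID 4625, logon type 10 for RemoteInteractive), a defender can spot it before a binary is ever deployed. The following detection logic is an added example, not code from the Sophos report or from the article; the event records are a constructed sample, and the threshold and window are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log records, reduced to the fields a
# brute-force detector needs: (timestamp, event_id, logon_type, source_ip, user).
# 4625 = failed logon, 4624 = successful logon; logon type 10 = RDP (RemoteInteractive).
SAMPLE_EVENTS = [
    ("2018-07-30T02:14:01", 4625, 10, "198.51.100.23", "administrator"),
    ("2018-07-30T02:14:09", 4625, 10, "198.51.100.23", "admin"),
    ("2018-07-30T02:14:20", 4625, 10, "198.51.100.23", "backup"),
    ("2018-07-30T02:14:31", 4625, 10, "198.51.100.23", "administrator"),
    ("2018-07-30T02:14:45", 4625, 10, "198.51.100.23", "sql"),
    ("2018-07-30T02:15:02", 4625, 10, "198.51.100.23", "administrator"),
    ("2018-07-30T02:15:40", 4624, 10, "198.51.100.23", "administrator"),  # success after the burst
    ("2018-07-30T02:16:00", 4625, 10, "203.0.113.7", "jsmith"),           # two typos, hours apart
    ("2018-07-30T03:40:00", 4625, 10, "203.0.113.7", "jsmith"),
    ("2018-07-30T02:20:00", 4625, 3, "192.0.2.9", "svc_print"),            # network logon, not RDP
]


def rdp_bruteforce_sources(events, threshold=5, window_minutes=10):
    """Return {source_ip: summary} for sources with at least `threshold` failed RDP
    logons inside any sliding window of `window_minutes`. The summary records the
    peak failure count, the usernames tried, and whether a successful RDP logon from
    the same source followed the failures (the highest-fidelity signal to act on)."""
    window = timedelta(minutes=window_minutes)
    fails, successes = defaultdict(list), defaultdict(list)
    for ts, event_id, logon_type, src, user in events:
        if logon_type != 10:          # only RemoteInteractive (RDP) logons matter here
            continue
        t = datetime.fromisoformat(ts)
        if event_id == 4625:
            fails[src].append((t, user))
        elif event_id == 4624:
            successes[src].append(t)
    flagged = {}
    for src, items in fails.items():
        items.sort()
        start, peak = 0, 0
        for end in range(len(items)):           # sliding window over sorted failure times
            while items[end][0] - items[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        last_fail = items[-1][0]
        flagged[src] = {
            "failures": peak,
            "users": sorted({u for _, u in items}),
            "success_after": any(t > last_fail for t in successes.get(src, [])),
        }
    return flagged
```

A source that is flagged with `success_after` set should be treated as a likely compromised account rather than a mere noisy scanner, and the follow-on activity (PsExec use, new services on servers) hunted for from that host.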