Sophos investigates SamSam ransomware, almost $6M paid in ransom demands

(Image by Pete Linforth/Pixabay)

Security firm Sophos took a deeper look into the SamSam ransomware and found that its victims have paid almost $6 million in ransom demands since it began spreading in 2015.

SamSam is considered an advanced ransomware operated by a “skilled team or individual.” Unlike other ransomware, which spreads remotely with wormlike behavior, SamSam is highly targeted and operated by hand. The criminals break into the victim’s network through “RDP (Remote Desktop Protocol) by using software like nlbrute to successfully guess weak passwords.”

It was widely believed to be targeting the education, government, and healthcare sectors, but the research showed otherwise.

Maximum damage

According to Sophos, “The attacks are tailored to cause maximum damage and ransom demands are measured in the tens of thousands of dollars,” which distinguishes it from other ransomware that “spread in large, noisy, and untargeted spam campaigns sent to thousands, or even hundreds of thousands, of people. They use simple techniques to infect victims and aim to raise money through large numbers of relatively small ransoms of perhaps a few hundred dollars each.”

There were few cases to study because SamSam does not attack as often as other ransomware, so security teams had little opportunity to analyze it. Sophos says its attacks “occur at a rate of about one per day.”

Why is it labeled a stealthy ransomware? It disguises itself as a legitimate software application, so victims do not know that what they are downloading is ransomware.

Sophos worked with cryptocurrency monitoring organization Neutrino to follow the money trail and found that a large share of SamSam’s victims come from the private sector.

Almost $6 million

This trail also revealed the total paid in ransom payments: the researchers arrived at $5.9 million.

Sophos also noted how meticulous the criminals are: they take note of the victim’s time zone and do their dirty work at night. This is also why SamSam’s ransoms are so expensive. Humans do the job manually and persistently attack a target until they are able to break in, which takes a lot of work and a lot of time.

Sophos explained: Having gained access to a network, the SamSam operator uses a variety of tools to escalate their privileges to the level of Domain Admin. Then they scan the network for valuable targets and deploy and execute the malware as any self-respecting sysadmin might, using utilities such as PsExec or PaExec. Once it has been spread far and wide, the many copies of the ransomware are triggered centrally, starting within seconds of each other. On each infected machine, files are encrypted in a way that’s designed to cause the most damage in the shortest time.
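As an added example (not Sophos’ research code and nothing from the SamSam operators), the following Python sketches the defender-side view of the two stages the article describes: the RDP password guessing from the earlier paragraph, and the PsExec/PAExec deployment from the quote above. Windows event IDs 4625/4624 (failed/successful logon, logon type 10 = RDP) and 7045 (new service installed) are real; the record layout, the thresholds, the sample host names and addresses, and the assumption that PsExec and PAExec leave services named PSEXESVC and PAExec-… are this example’s own, constructed for illustration.

```python
"""Toy detections for the SamSam attack pattern over constructed Windows event
records: an RDP password-guessing burst, a successful RDP logon from the same
source afterwards, and PsExec/PAExec-style service installs on other hosts."""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10                    # Windows logon type 10 = RemoteInteractive (RDP)
FAIL_THRESHOLD = 5                     # failed logons from one source that count as a burst
WINDOW = timedelta(minutes=5)          # sliding window the burst must fit in
REMOTE_EXEC_PREFIXES = ("psexesvc", "paexec")   # assumed PsExec / PAExec service name prefixes

# Constructed sample events (field names are this example's own, not a real log schema).
EVENTS = [
    # six failed RDP logons from one address against srv01 inside one minute
    *[{"ts": f"2018-07-31T02:00:{i * 10:02d}", "id": 4625, "host": "srv01",
       "src_ip": "203.0.113.9", "logon_type": 10, "user": "administrator"} for i in range(6)],
    # two ordinary typos from another address: below the threshold
    {"ts": "2018-07-31T02:10:00", "id": 4625, "host": "srv01", "src_ip": "198.51.100.4", "logon_type": 10, "user": "jsmith"},
    {"ts": "2018-07-31T02:11:30", "id": 4625, "host": "srv01", "src_ip": "198.51.100.4", "logon_type": 10, "user": "jsmith"},
    # the guessing source eventually logs on successfully (the interesting event)
    {"ts": "2018-07-31T02:07:02", "id": 4624, "host": "srv01", "src_ip": "203.0.113.9", "logon_type": 10, "user": "backup"},
    # later service installs: two remote-execution tools, one benign
    {"ts": "2018-07-31T02:40:00", "id": 7045, "host": "srv02", "service_name": "PSEXESVC"},
    {"ts": "2018-07-31T02:41:10", "id": 7045, "host": "srv03", "service_name": "PAExec-8812-srv01"},
    {"ts": "2018-07-31T03:00:00", "id": 7045, "host": "srv04", "service_name": "Spooler"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Map (host, src_ip) -> peak number of failed RDP logons inside any sliding
    window; only pairs at or above the threshold are returned."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e.get("logon_type") == RDP_LOGON_TYPE:
            failures[(e["host"], e["src_ip"])].append(_ts(e))
    hits = {}
    for key, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:    # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[key] = peak
    return hits


def successful_logon_after_burst(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """(host, src_ip, user) for successful RDP logons (4624, type 10) from a
    brute-forcing source to the same host after that source's last failure."""
    bursts = detect_rdp_bruteforce(events, threshold, window)
    last_fail = {}
    for e in events:
        key = (e.get("host"), e.get("src_ip"))
        if key in bursts and e["id"] == 4625 and e.get("logon_type") == RDP_LOGON_TYPE:
            last_fail[key] = max(last_fail.get(key, _ts(e)), _ts(e))
    found = []
    for e in sorted(events, key=_ts):
        key = (e.get("host"), e.get("src_ip"))
        if (e["id"] == 4624 and e.get("logon_type") == RDP_LOGON_TYPE
                and key in last_fail and _ts(e) > last_fail[key]):
            found.append((e["host"], e["src_ip"], e["user"]))
    return found


def detect_remote_exec_services(events):
    """(host, service_name) for 7045 service installs whose names match PsExec/PAExec."""
    return [(e["host"], e["service_name"]) for e in sorted(events, key=_ts)
            if e["id"] == 7045 and e["service_name"].lower().startswith(REMOTE_EXEC_PREFIXES)]


def summarize(events):
    """Run all three detections; a burst, a later success and remote-exec service
    installs together are the chain the article describes."""
    return {"rdp_bruteforce": detect_rdp_bruteforce(events),
            "rdp_success_after_burst": successful_logon_after_burst(events),
            "remote_exec_services": detect_remote_exec_services(events)}


if __name__ == "__main__":
    for name, result in summarize(EVENTS).items():
        print(f"{name}: {result}")
```

The three results are deliberately kept separate rather than fused into one alert: a 4625 burst alone is noisy on any Internet-facing RDP host, while a burst followed by a 4624 from the same address, and then PsExec-style service installs on other machines minutes later, is the sequence worth paging someone for.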

The attackers leave a note telling victims to contact them through a Dark Web site, where they are also told how to make payments. From a few hundred dollars, the ransom demands have increased to $50,000, making it one of the most ambitious ransomware operations to date.

Categories: News
