The cyber gang behind the SamSam ransomware has netted almost $6m since it started distributing the file-locking malware in late 2015, and its income is still rising, by around an additional $300,000 each month.
SamSam is different from other forms of ransomware: while most variants are spammed out to potential victims by email, SamSam attacks are thought to begin with a remote desktop protocol (RDP) compromise, either through brute-force attacks against exposed RDP services or with credentials purchased on the dark web.
SamSam requires a more hands-on technique than other forms of ransomware, but the time and effort is apparently paying off for the crooks -- researchers at Sophos have analysed payments made into bitcoin wallets owned by the attackers and have found they've received over $5.9m and counting.
The number of payments received per month throughout 2018 has peaked at 10, which points to a small number of deliberately chosen targets rather than mass distribution.
The attacks are effective: a significant percentage of victims choose to pay the ransom because, given the devastating nature of the attack, they see no other way out.
"SamSam is very destructive. They purposefully go out of their way to find your backups first and delete them. The ransomware itself has a priority order of what it will encrypt, so it'll go to your data first, but given enough time, it encrypts everything," Peter Mackenzie, global malware escalations manager at Sophos told ZDNet.
Even if victims do opt to pay the ransom, that doesn't mark the end of their problems, because the attackers don't decrypt files on all the affected computers at once; the affected organisation has to do it machine by machine.
"The response from the attacker, that's generally quick: you'll get a Zip file with all the private keys you need, instructions and a tool to decrypt them. But you'll need to push that tool out onto all of the machines that have been encrypted and run it locally on each one. So the actual recovery time can be very slow," said Mackenzie.
Those behind SamSam continue to update their malware in an effort to make it more potent and more difficult to analyse. In a move that's likely a taunt directed towards researchers at Sophos investigating the attacks, the file SamSam uses to encrypt data now has a .sophos extension.
It's still unknown who the criminal group behind the attacks is, but whoever they are, they don't show any signs of quitting yet, given the lucrative nature of the attacks.
"The amount they're making per month on average is going up -- at the moment it's around $300,000 a month. The fact is they haven't been caught; they're enjoying what they're doing, they're constantly working on it, so from their view, why stop?" said Mackenzie.
With the majority of attacks coming via RDP, Sophos recommends that organisations restrict access to port 3389 (the default RDP port) to those who absolutely need it, minimising the avenues of attack.
Organisations should also ensure they're not using default passwords and should employ multi-factor authentication, especially for sensitive internal systems, so that if SamSam does find a way in it cannot easily move across the network.
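As an added example (not code from the article, from Sophos, or from the SamSam investigation), the following PowerShell script shows what the two recommendations above look like on a Windows host: it replaces the built-in any-source "Remote Desktop" firewall rules with a single rule scoped to a management subnet, turns on Network Level Authentication, verifies which inbound rules still allow TCP 3389, and then counts failed RDP logons (event 4625, logon type 10) by source address to surface the brute-force pattern the article describes. The management subnet `10.10.0.0/24`, the rule name and the `$Threshold` of 20 failures are assumptions for illustration.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell session.
# Assumptions: the admin/jump-host network is 10.10.0.0/24 and 20 failed RDP logons
# from one source in 24 hours is worth looking at. Adjust both for your environment.

$MgmtSubnet = '10.10.0.0/24'   # assumed management network allowed to reach RDP
$Threshold  = 20               # assumed failed-logon count per source that merits attention
$RuleName   = 'RDP from management subnet only'

# 1. Disable the built-in "Remote Desktop" allow rules, which accept any remote address.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# 2. Allow TCP 3389 inbound only from the management subnet.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort 3389 -RemoteAddress $MgmtSubnet -Action Allow -Profile Any | Out-Null
}

# 3. Require Network Level Authentication so credentials are checked before a
#    full session is set up, reducing the pre-authentication surface of the listener.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpKey -Name 'UserAuthentication' -Value 1 -Type DWord

# 4. Verify: list every enabled inbound rule that still allows port 3389 and its remote scope.
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -contains '3389' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        '{0,-40} remote={1}' -f $_.DisplayName, ($remote -join ',')
    }

# 5. Detection: failed logons (4625) with LogonType 10 (RemoteInteractive, i.e. RDP)
#    in the last 24 hours, grouped by source address, showing the usernames tried.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Source    = $data['IpAddress']
            LogonType = $data['LogonType']
            User      = $data['TargetUserName']
        }
    } |
    Where-Object { $_.LogonType -eq '10' } |
    Group-Object Source |
    Where-Object { $_.Count -ge $Threshold } |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'Source'; e = { $_.Name } }, Count,
                  @{ n = 'Users';  e = { ($_.Group.User | Select-Object -Unique) -join ',' } }
```

Run this from a console session or from inside the management subnet, because step 1 drops any RDP session coming from elsewhere. Step 5 only sees what the host has logged, so make sure logon auditing is enabled (event 4625 is written for failed logons under the "Audit Logon" subcategory); a long list of distinct usernames from one source is the password-spraying signature, while many attempts against one account is classic brute force. Neither step replaces multi-factor authentication on the RDP gateway, which is what actually stops purchased credentials from working.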