This destructive ransomware has made crooks $6m by encrypting data and backups

Attackers behind destructive SamSam ransomware show no signs of giving up - and they're now taking $300,000 a month in ransom from victims.
Written by Danny Palmer, Senior Writer

The cyber gang behind the SamSam ransomware have netted almost $6m since they started distributing the file-locking malware in late 2015 -- and their profits are still on the rise, netting around an additional $300,000 each month.

SamSam is different to other forms of ransomware; while other variants are spammed out to potential victims by email, SamSam attacks are thought to begin with a remote desktop protocol (RDP) compromise -- either by brute force attacks, or credentials purchased on the dark web.

Once inside a compromised machine, the attackers seek out vulnerabilities which they exploit to spread across an organisation's network before encrypting files.

With a stranglehold on an entire network, the attackers then demand a huge bitcoin ransom payment in exchange for the decryption keys -- the payments now regularly reach over $50,000.

SamSam requires a more hands-on technique than other forms of ransomware, but the time and effort is apparently paying off for the crooks -- researchers at Sophos have analysed payments made into bitcoin wallets owned by the attackers and have found they've received over $5.9m and counting.

The number of payments received per month throughout 2018 has peaked at 10, indicating a level of precision by the attackers.

The high profile SamSam attacks have tended to affect healthcare and government -- the ransomware against the city of Atlanta was SamSam, but the ransomware doesn't specifically target these sectors.

Sophos state that half of the attacks have been against private sector targets, with a quarter against healthcare and 13 percent against government.

But SamSam doesn't seek out any sector in particular, those behind it just attack any vulnerable network of medium to large organisations they can -- with three quarters of victims in the US.

SEE: Ransomware: An executive guide to one of the biggest menaces on the web

The attacks are effective, as a significant percentage of victims are choosing to pay the ransom, because they don't see any other way out because of the devastating nature of the attack.

"SamSam is very destructive. They purposefully go out of their way to find your backups first and delete them. The ransomware itself has a priority order of what it will encrypt, so it'll go to your data first, but given enough time, it encrypts everything," Peter Mackenzie, global malware escalations manager at Sophos told ZDNet.

Even if victims do opt to pay the ransom, that doesn't mark the end of problems, because the attackers don't decrypt files on all the affected computers at once -- the affected organisation needs to do it manually.


SamSam ransomware note.

Image: Sophos

"The response from the attacker, that's generally quick: you'll get a Zip file with all the private keys you need, instructions and a tool to decrypt them. But you'll need to push that tool out onto all of the machines that have been encrypted and run it locally on each one. So the actual recovery time can be very slow," said Mackenzie.

Those behind SamSam continue to update their malware in an effort to make it more potent and more difficult to analyse. In a move that's likely a taunt directed towards researchers at Sophos investigating the attacks, the file SamSam uses to encrypt data now has a .sophos extension.

SEE: 17 tips for protecting Windows computers and Macs from ransomware (free PDF)

It's still unknown who the criminal group behind the attacks is, but whoever they are, they don't show any signs of quitting yet, given the lucrative nature of the attacks.

"The amount they're making per month on average is going up -- at the moment it's around $300,000 a month. The fact is they haven't been caught; they're enjoying what they're doing, they're constantly working on it, so from their view, why stop?" said MacKenzie.

With the majority of attacks coming via RDP, Sophos recommends that organisations restrict access to port 3389 to those who absolutely need it, therefore minimizing the potential vectors of attacks.

Organisations should also ensure they're not using default passwords and are employing multi-factor authentication, especially for sensitive internal systems, in order to prevent SamSam from being able to move itself across networks in the case it does find a way in.

Finally, Sophos recommends creating backups which are offline and offsite, so if the worst happens, the data can be recovered without giving into ransom demands.

"This attack can be stopped. And in many of the occasions we've seen where it wasn't stopped, it's just a lack of basic security common practices that were missing," said Mackenzie.


Editorial standards