Report: The SamSam Ransomware Has Extorted £4.5 Million, and One Person Might Be Behind It

By Tom McKay on at

A recent review by British cybersecurity firm Sophos in partnership with cryptocurrency firm Neutrino has concluded that the crew—or possibly one extremely proficient black hat hacker—behind the SamSam ransomware attacks have rolled in at least $5.9 million (£4.5 million) in ransom payments, according to BleepingComputer.

Ransomware works by encrypting a targeted system and demanding payments, usually in the form of cryptocurrency, to rescue the trapped data. The SamSam variant emerged in 2015, and the operator or operators behind it typically targeted one victim at a time rather than used mass-distribution methods like the hackers behind WannaCry. In other words, they’re deliberate, coordinated attacks on pre-selected targets.

One of SamSam’s most infamous victims was the city of Atlanta in the US state of Georgia, which spent weeks recovering from an attack that spread throughout numerous municipal computer networks. Others have included hospitals, electronic health records company AllScripts, and even the municipality of Farmington, New Mexico. More recently, per PC Mag, a SamSam attack hit clinical lab testing giant LabCorp.

At first, BleepingComputer wrote, the developers “used a known vulnerability in JBoss servers to target companies with Internet-accessible and unpatched JBoss installs.” After that security flaw began to be patched out of existence, they moved to other methods like “searching the Internet for networks with exposed RDP [Remote Desktop Protocol] connections and mounting brute-force attacks against exposed endpoints,” usually taking the time to map out computer networks and obtain administrator-level control before finally triggering the trap during downtime like nights and weekends. SamSam cleverly offers various payment options, including lower tiers that only allow for one or several machines to be decrypted.

According to BleepingComputer, the proceeds from an estimated 233 victims hit somewhere around $5.9 million for an average of over $25,000 (£19,113) a successful attack—dwarfing previous estimates that the group’s haul was around $850,000 (£649,846):

Researchers say that based on the data of these 86 victims, they were able to determine that around three-quarters of those who paid were located in the US, with some scattered victims located in the UK, Belgium, and Canada.

Half of the victims who paid were private sector companies, while around a quarter were healthcare orgs, followed by 13% of victims being government agencies, and around 11% being institutions in the education sector.

The Sophos team says it identified 157 Bitcoin addresses used in SamSam ransom notes that received payments, and another 88 who did not receive any money.

The unknown party behind the scheme also grew more cautious over time, with each of the malware’s three major revisions adding new protection measures like hex encoding, garbage code to fool automated detection systems, and an encrypted payload that required a password to activate.

$5.9 million is a lot of money, and according to Sophos, there are signs that SamSam was developed by a lone individual who raked in the entire haul by themselves. Regular grammatical errors pop up throughout the code that appear to have been made by the same individual with an incomplete proficiency in the English language. From the report:

The consistency of language across ransom notes, payment sites, and sample files,
combined with how their criminal knowledge appears to have developed over time,
suggests that the attacker is an individual working alone. This belief is further supported by
the attacker’s ability not to leak information and to remain anonymous, a task made more
difficult when multiple people are involved.

The attacker’s language, spelling and grammar indicates that they are semi-proficient in English but they frequently make mistakes.

At the same time SamSam was getting more features designed to defeat detection measures, whoever is behind it got greedier: Sophos wrote that the average amount demanded to unlock machines has ballooned over time to roughly $50,000 (£38,226), “vastly more than the three figure sums typical of untargeted ransomware attacks.” One haul took in $64,000 (£48,929).

Graphic: Sophos

Graphic: Sophos

Sophos wrote in the report that “medium- to large public sector organisations in healthcare, education, and government” comprised about 50 per cent of the attacks. The rest were in the private sector, which has “remained uncharacteristically quiet” about the attacks—one might guess because they were embarrassed about the state of their security.

Sophos has recommendations about how to secure systems from whoever the malware’s mysterious creator is in both the 47-page report and a separate blog post. [BleepingComputer/Sophos]