Since it first appeared in December 2015, SamSam ransomware has grown into a lucrative venture for its operators, extracting nearly $6 million from victims. Recent findings from Sophos put the total at over $5.9 million from 233 victims, with the take still rising at roughly $300,000 per month.

Researchers tracked the Bitcoin wallet addresses cited in the ransom notes of successive SamSam versions. Sophos reports 157 distinct addresses that have received ransom payments, plus a further 89 addresses that appeared in ransom notes but have received no payment so far.

SamSam stands out from most ransomware chiefly in how it is distributed. Rather than relying on mass spam campaigns, the attackers hand-pick their victims. Initial access is typically obtained over Remote Desktop Protocol (RDP), either by brute-forcing weak passwords or by logging in with stolen credentials bought on dark-web markets. Once inside, the attackers work through the network themselves, exploiting weaknesses in other systems before deploying the ransomware across them.

Unlike WannaCry and NotPetya, which spread on their own, SamSam has no self-propagation: a human operator distributes it, which makes the attack far more controlled. Once established in a network, it encrypts critical data and demands a hefty ransom, often exceeding $50,000 in Bitcoin, for the keys needed to decrypt the affected systems.

Another notable feature is the order in which SamSam encrypts. It works through files in tiers, encrypting the most valuable data first and lower-priority files afterwards, so the damage that matters most is done before anyone can react. Combined with manual deployment, this gives the operators tight control: there is no uncontrolled spreading to draw unwanted attention, and they know precisely which machines they have hit.

Large organizations have been the predominant targets, with significant incidents affecting municipal governments, transportation departments, hospitals and educational institutions, among them Mississippi Valley State University. The largest single ransom payment identified was $64,000, reflecting the high stakes involved.

Sophos found that 74 percent of identified victim organizations are in the United States, with the rest spread across Canada, the UK and the Middle East. Given how SamSam gets in, the defensive priorities are clear: keep regular backups somewhere the ransomware cannot reach from a compromised network, require multi-factor authentication for remote access, restrict RDP to a VPN or management network rather than exposing it to the internet, and keep systems and software patched.
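Because the entry point described above is password guessing against exposed RDP, the most useful early warning is a burst of failed RemoteInteractive logons from one source, especially when a success follows it. The script below is an added example, not code from Sophos or from the original article: it runs the detection over a constructed, simplified set of Windows Security events (4625 = failed logon, 4624 = successful logon, logon type 10 = RDP). The field names, the 10-failures-in-5-minutes threshold and the sample IPs and user names are assumptions for illustration; in practice the events would come from the Security log or a SIEM export.

```python
"""Flag RDP brute-force bursts in (simplified) Windows Security events.

Added example; the event layout and thresholds below are assumptions.
Event IDs are real Windows ones: 4625 failed logon, 4624 successful logon;
LogonType 10 is RemoteInteractive, i.e. an RDP session.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 10          # failures from one IP ...
WINDOW = timedelta(minutes=5)  # ... inside this sliding window


def _ev(t, eid, ip, user, logon_type=10):
    """Build one simplified event record (constructed sample data)."""
    return {"time": datetime.fromisoformat(t), "id": eid,
            "logon_type": logon_type, "ip": ip, "user": user}


# Constructed sample log, not a real capture.
SAMPLE_EVENTS = (
    # Attacker: 12 failed RDP logons in under a minute against admin-like
    # names, then a success with the last name tried.
    [_ev(f"2018-07-30T02:14:{s:02d}", 4625, "203.0.113.7", u)
     for s, u in zip(range(0, 60, 5), ["administrator", "admin", "backup"] * 4)]
    + [_ev("2018-07-30T02:15:30", 4624, "203.0.113.7", "backup")]
    # Legitimate admin: two typos then success from the management subnet.
    + [_ev("2018-07-30T08:01:00", 4625, "10.0.5.20", "jdoe"),
       _ev("2018-07-30T08:01:20", 4625, "10.0.5.20", "jdoe"),
       _ev("2018-07-30T08:01:40", 4624, "10.0.5.20", "jdoe")]
    # A network (type 3) failure that must be ignored by an RDP detector.
    + [_ev("2018-07-30T08:05:00", 4625, "10.0.5.21", "svc_sql", logon_type=3)]
)


def find_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {ip: record} for sources with >= threshold failed RDP logons
    inside a sliding window. The record carries the total RDP failures, the
    user names tried, when the threshold was first crossed, and whether a
    successful RDP logon from that source followed (the worst case)."""
    events = sorted(events, key=lambda e: e["time"])
    recent = defaultdict(list)   # ip -> failure times still inside the window
    totals = defaultdict(int)
    users = defaultdict(set)
    flagged = {}
    for e in events:
        if e["logon_type"] != 10:
            continue  # only RemoteInteractive (RDP) logons are of interest here
        ip = e["ip"]
        if e["id"] == 4625:
            totals[ip] += 1
            users[ip].add(e["user"])
            q = recent[ip]
            q.append(e["time"])
            while q and e["time"] - q[0] > window:
                q.pop(0)  # drop failures that have aged out of the window
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = {"first_flagged": e["time"], "success_after": False}
        elif e["id"] == 4624 and ip in flagged:
            # A success after the burst means guessing (or stolen creds) worked.
            flagged[ip]["success_after"] = True
    for ip, rec in flagged.items():
        rec["failures"] = totals[ip]
        rec["users"] = sorted(users[ip])
    return flagged


if __name__ == "__main__":
    for ip, rec in find_bruteforce(SAMPLE_EVENTS).items():
        verdict = "SUCCESSFUL LOGON AFTER BURST" if rec["success_after"] else "burst only"
        print(f"{ip}: {rec['failures']} RDP failures, users {rec['users']}, "
              f"threshold crossed {rec['first_flagged']:%H:%M:%S} -> {verdict}")
```

The two-typo admin from 10.0.5.20 never reaches the threshold and is not reported, while 203.0.113.7 is flagged as soon as its tenth failure lands and then escalated when the 4624 arrives. In a real deployment the "success after burst" case is the one to page on, since it is the point at which SamSam's operators would start moving through the network by hand.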

Mapped onto the MITRE ATT&CK framework, the SamSam pattern covers initial access through an exposed remote service (External Remote Services, T1133) by brute force (T1110) or with valid stolen accounts (T1078), privilege escalation and lateral movement to reach the rest of the network, command and control of the compromised hosts by the operators, and finally Data Encrypted for Impact (T1486). Understanding these tactics helps organizations decide where to invest as they harden themselves against such threats.
