SamSam Ransomware’s $6 Million Payment Haul: Sophos Analysis
No one yet knows the identity of the shadowy SamSam ransomware kidnappers, said to be responsible for pilfering some $6 million since January, 2016 from hospitals, schools, municipal government, even a charity, and private businesses.
But security specialist Sophos has put in six months of work to compile what it believes is a thorough examination of the SamSam ransomware, its attack methods and subsequent demands, in a new report SamSam: The (Almost) Six Million Dollar Malware.
From the Sophos report, it can be said that the SamSam’ers are different from other cyber attackers both philosophically and operationally:
- They aren’t attention seeks, declining to tout their hijackings on the web and leaving as few traces as possible to avoid detection and uncloak their anonymity, which on its own serves as a potent weapon.
- Their encryption attacks are timed for the middle of the night when their victims are less likely to notice anything amiss.
- The attackers first use brute force to take command of a single machine on the network and then aim to overtake a domain administrator machine. There’s no one-sey, two-sey attacks: The payload is distributed to every workstation on a local network domain and executed simultaneously.
- The hackers launch the attacks using open source and commercial network administrator tools. The victim’s most valuable data is encrypted first.
Most of SamSam’s dirty work is done in the U.S., which has 74 percent of the overall victim population. Others are the U.K. at eight percent, Belgium at six percent, Canada at five percent and Australia at two percent. The remainder is one percent each for India, the UAE, Demark, Estonia and the Netherlands.
Here are some other key findings from the report:
- The largest ransom paid by an individual victim, so far, is $64,000, a large sum when compared to other ransomware.
- The private sector comprises about half of SamSam’s victims.
- Unlike most other ransomware, SamSam encrypts not only document files, images, and other personal or work data, but also configuration and data files required to run applications.
- Victims whose backup strategy only protects the user’s documents and files won’t be able to recover a machine without re-imaging it first.
- Every subsequent attack shows a progression in sophistication and an increasing awareness by the entity controlling SamSam of operational security.
The cost to victims has climbed dramatically, and the tempo of attacks shows no sign of slowdown, Sophos said. “About one in four victims, according to our research, have paid the ransom rather than trying to recover from backups,” wrote Andrew Brandt, a principal researcher for Sophos,” in a blog post. “We find out about new victims almost every week,” he said.
There’s some signs that the SamSam’ers have an ironic side to them. Immediately ahead of its report, Sophos said, the attackers launched a new offensive aimed at undermining the vendor’s reputation. It seems like the latest version of files locked down by the malicious code now has a .sophos extension, just for good measure.
“Yeah, it’s a cute distraction, but it also says something important: We must be giving the right person or people a particularly hard time if they’re so irritated by us that they feel compelled to call us out by name. Giving bad guys a bad day makes me feel warm and fuzzy inside,” wrote Brandt.