SamSam Ransomware Author Has Made $6 Million in Ransom Payments

August 10, 2018


SamSam ransomware has been used in several attacks on healthcare providers and educational organizations over the past two and a half years. Unlike many other ransomware variants, the ransom demands are substantially higher, usually of the order of tens of thousands of dollars.

What also makes SamSam ransomware different is how it is deployed. While many ransomware variants are installed as a result of employees opening infected email attachments, SamSam ransomware is installed manually after access to a network has been gained.

Access is usually gained through brute force RDP attacks, the exploitation of vulnerabilities, or the use of stolen credentials. While data theft would be possible once network access is achieved, the attacker appears to be interested only in encrypting files on as many computers as possible.

SamSam ransomware was used in the attacks on the electronic health record vendor AllScripts, LabCorp, Cass Regional Medical Center, Allied Physicians of Michiana, Adams Memorial Hospital, and Hancock Health. SamSam was also used in the ransomware attack on the City of Atlanta. 26% of all SamSam ransomware attacks have affected healthcare organizations, with over three-quarters of victims based in the United States.

In the 32 months since the ransomware was first released, its author has reportedly earned nearly $6 million in ransom payments, according to cybersecurity firm Sophos, which has been tracking Bitcoin ransom payments with the assistance of the tracking company Neutrino. According to Sophos, 223 victims have paid the ransom to obtain the keys to unlock their encrypted data. Earlier estimates of the amount earned from SamSam ransomware infections were about $1 million. Far more victims have paid than was originally thought, and many of the attacks have not been announced publicly.

It was previously assumed that the healthcare, government, and education sectors were being targeted, with the private sector escaping relatively unharmed, but that appears not to be the case. According to Sophos, “Based on the much higher number of sufferers now known, it appears that far from being unaffected, the private sector has actually tolerated the effect of SamSam.”

Sophos believes one person is behind the ransomware and all of the attacks. That person is clearly dedicated and skilled. Attacks have occurred at a rate of about one per day, and they commonly take place in the middle of the night, when the chance of an attack being noticed before file encryption begins is much lower.

Unlike WannaCry, the attacker moves laterally by hand and installs the malware using standard administration tools such as PaExec or PsExec. Only once the malware has been installed on all vulnerable devices is the encryption process started.

Although the FBI does not recommend paying ransoms, it is clear why the payments are made. If usable backups do not exist, businesses have little option but to pay the ransom. The ransom payment, although high, is usually far lower than the cost of remediation. Ransom amounts are often about $50,000. By comparison, the SamSam ransomware attack on the City of Atlanta has reportedly cost $19 million to remediate.

One of the key problems with recovering from a SamSam ransomware attack without paying the ransom is that this variant encrypts not only data but also application configuration files. Even if data are recovered, applications fail to work properly. Recovery therefore means more than restoring files from backups: machines must be rebuilt. Sophos recommends that businesses create a plan that will allow them to do this quickly, to limit the cost of an attack.

Good password practices and prompt patching are essential. Backups must be made and stored offline and offsite, vulnerability scans must be carried out regularly, multi-factor authentication must be enforced, and RDP must be disabled. If RDP is required, connections should only ever be allowed through a VPN.
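As an added example that is not from the article or from Sophos, the following Python triage script applies two detections the attack pattern described above suggests: bursts of failed RDP logons (Windows Security event 4625 with logon type 10) from a single address, and PsExec/PaExec service installations (System event 7045). The event records are constructed, simplified stand-ins for real Windows logs, and the threshold and window values are assumptions.

```python
from collections import defaultdict

# Constructed, simplified Windows event records (hypothetical, not real logs).
# EventID 4625 = failed logon; LogonType 10 = RemoteInteractive (RDP).
# EventID 7045 = new service installed; PsExec registers "PSEXESVC", PaExec "PAExec-<pid>-<host>".
BASE_TS = 1533859200
EVENTS = [
    {"id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "administrator", "ts": BASE_TS + 5 * i}
    for i in range(6)  # six failed RDP logons in 30 seconds from one address
] + [
    {"id": 4625, "logon_type": 10, "src": "198.51.100.2", "user": "jsmith", "ts": BASE_TS + 100},  # one typo: benign
    {"id": 4625, "logon_type": 3, "src": "198.51.100.9", "user": "svc_backup", "ts": BASE_TS + 110},  # network logon, not RDP
    {"id": 7045, "host": "fileserver01", "service": "PSEXESVC", "ts": BASE_TS + 7200},
    {"id": 7045, "host": "ws-17", "service": "PAExec-1234-admin-pc", "ts": BASE_TS + 7260},
    {"id": 7045, "host": "ws-18", "service": "BackupAgent", "ts": BASE_TS + 7300},  # ordinary install: ignored
]

REMOTE_EXEC_PREFIXES = ("PSEXESVC", "PAEXEC-")  # assumed naming patterns to match


def rdp_bruteforce_sources(events, threshold=5, window_s=600):
    """Map source IP -> total failed RDP logons, for sources that reached
    `threshold` failures within any `window_s`-second span (sliding window)."""
    times = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e["logon_type"] == 10:
            times[e["src"]].append(e["ts"])
    hits = {}
    for ip, ts in times.items():
        ts.sort()
        for i in range(len(ts) - threshold + 1):
            if ts[i + threshold - 1] - ts[i] <= window_s:
                hits[ip] = len(ts)
                break
    return hits


def remote_exec_service_installs(events):
    """Return (host, service) for 7045 events whose service name matches PsExec/PaExec naming."""
    return [(e["host"], e["service"]) for e in events
            if e["id"] == 7045 and e["service"].upper().startswith(REMOTE_EXEC_PREFIXES)]


def triage(events):
    """Combine both detections into human-readable alert strings."""
    alerts = [f"RDP brute force: {n} failed logons from {ip}"
              for ip, n in rdp_bruteforce_sources(events).items()]
    alerts += [f"remote-exec service installed on {host}: {svc}"
               for host, svc in remote_exec_service_installs(events)]
    return alerts
```

Calling `triage(EVENTS)` on the constructed records yields one brute-force alert for 203.0.113.7 and two service-install alerts; the single mistyped password and the ordinary service install are not flagged.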