Sophos reveals SamSam, the almost Six Million Dollar Ransomware
SamSam ransomware has affected far more victims than previously thought since it appeared in the wild in December 2015, and has raised vastly more in ransom than previously estimated: almost $6 million, Sophos states.
What sets SamSam apart from other ransomware is its use in targeted attacks by a skilled team or individual, who break into a victim’s network, surveil it and then run the malware manually. The attack method is hands-on, and more cat burglar than smash-and-grab.
“Unlike other ransomware, SamSam encrypts not only document files, images, and other personal or work data, but also configuration and data files required to run applications. Victims whose backup strategy only protects the user’s documents and files won’t be able to recover a machine without reimaging it first,” Sophos stated.
The attacks are tailored to cause maximum damage and ransom demands are measured in the tens of thousands of dollars.
“Payment is made by victims in bitcoin via a custom ‘payment site’ on the dark web that is at a unique address for each victim organization. The SamSam attacker has received ransom payments as high as $64,000, based on analysis of ransom payments to the Bitcoin wallets tracked,” Sophos stated.
By tracking Bitcoin addresses supplied on ransom notes and sample files, and by working with the firm Neutrino, Sophos has calculated that SamSam has earned its creator(s) more than US$5.9 million since late 2015.
Sophos estimates that the SamSam attacker earned an average of a hair under US$300,000* per month in 2018, and that the largest single ransom received by the SamSam attacker was valued at $64,478* (at the time of payment).
Sophos has determined that 74% of the known victims are based in the United States. Other regions known to have suffered attacks include Canada, the UK, and the Middle East.
SamSam is a particularly thorough encryption tool, rendering not only work data files unusable but any program that isn’t essential to the operation of a Windows computer, most of which are not routinely backed up.
Recovery may require reimaging and/or reinstalling software as well as restoring backups. The attacker is very good at covering their tracks and appears to be growing increasingly paranoid (or experienced) as time passes, gradually adding more security features to their tools and websites.