SamSam ransomware collected almost $6 million from ransom payments

People behind SamSam ransomware have extorted millions from various corporates

SamSam ransomware attacks have raised nearly $6 million for their owners. The latest victim - Labcorp.

According to the latest Sophos report,^[1] since December 2015, SamSam ransomware had extorted almost $6 million from its victims. All this money had been collected only from 233 victims that included hospitals and other governmental authorities. It is also known that criminals behind this virus had been gaining around $300000 per month.

SamSam ransomware^[2] works just like any other cryptovirus – it targets the system via an infected email message, encrypts victim's files or server and demands the ransom. To recover encrypted data, the victim is asked to use Bitcoin or similar cryptocurrency which should be sent to the given crypto wallet.

What makes this ransomware different from other ones is the ransom amount. So far, the biggest payment victim has paid for recovering after the SamSam attack is $64000. It is quite an achievement, especially when having in mind that a typical ransom payment is from $100 to $5000. Also, it is almost obvious that the developers of this virus are mainly targeting big organizations, such as hospitals^[3], educational institutions, governmental authorities and similar representatives of the public sector.

However, this ransomware works in a slightly different manner as it has no self-spreading feature. The virus is spread by the human attacker. After choosing a potential target, hackers infect the system by compromising RDP^[4]. It is done either by conducting brute force attack or by using stolen credentials. Also, they use system vulnerabilities to spread the virus further. Once installed on the entire network, the virus starts the encryption procedure. After encrypting the whole network, the virus requires sending around $30000. That explains why hackers hiding behind this malware needed only 200 payments to collect $5 million.

Big companies paid big money for ransomware developers

According to researchers, most of the victims are from the United States. However, the UK, Canada, and Belgium have also been affected. Half of the victims who paid the ransom belong to the private sector. The next big part of victims is hailing from the health sector, then – government representatives and education sector. It is more than obvious that each of these corporates has been pre-selected very carefully by the attackers themselves.

It took two weeks and $2.6 M for the city of Atlanta^[5] to recover from SamSam ransomware attack on March 2018. The virus multiplied throughout computer networks. City's representatives haven't revealed whether they paid the ransom or not. Other attacks compromised municipality of Farmington, New Mexico, numerous hospitals, magazines, and different companies.

Ransomware is spread using multiple methods

The most common way of spreading ransomware is the spam. Malspam^[6] is considered to be one of the easiest ways to deliver malware because it needs only an infected email attachment and a gullible victim who can be easily convinced to open the message. As for ransomware, email messages are typically filled with macro-viruses that are launched right after the victim is convinced to enable macros on the target computer system.

While trying to trick people into downloading these attachments, hackers typically rely on social engineering. They typically use misleading titles and subject lines, the names of well-known companies, and similar tricks that could convince the victim that an email is reliable.