The SamSam ransomware has always been a bit different. Unlike many ransomware infections, its victims are targeted rather than random -- and the attacker establishes a presence on the victim network before beginning the encryption process.
Victims this year include the
City of Atlanta,
Allscripts, Adams Memorial Hospital, Colorado Department of Transportation and the Mississippi Valley State University. It could seem that SamSam targets health, education and government; but a new and detailed analysis of SamSam from Sophos shows this is not the case -- and its success rate is far higher than previously thought.
"Sophos have discovered that these three sectors account for fewer than half of the total number of organizations we believe have been victims of SamSam, and it's the private sector who have suffered the most (and disclosed the least)."
By following the money and tracking the Bitcoin payment wallets with help from Neutrino (a firm that specializes in tracking cryptocurrency flows), Sophos researchers have estimated that the SamSam attacker has netted more than $5.9 million dollars since version 1 (it is now at version 3) began being used in January 2016. The attacker is currently collecting an average of $300,000 per month. Sophos estimates that about 233 victims have paid a SamSam ransom.
The attacker is thought to be a single person working alone rather than a criminal or nation-state gang. He (or she) is proficient, although not perfect, in the English language; but probably comes from a country where English is not the first language. He does not boast about his exploits and has no known social media presence, where linguistic tells within has ransomware might provide clues to his identity. At this point, his identity and nationality are unknown.
Sophos researchers have tracked (
PDF) the evolution of SamSam through its three versions. It shows a developer getting evermore proficient in his craft. The basic MO is to select the targets, possibly through publicly available search engines such as Shodan or Censys, to access the network, to elevate privilege and reconnoiter, and then encrypt everything he can access. The encryption itself is usually done overnight to reduce the chance of detection.
