Since 2015, the cybercriminals behind the SamSam ransomware have extorted nearly $6 million in payouts from individuals, companies and government organizations. No one is immune to the group's demands: its extremely targeted approach continues to net the criminal gang up to $300,000 per month.
Follow The Money…
IT security company Sophos has been able to follow payments to the crime network by tracking Bitcoin addresses that are declared on the digital ransom notes sent to victims. Researchers have found that to date nearly $6 million in ransom has been paid by around 233 targets. The largest payment to the group by an individual was $64,000, and governmental organizations targeted by the ransomware include hospitals, universities, municipal organizations and even entire cities. The city of Atlanta and the Colorado Department of Transportation have both suffered attacks by the group.
How Does It Work?
SamSam is not a random malware infection that one can pick up via email or by clicking the 'wrong' link on a website. SamSam victims are carefully preselected, and the targeted systems are infected manually. The attackers gain entry with stolen credentials bought on the Dark Web, by exploiting vulnerabilities in exposed remote desktop protocol (RDP) and file transfer protocol (FTP) servers, or by brute-force attacks against weak passwords. The ransomware is then deployed by a human attacker who systematically infects the entire network before sending out the ransom demand.
Once the attacker is in the system, it is effectively locked down and the data encrypted (in effect, kidnapped); the only way to regain access to the data is to pay the ransom in exchange for the decryption keys. Most ransomware is released 'into the wild', so it is not easily controlled or tracked; SamSam, though, is frighteningly specific. Targets are researched carefully, attacks are coordinated, and very often the victim does not report the cybercrime for fear of losing the data forever. The loss of important data for a hospital, university or an entire city could be catastrophic, so victims are more inclined to pay the ransom than risk the collapse of their entire organization.
Why do people pay the ransom? Because the cost of the fix is almost always more expensive, and more time consuming, than the ransom. Where the ransom was not paid, as in the city of Atlanta, the cost of the fix was reported to be around $2.6 million, against the $51,000 demanded in the ransom.
You Can’t Stop SamSam, But You Can Prevent An Attack
While there is nothing to be done once your data is encrypted, prevention is, as always, infinitely better than cure, and having systems and protocols in place to prevent access is the best way to minimize the risk. Keep software and systems up to date, restrict remote access (RDP and FTP exposure in particular), implement multi-factor, multi-device authentication on systems, and ALWAYS keep an offline, preferably air-gapped, backup of everything that you have verified can actually be restored.
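As an added example, not from the original article, the Python script below shows a defender-side check for the RDP brute-force entry route described above: it runs over a few constructed Windows Security log lines in a simplified, assumed format and flags any source address with a burst of failed RDP logons, noting whether a successful logon from the same address followed the burst (the pattern that precedes a hands-on-keyboard intrusion). Event IDs 4625/4624 and logon type 10 are real Windows values; the line format, addresses and account names are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a simplified (assumed) export format of Windows Security log lines.
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2018-07-30T02:14:01 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2018-07-30T02:14:03 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2018-07-30T02:14:04 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.45
2018-07-30T02:14:06 EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.45
2018-07-30T02:14:09 EventID=4625 LogonType=10 TargetUser=sqlsvc SourceIP=203.0.113.45
2018-07-30T02:14:12 EventID=4624 LogonType=10 TargetUser=backup SourceIP=203.0.113.45
2018-07-30T09:05:00 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.7
2018-07-30T09:05:30 EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.7
"""
LINE_RE = re.compile(r"^(\S+) EventID=(\d+) LogonType=(\d+) TargetUser=(\S+) SourceIP=(\S+)$")

def parse(log_text):
    """Parse lines into (timestamp, event_id, logon_type, user, source_ip) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, eid, ltype, user, ip = m.groups()
            events.append((datetime.fromisoformat(ts), int(eid), int(ltype), user, ip))
    return events

def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed RDP logons inside `window`, plus any later success."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, eid, ltype, user, ip in events:
        if ltype != 10:
            continue  # only RDP (RemoteInteractive) logons are of interest here
        if eid == 4625:
            failures[ip].append((ts, user))
        elif eid == 4624:
            successes[ip].append((ts, user))
    alerts = {}
    for ip, fails in failures.items():
        fails.sort()
        for i, (t0, _) in enumerate(fails):  # window anchored at each failure in turn
            burst = [(t, u) for t, u in fails[i:] if t - t0 <= window]
            if len(burst) >= threshold:
                burst_end = burst[-1][0]
                later = [u for t, u in sorted(successes[ip]) if t >= burst_end]
                alerts[ip] = {"failures": len(burst), "users": sorted({u for _, u in burst}),
                              "success_after": later[0] if later else None}
                break
    return alerts
```

A real deployment would read these fields from the event log rather than a text export, and a "success_after" hit should be treated as a probable credential compromise, not just a noisy scan.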