For the past three years, the group behind SamSam ransomware has targeted their attacks at hospitals and healthcare organizations, as well as public entities such as the city of Atlanta, and has collected nearly $6 million in illicit gains in doing so, according to new research from Sophos.

In the past seven months, the group behind SamSam has averaged about $300,000 per month in ransom, with the highest single payout topping $64,000.

These and other findings are part of a report Sophos released on Tuesday that details the methods behind this particular ransomware attack, and some of the motivations of the person or persons behind it.

Although SamSam has been associated with attacks on healthcare and hospitals, as well as public entities, Sophos researchers believe that other organizations have also been targeted, but have not been as public about the attacks. The report finds that about half the number of victims have remained silent.

SamSam Timeline
\r\n(Source: Sophos)\r\n

"From the victims we have identified 50% are in the private sector, with none of them going public. We do not believe this is specifically targeted against healthcare," Peter Mackenzie, the Global Malware Escalation Manager at Sophos, wrote in an email to Security Now.

What makes SamSam different than other types of well-known ransomware, such as WannaCry, is that it's carefully deployed at specific targets instead of being used in "drive-by attacks" meant to cause major disruptions. Also, the underlying software in SamSam is not based on EternalBlue exploits, but uses more conventional open source tools that have been manipulated in order to steal passwords or move the ransomware around the network. (See WannaCry: How the Notorious Worm Changed Ransomware.)

"This is not related to EternalBlue or any of the other vulnerabilities disclosed with it," Mackenzie wrote. "We believe that the majority of the malicious files were created by the attacker themselves, while also utilizing publicly available hacking tools such as Mimikatz. It is important to understand that SamSam does not spread like WannaCry (it is not a worm/virus) instead it is deployed like a legitimate application."

The July 31 Sophos report finds that a SamSam attack starts with a Remote Desktop compromise of a specific machine within the enterprise network. The attacker has also deployed exploits at vulnerable machines to perform remote code execution.

Here, Sophos finds that the group behind SamSam uses more purposeful and targeted methods to attack networks. The researchers found that attacks usually begin in the middle of the night when system admins and the security team are asleep or off-duty and not paying attention to the network.

What also makes SamSam particularly difficult to stop is that once inside the network the malware not only encrypts document files, images and other data that is essential to the running of the business, but also the platforms that run the applications, such as Microsoft Office.

Additionally, SamSam contains a hardcoded list of file extensions that target specific files. The malware will then encrypt those files before any others, which shows the group targets specific victims. Over the years, those behind SamSam have also gotten better at avoiding endpoint security.

(Source: Sophos)\r\n

Once the ransomware starts and the files are encrypted, the victim is directed to a "payment site" on the Dark Web, where the person or persons behind the attack demand ransom in the form of Bitcoin. The cryptocurrency is later laundered to help the attackers hide their gains.

These methods have netted about $5.9 million in Bitcoin since SamSam was first spotted in the wild in 2015, according to Sophos's calculations and research.

In his email, Mackenzie noted that the group behind SamSam is either a single person or a very small group of attackers. It appears the group are English speakers based on ransom messages, and that about 74% of attacks have occurred in the US, although organizations in the UK, Canada and Middle East have also been targeted.

"We believe this to be one person or a small group. Due to the similarity in all the attacks, the language used on ransom notes, help files and communication with the victims. As well as the fact that they have managed to stay anonymous for 2 and a half years," Mackenzie wrote.

Reports about SamSam have surfaced on and off again for the last three years, although the ransomware was recently in the news with an attack against Atlanta, which has cost the city over $2 million so far. (See Unknown Document 734998.)

The group behind SamSam might have also targeted Baltimore's 911 system earlier this year, but Sophos could not confirm that specific attack. (See Atlanta, Baltimore Ransomware Attacks Show Government Agencies' Vulnerabilities.)

Related posts:

• 'RDP Shops' Proliferate Throughout the Dark Web
• Ransomware Attacks Against Healthcare Increased in 2017
• Adware & Cryptomining Remain Top Enterprise Security Threats
• SamSam Ransomware Continues Making Hospitals Sick

— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.