Research from cybersecurity firm Sophos shows that the SamSam ransomware has grossed its creator nearly $6 million in Bitcoin since late 2015
Despite extensive investigation, cybersecurity firms and law enforcement have been unable to find any clues that lead back to SamSam's creator. Sophos identified at least 233 victims who paid the ransom and noted that the amount demanded to unlock machines ballooned over time to an average of around $50,000, “vastly more than the three-figure sums typical of untargeted ransomware attacks.” The total proceeds, $5.9 million, dwarf previous estimates of around $850,000.
What stands out about SamSam is how long it has operated outside the reach of law enforcement. Since its emergence in 2015, when an early beta build was first spotted, there has been no positive identification of who is behind it. The FBI issued a flash alert in 2016 asking businesses to share information about the ransomware (then referred to as Samas). The FBI said the ransomware allowed criminals to “demand considerable sums of money in return for decryption keys”.
The report also notes that the party behind SamSam grew more cautious over time. The ransomware has gone through three major revisions, each adding further protection measures: hex encoding, garbage code intended to defeat automated detection systems, and an encrypted payload that only runs when the attacker supplies a password.
Security companies, including Sophos, believe SamSam is run by a very small group of cybercriminals or even a single individual. “We don't believe they're a native English speaker,” Mackenzie says. The ransomware code contains consistent spelling mistakes (dark red is written as drak red), and in the ransom notes and the help files provided to guide victims through payment, capital letters often follow commas.
Sophos researchers also partnered with Neutrino, a digital currency and blockchain data monitoring firm, to examine SamSam’s Bitcoin transaction records. The pair traced each Bitcoin transaction to find victims, and funds, that earlier reports had missed. In total, Sophos and Neutrino identified 157 unique Bitcoin addresses that received ransom payments. The combined study also found 89 Bitcoin addresses that were listed in ransom notes but never received a payment. Overall, the SamSam operator(s) used three wallets, only one of which is still active.
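The tracing described above (which note addresses were actually paid, how much arrived, and how many distinct wallets the receiving addresses collapse into) is the kind of analysis a practitioner can reproduce once the transactions are in hand. The following is an added example, not code from Sophos or Neutrino. It uses the standard common-input-ownership heuristic (every input address spent in one transaction is assumed to belong to the same wallet) with a union-find over a small set of constructed transactions; the addresses, amounts and transaction shapes are fabricated placeholders, not real chain data. Note that the sample reuses one note address across two victims, which is consistent with 233 paying victims landing on only 157 addresses.

```python
"""Ransom-address reconciliation and wallet clustering (added example).

Amounts are integer satoshis to avoid floating-point drift. The data below
is constructed for illustration; nothing here is taken from the real chain.
"""
from collections import defaultdict

# Hypothetical addresses listed in ransom notes (placeholders).
RANSOM_NOTE_ADDRESSES = {"A1", "A2", "A3", "A4", "A5", "A6"}

# Constructed transactions: inputs = addresses spent, outputs = (address, sats).
TRANSACTIONS = [
    {"inputs": ["V1"], "outputs": [("A1", 150_000_000)]},   # victim 1 pays A1
    {"inputs": ["V2"], "outputs": [("A2", 200_000_000)]},   # victim 2 pays A2
    {"inputs": ["V6"], "outputs": [("A2", 100_000_000)]},   # victim 6 also pays A2 (address reuse)
    {"inputs": ["V3"], "outputs": [("A3",  80_000_000)]},   # victim 3 pays A3
    {"inputs": ["V4"], "outputs": [("A5", 320_000_000)]},   # victim 4 pays A5
    # Operator sweeps A1 and one of A2's UTXOs together: same wallet.
    {"inputs": ["A1", "A2"], "outputs": [("X1", 349_000_000)]},
    # A second sweep spends A2's other UTXO with A3: links A3 transitively.
    {"inputs": ["A2", "A3"], "outputs": [("X2", 179_000_000)]},
    # A5 is swept alone: nothing ties it to the first wallet.
    {"inputs": ["A5"], "outputs": [("Y1", 319_000_000)]},
]


class DisjointSet:
    """Minimal union-find with path compression."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def received_by_address(transactions):
    """Sum of satoshis ever credited to each output address, plus payment counts."""
    totals, counts = defaultdict(int), defaultdict(int)
    for tx in transactions:
        for addr, sats in tx["outputs"]:
            totals[addr] += sats
            counts[addr] += 1
    return totals, counts


def cluster_wallets(transactions, addresses):
    """Group addresses that ever appear as co-inputs of one transaction.

    Common-input-ownership heuristic: all inputs of a transaction are assumed
    to be controlled by one wallet. Only the requested addresses are reported.
    """
    ds = DisjointSet()
    for tx in transactions:
        ins = tx["inputs"]
        for other in ins[1:]:
            ds.union(ins[0], other)
    clusters = defaultdict(set)
    for addr in addresses:
        clusters[ds.find(addr)].add(addr)
    return [frozenset(c) for c in clusters.values()]


def summarize(transactions, note_addresses):
    """Reconcile note addresses against the chain and cluster the paid ones."""
    totals, counts = received_by_address(transactions)
    paid = {a for a in note_addresses if totals.get(a, 0) > 0}
    unpaid = set(note_addresses) - paid
    return {
        "paid": paid,
        "unpaid": unpaid,
        "payment_count": sum(counts[a] for a in paid),
        "total_sat": sum(totals[a] for a in paid),
        "wallets": cluster_wallets(transactions, paid),
    }


if __name__ == "__main__":
    result = summarize(TRANSACTIONS, RANSOM_NOTE_ADDRESSES)
    print(f"paid addresses:   {sorted(result['paid'])}")
    print(f"unpaid addresses: {sorted(result['unpaid'])}")
    print(f"payments: {result['payment_count']}, total: {result['total_sat'] / 1e8:.2f} BTC")
    for wallet in result["wallets"]:
        print("wallet:", sorted(wallet))
```

The heuristic is deliberately conservative: it only merges addresses that were spent together, so it can undercount wallets it should have merged (separate change addresses are never linked) but rarely merges unrelated parties, except where a mixing service or CoinJoin-style transaction is mistaken for a single owner. A real investigation layers change-address and timing heuristics on top of this.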
SamSam is now on its third version, and it is still improving. Encryption now runs late at night, when victims are unlikely to be watching their networks in real time. Ransom notes and the Bitcoin payment sites, hosted on the Tor network, are unique to each victim, and if the encryption process is detected the malware self-destructs, leaving little evidence to analyze.
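The late-night encryption run described above is a behaviour defenders can look for even when no signature matches: a single account on a file server suddenly touching a large number of files outside business hours. The following detector is an added example, not code from Sophos or from the article, and it runs over fabricated file-server audit lines in a simple key=value format that is assumed for illustration. It buckets write-type events per (host, user) into fixed windows, flags windows whose count exceeds a threshold, and marks whether the window falls outside business hours; the 07:00 to 19:00 weekday window and the threshold of 20 events per five minutes are assumptions to tune per environment.

```python
"""Off-hours file-modification burst detector (added example).

Input format (assumed for this example, not a real product's log format):
    <ISO-8601 timestamp> host=<name> user=<name> op=<write|rename|delete|read> path=<path>
"""
import re
from collections import defaultdict
from datetime import datetime, time, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) op=(?P<op>\S+) path=(?P<path>.+)$"
)
WRITE_OPS = {"write", "rename", "delete"}          # ops that can indicate encryption in progress
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)   # assumed business hours (local time)


def parse_line(line):
    """Return a dict for a well-formed line, or None so malformed input is skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def is_off_hours(ts):
    """Weekend, or outside the assumed business window on a weekday."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def detect_bursts(lines, window_minutes=5, threshold=20):
    """Flag (host, user) pairs exceeding `threshold` write-type events in one window."""
    counts = defaultdict(int)
    first_seen = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["op"] not in WRITE_OPS:
            continue
        bucket = (ev["ts"].date(), (ev["ts"].hour * 60 + ev["ts"].minute) // window_minutes)
        key = (ev["host"], ev["user"], bucket)
        counts[key] += 1
        first_seen.setdefault(key, ev["ts"])
    alerts = []
    for key, n in sorted(counts.items()):
        if n >= threshold:
            host, user, _ = key
            start = first_seen[key]
            alerts.append({
                "host": host,
                "user": user,
                "start": start,
                "events": n,
                "off_hours": is_off_hours(start),
            })
    return alerts


def _make_lines(start, host, user, n, step_seconds, op="write"):
    """Generate constructed audit lines; purely synthetic sample data."""
    return [
        f"{(start + timedelta(seconds=i * step_seconds)).isoformat(timespec='seconds')} "
        f"host={host} user={user} op={op} path=/srv/share/doc{i}.docx"
        for i in range(n)
    ]


# Constructed sample log (2018-06-12 is a Tuesday):
#  - svc_admin touches 30 files within one minute at 02:14: off-hours burst
#  - alice writes six files spread across the morning: normal activity
#  - bob writes 25 files at 14:00: a daytime burst, flagged but not off-hours
#  - one read event and one malformed line, both ignored
SAMPLE_LOG = (
    _make_lines(datetime(2018, 6, 12, 2, 14, 5), "FS01", "svc_admin", 30, 1)
    + _make_lines(datetime(2018, 6, 12, 9, 3, 0), "FS01", "alice", 6, 600)
    + _make_lines(datetime(2018, 6, 12, 9, 5, 0), "FS01", "alice", 1, 1, op="read")
    + ["this line is not parseable"]
    + _make_lines(datetime(2018, 6, 12, 14, 0, 0), "FS02", "bob", 25, 1)
)

if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG):
        tag = "OFF-HOURS" if alert["off_hours"] else "business hours"
        print(f"{alert['start']} {alert['host']} {alert['user']}: "
              f"{alert['events']} write events in one window ({tag})")
```

In practice the off-hours flag is what separates a backup job or a bulk copy from an encryption run, so it belongs in the alert's severity rather than in the filter: a daytime burst still deserves a look, while an off-hours burst from an account that never works nights should page someone. Known batch accounts and their schedules should be allow-listed before such a rule goes live.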