The 47-page report established that the ransomware has earned its developer around $6 million in Bitcoin to date. The study is being called the most comprehensive research on the ransomware yet, drawing on several sources: victims' testimony, earlier SamSam attacks, and data-mining of payment patterns. According to the detailed analysis by Sophos' researchers, a total of 299 victims were targeted for ransom.
The study found that SamSam operates very differently from most other ransomware. Where most ransomware is mass-distributed through email spam, phishing websites and malware-laced advertising, SamSam's operators picked their victims one at a time. At first they probed for weaknesses in exposed JBoss application servers in order to copy the ransomware onto the network. When JBoss exploitation failed, the attackers turned to the dark web to obtain access to poorly defended machines with insecure RDP exposure, and used those as their way into the network.
Once inside, the SamSam operators spend days on the network, escalating privileges until they hold domain administrator rights. They then scan for target computers and deploy the malware with legitimate Windows network administration tools such as PsExec. On each targeted machine SamSam behaves like any other ransomware: it encrypts the data and leaves a ransom note behind.
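The two behaviours described above, failed RDP logons hammering a perimeter host and PsExec-style service installs once the operators hold domain admin, both leave traces in standard Windows event logs. The following detection logic is an added example written for this article, not code from the Sophos report or from SamSam itself. The event records are constructed by hand, and the field names, the ten-failures-in-five-minutes threshold and the reduced log schema are assumptions of the example; the PSEXESVC service name is PsExec's default and is what the rule keys on.

```python
"""Constructed example: flag SamSam-style activity in Windows event records.

Rule 1 (RDP brute force): many failed logons (Security Event ID 4625) from a
single source address inside a short window.
Rule 2 (PsExec-style deployment): a service installed on a host (System Event
ID 7045) whose name or binary is PsExec's default PSEXESVC.

Every record below is hand-written for illustration, not real telemetry, and
the field names are a simplified stand-in for the real event XML.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _failed_logon(ts, src_ip, user, host="RDP-GW01"):
    # Minimal 4625 record. Note: with Network Level Authentication enabled,
    # failed RDP logons are often recorded with logon type 3 rather than 10,
    # so the rule below keys on the event ID and source address, not the type.
    return {"time": ts.isoformat(timespec="seconds"), "host": host, "id": 4625,
            "src_ip": src_ip, "user": user, "logon_type": 10}


_base = datetime(2018, 3, 1, 2, 10, 0)
SAMPLE_EVENTS = (
    # 12 failures from one external address in under two minutes: brute force.
    [_failed_logon(_base + timedelta(seconds=10 * i), "198.51.100.7", "administrator")
     for i in range(12)]
    # Two typos from an internal workstation hours apart: benign noise.
    + [_failed_logon(datetime(2018, 3, 1, 14, 2, 0), "10.20.30.40", "jsmith"),
       _failed_logon(datetime(2018, 3, 1, 16, 45, 0), "10.20.30.40", "jsmith")]
    # Two service installs: one is PsExec's default service, one is vendor software.
    + [{"time": "2018-03-03T23:40:12", "host": "FS01", "id": 7045, "service": "PSEXESVC",
        "image": "%SystemRoot%\\PSEXESVC.exe", "account": "CORP\\backupadm"},
       {"time": "2018-03-03T09:00:00", "host": "WS22", "id": 7045, "service": "VendorUpdater",
        "image": "C:\\Program Files\\Vendor\\updater.exe", "account": "LocalSystem"}]
)


def detect_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Return {src_ip: {"count", "first"}} for addresses whose failed logons
    reach `threshold` inside any `window`-long span (sliding window per IP)."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e.get("src_ip"):
            failures[e["src_ip"]].append(datetime.fromisoformat(e["time"]))
    hits = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = {"count": end - start + 1, "first": times[start].isoformat()}
                break
    return hits


def detect_psexec_service(events):
    """Return one hit per 7045 event whose service name or image path is
    PsExec's default PSEXESVC. A renamed PsExec binary evades this string match,
    so in practice baseline all 7045 events per host and account as well."""
    hits = []
    for e in events:
        if e["id"] != 7045:
            continue
        name = e.get("service", "").upper()
        image = e.get("image", "").upper()
        if "PSEXESVC" in name or "PSEXESVC" in image:
            hits.append({"host": e["host"], "account": e.get("account"), "time": e["time"]})
    return hits


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"RDP brute force from {ip}: {info['count']} failures from {info['first']}")
    for hit in detect_psexec_service(SAMPLE_EVENTS):
        print(f"PsExec service install on {hit['host']} by {hit['account']} at {hit['time']}")
```

The brute-force rule deliberately ignores the logon type field, because the value seen for failed RDP attempts depends on whether NLA is in use; the PsExec rule is only a first filter, since the operators can rename the binary, so the 7045 event itself, correlated with the account and host, is the signal worth alerting on.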
Neutrino, a blockchain and cryptocurrency monitoring firm, partnered with Sophos on the SamSam research. Together they examined SamSam's Bitcoin transactions, linking payments to individual victims and tracing where the funds went.
Sophos and Neutrino identified 157 Bitcoin addresses that received SamSam ransom payments. The operators used three wallets, of which only one is still active; that mobile wallet has received Bitcoin payments from 8 different addresses. The report suggests that SamSam has extorted around $300,000 per month from its victims, most of them in the private sector. The research also found that 74 percent of the victims are in the United States, another 8 percent in the United Kingdom, and the remainder in Canada and other countries.
Sophos' report also notes that SamSam grows more capable with every update. The study reads, “Since the end of 2015, SamSam has evolved to focus on two main objectives: First, to improve the deployment method so that the impact on victims is greater; Second, to make the analysis of the attacks harder, further helping to keep the attacker’s identity a secret.”