SamSam is an example of a manually controlled ransomware, which has been recently identified by researchers.[1]  SamSam ransomware is unique in its nature due to targeted victims and large ransom demands.  The ransomware is active since December 2015 and large organizations including the City of Atlanta, Colorado Department of Transportation, several hospitals and educational institutions, have been successfully attacked.

Infection Technique

SamSam is radically different from other forms of ransomware attacks since it is not distributed in an unplanned and uncontrolled way, which are typically sent via spam emails. Instead, attackers choose potential targets and infect the victim manually.  Samsam does not replicate itself like WannaCry and NotPetya malware, therefore it is void of any virus or worm like capabilities.  Any attempt to replicate itself is manually undertaken by the attackers.  In this way, attackers are averting unwanted attention with exclusive selection of their targets.

A typical SamSam attack screen looks like this:

The primary course of SamSam deployment involves compromising the remote desktop protocol (RDP) on a targeted system, either by Brute force attack or stolen credentials purchased from the dark web.  Once compromised, an attempt is made to strategically deploy ransomware throughout the entire network by exploiting vulnerabilities in other system. 

Once deployed successfully, the ransomware is programmed to encrypt system’s data and demand a huge payment usually more than $50,000.00 USD in Bitcoin for decryption keys.  In a multi-tiered priority system, it is ensured that ransomware encrypts most valuable data first and eventually encrypts everything else that is not in a Windows system related files.

Infection Capability

According to new research revealed, SamSam had extorted nearly $6 billion from its victims since December 2015.  Researchers have tracked Bitcoin addresses owned by attackers mentioned on ransom notes of various SamSam versions and discovered attackers have received more than $5.9 million from 233 victims.  To date, the largest ransom paid by an individual is valued at $64,000, which is a significantly large amount compared to most ransomware families.  SamSam attacks are getting more and more effective since most of the victims do not see any other option to restore their encrypted files.  A total of 157 unique addresses mentioned on ransom notes have received payments.

74% of known victim organization are based in US.  Others are distributed in Canada, the UK and in Middle East countries.  Since the attack is manually driven, no signature can be extracted.  Techniques of infiltration vary with each attack. Since most of the time a manual attack effort is involved, ransom amounts are significantly high.

Mitigation and Prevention Strategies

To protect against this threat, our Small Business Alliance members are urged and  recommended to:

  • Keep regular backups (daily, if possible)
  • Implement multi-factor authentication (Wapack Labs uses SaaSPass)
  • Restricted access to RDP (Port 3389)
  • Always keep systems and software up-to-date (always patch)
  • Use antivirus and antimalware solutions

For questions or comments regarding this report, please contact Wapack Labs at 603-606-1246, or feedback@wapacklabs.com


[1] https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/samsam-ransomware-chooses-its-targets-carefully-wpna.aspx

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!

Join Red Sky Alliance