SamSam Ransomware Has Raised $6 Million

Criminals have found ransomware to be a reliable money-making strategy because victims can be pressured into paying, and SamSam is the latest example of that strategy working. A new study estimates that SamSam has earned its operators around $6 million in ransom payments.

SamSam Ransomware Has Raised $6 Million As Ransom

For some time, the operators of SamSam have used it in a series of high-profile attacks accompanied by large ransom demands. The malware itself is not especially exotic; what makes the campaign effective is the careful, hands-on way each intrusion is run, which leaves victims with few options other than paying.

An ongoing study by Sophos of SamSam estimates that the ransomware has generated around $6 million for its operators, which the researchers describe as an unusually large sum for a single ransomware family. Given the combination of relatively simple tooling and high-profile victims, Sophos set out to document in detail how the attacks work and what makes them so effective.

SamSam has mostly targeted medium-to-large organizations, the majority of them in the United States, with further victims in the UK, Canada, and the Middle East. The pattern suggests the attackers deliberately pick targets that can afford to pay large ransoms.

The largest ransom SamSam is known to have extracted from a single victim is $64,000.

How Does It Work?

As described in the report, a SamSam attack proceeds in six steps. The attackers first identify a target and find a weakness that gives them a foothold; in recent attacks the entry point has been brute-forcing Windows Remote Desktop Protocol (RDP) accounts exposed to the internet. Once inside, they use standard hacking tools to obtain a domain user account and then escalate to domain administrator. They are willing to wait days for a domain admin to log in: a compromised machine keeps running the credential-harvesting tool Mimikatz, so the administrator's credentials are captured as soon as that account authenticates to the machine.

With domain admin rights in hand, the attackers push the ransomware to machines across the network using a legitimate Windows administration tool rather than any self-spreading worm or virus component.

“The attacker’s preferred deployment tool is the Sysinternals PsExec application, which the attacker uses to copy files across the network. The attacker has been known to use other deployment tools in situations where PsExec is blocked. In one recent attack, they were seen switching to a similar tool called PaExec from PowerAdmin.”

Sophos explained the reason behind this strategy in their report.

“This method has several benefits. As a manual attack, it poses no risk of spreading out of control, attracting unwanted attention. It also allows the attacker to cherry pick targets, and to know which computers have been encrypted.”

In the final step, the attackers execute the ransomware on the machines they have chosen and wait for the victim to pay.
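Two stages of the chain just described leave traces in ordinary Windows event logs: the RDP brute force (a burst of failed logons followed by a success from the same address) and the PsExec/PaExec deployment (a service-install record on each target). The detection sketch below is an added example, not code from the article or from the Sophos report. It runs over constructed sample events; the dict field names, the event values, and the thresholds are assumptions of this example.

```python
"""
Added detection example for the SamSam intrusion chain described above.
It flags two stages a defender can see in Windows event logs:
  1. RDP brute force: a burst of failed logons (Security 4625) from one source
     address, followed by a successful RemoteInteractive logon (Security 4624,
     LogonType 10) from that same address.
  2. Ransomware deployment with PsExec or PaExec: a service-install record
     (System 7045) whose service name or image path matches those tools.
All events below are CONSTRUCTED samples, flattened to dicts the way a SIEM
export might present them; the field names are this example's own assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# LogonType values as recorded by the Windows Security log.
NETWORK, REMOTE_INTERACTIVE = 3, 10
# Default service names/images left behind by PsExec and PaExec. An attacker
# can rename them (psexec -r), so treat a match as a strong but not exhaustive signal.
PSEXEC_MARKERS = ("psexesvc", "paexec")


def _event(ts, eid, **fields):
    """Build one constructed event record (not real telemetry)."""
    return {"ts": ts, "id": eid, **fields}


# Constructed sample: 12 failed logons in under a minute from 203.0.113.7,
# then a successful RDP logon from the same address; a benign two-failure
# typo from 198.51.100.5; and three service installs, two of them PsExec-family.
SAMPLE_EVENTS = (
    [_event(f"2018-07-30T02:00:{5 * i:02d}", 4625, logon_type=NETWORK,
            src="203.0.113.7", user="administrator") for i in range(12)]
    + [_event("2018-07-30T02:01:10", 4624, logon_type=REMOTE_INTERACTIVE,
              src="203.0.113.7", user="administrator")]
    + [_event(f"2018-07-30T08:15:0{i}", 4625, logon_type=REMOTE_INTERACTIVE,
              src="198.51.100.5", user="jdoe") for i in range(2)]
    + [_event("2018-07-30T08:15:30", 4624, logon_type=REMOTE_INTERACTIVE,
              src="198.51.100.5", user="jdoe")]
    + [_event("2018-07-30T02:40:00", 7045, host="DC01",
              service_name="PSEXESVC", image_path=r"%SystemRoot%\PSEXESVC.exe"),
       _event("2018-07-30T02:41:00", 7045, host="FS01",
              service_name="PAExec-4120-DC01", image_path=r"C:\Windows\PAExec-4120-DC01.exe"),
       _event("2018-07-30T03:00:00", 7045, host="WS07",
              service_name="Spooler", image_path=r"C:\Windows\System32\spoolsv.exe")]
)


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def detect_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=10)):
    """Return {source_ip: success_event} for every source that accumulated
    `threshold` failed logons within `window` and then logged on over RDP.

    Failures are counted for LogonType 3 as well as 10: with Network Level
    Authentication enabled, a rejected RDP password is recorded as a type-3
    (network) failure rather than a type-10 one.
    """
    failures = defaultdict(list)  # src -> timestamps of recent 4625s
    hits = {}
    for e in sorted(events, key=_ts):
        src, t = e.get("src"), _ts(e)
        if e["id"] == 4625 and e.get("logon_type") in (NETWORK, REMOTE_INTERACTIVE):
            failures[src] = [x for x in failures[src] if t - x <= window] + [t]
        elif e["id"] == 4624 and e.get("logon_type") == REMOTE_INTERACTIVE:
            recent = [x for x in failures[src] if t - x <= window]
            if len(recent) >= threshold and src not in hits:
                hits[src] = e
    return hits


def detect_psexec_service_installs(events):
    """Return the System 7045 events whose service name or image path
    points at PsExec (PSEXESVC) or PaExec (PAExec-<pid>-<host>)."""
    found = []
    for e in events:
        if e["id"] != 7045:
            continue
        blob = f"{e.get('service_name', '')} {e.get('image_path', '')}".lower()
        if any(marker in blob for marker in PSEXEC_MARKERS):
            found.append(e)
    return found


if __name__ == "__main__":
    for src, ev in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"RDP brute force then success: {src} as {ev['user']} at {ev['ts']}")
    for ev in detect_psexec_service_installs(SAMPLE_EVENTS):
        print(f"PsExec-family service on {ev['host']}: {ev['service_name']} -> {ev['image_path']}")
```

Two practical caveats: the 7045 record is written on the machine that received the service, so it only helps if System logs are collected centrally from workstations and servers, not just from domain controllers; and both detections key on defaults (the PSEXESVC name, a tight failure burst), so a patient attacker who renames the PsExec service or throttles the brute force will slip past them. Treat these as starting points to tune against your own logon volume rather than finished rules.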

Staying Protected From SamSam

SamSam gained notoriety through attacks on high-profile organizations including Allscripts and Adams Memorial Hospital, government bodies such as the City of Atlanta and the Colorado Department of Transportation, and Mississippi Valley State University. A number of private-sector victims have also been hit and have chosen not to disclose their incidents.

Because each intrusion is run by hand and the ransomware is only executed once the attackers hold domain administrator rights, they already control the network by the time anything is encrypted, and recovering without paying depends on having backups they could not reach. The practical defense is therefore prevention. Organizations should not expose RDP directly to the internet and should place remote access behind a VPN, restrict which accounts and source networks may use RDP at all, require multi-factor authentication for remote access, and enforce account lockout and strong passwords so that RDP brute-forcing does not succeed. Backups must be kept offline or otherwise out of reach of a compromised domain admin account, and restored from regularly to confirm they work.