Ransomware Attack Makes a Haul

Tuesday, December 13, 2016 @ 04:12 PM gHale

Does crime pay? If you ask the bad guys behind one ransomware attack, they might answer in the affirmative.

That is because they hauled in $450,000 for the ransomware called Samas or SamSa, said researchers at Palo Alto Networks.

Ransomware Switches Extension
Agile Botnet Shifts to New Ransomware
SF Metro Victim of Ransomware
Ransomware Decryptor Releases

The malware came to light this past March, but its origins go back to the fourth quarter of 2015 when Microsoft discovered the ransomware required additional tools and components during deployment. The threat would make use of pen-testing/attack tools for a more targeted attack, researchers said.

The attackers have gone after the healthcare industry and the researchers said the attackers made $450,000 in ransom fees for the past year.

SamSa has a very small number of samples, but Palo Alto Networks researchers said given the type of targets the attackers go after, it can make sense. SamSa is only targeting specific organizations.

Active for around a year, the ransomware has seen a series of changes, some of which were intended to make analysis and reverse-engineering more difficult. During this time, the ransomware’s authors have used various internal .NET project names for SamSa, including Mikoponi, RikiRafael, showmehowto, gotohelldr, WinDir, among others.

Most of these modifications occurred after April, and they were accompanied by changes to the encrypted filename extensions appended to files after encryption took place. The format of the encrypted file header changed too, as well as the dropped helper HTML file that is used to provide victims with information on what happened to their files.

Initially estimated to have generated profits of $70,000, SamSa was later observed to have used 19 unique Bitcoin (BTC) addresses (they were associated with 24 unique samples). With 394 BTC in ransom payments received through 14 of these since March 24 and 213 BTC received before that date, the SamSa actors totalled 607 BTC over the past 12 months, which would amount to $450,000 at current exchange rates.

Leave a Reply

You must be logged in to post a comment.