Sophos Releases In-Depth Report on Atypical SamSam Ransomware

Sophos announced the publication of a detailed report on the notorious SamSam ransomware threat at Black Hat 2018. The 47-page report covers how the attacks began in 2016 and explores how SamSam targets victims in ways no previous ransomware attack had. It goes into depth on SamSam (so-named in its first known instance) and its minimalist, manual approach to victim targeting and compromise.

The report discusses how to defend against SamSam. This is essential, as the ransomware continues to evolve and become more sophisticated. The attacker appears to select targets carefully. Indeed, the ransom demanded of victims is increasing dramatically while the tempo of attacks is also picking up.

The report reveals that the SamSam attacker uses a variety of built-in Windows tools to escalate their privileges to administrator level, then scans the network for valuable targets. Their goal is to obtain credentials with enough privilege to copy the ransomware payload to every machine, servers and endpoints alike.

After the initial penetration, the attacker spreads the payload laterally across the network. At this stage SamSam is essentially a sleeper cell: it waits for the instruction to begin encrypting. Then, like a predator, the attacker goes on the offensive at night.

SamSam first encrypts a prioritized list of files and directories, then moves on to encrypt everything else. Unlike other ransomware threats, SamSam encrypts not only document files and work data but also the configuration and data files required to run applications such as Microsoft Office. This presents a difficult business-continuity challenge: victims who back up only documents and data will have to re-image machines to recover them.

The entire SamSam attack process is manual, which is highly unusual. Unlike virtually every other ransomware scenario, SamSam does not start with a phishing attack. Instead, the attacker breaks into a network endpoint through remote login tools such as Remote Desktop Protocol (RDP), or by exploiting operating system vulnerabilities. Weak or easily guessed passwords on those remote logins are a particular vulnerability.
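The RDP entry point described above lends itself to a straightforward detection. The following Python is an added example, not code from the Sophos report or from Sophos: it scans Windows Security log events (4625 failed logon, 4624 successful logon, logon type 10 = RemoteInteractive, i.e. RDP) for a burst of failures from one source address followed by a success from the same address, and notes whether that success landed after hours, since the report says the attacker works at night. The event records, the field names, and the threshold and window values are constructed assumptions for the example, not telemetry from any real incident.

```python
"""Flag RDP password guessing that ends in a successful logon.

Added example, not code from the Sophos report.  The event records below
are constructed for illustration and mimic the fields of Windows Security
events 4625 (failed logon) and 4624 (successful logon).  LogonType 10 is
RemoteInteractive, i.e. an RDP session.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10

# Constructed sample events (not real telemetry), roughly in time order.
SAMPLE_EVENTS = [
    # Six failed RDP logons from one external address in under a minute ...
    {"time": "2018-03-10T02:14:01", "id": 4625, "logon_type": 10, "user": "administrator", "ip": "203.0.113.7"},
    {"time": "2018-03-10T02:14:09", "id": 4625, "logon_type": 10, "user": "administrator", "ip": "203.0.113.7"},
    {"time": "2018-03-10T02:14:17", "id": 4625, "logon_type": 10, "user": "admin", "ip": "203.0.113.7"},
    {"time": "2018-03-10T02:14:25", "id": 4625, "logon_type": 10, "user": "administrator", "ip": "203.0.113.7"},
    {"time": "2018-03-10T02:14:33", "id": 4625, "logon_type": 10, "user": "admin", "ip": "203.0.113.7"},
    {"time": "2018-03-10T02:14:41", "id": 4625, "logon_type": 10, "user": "administrator", "ip": "203.0.113.7"},
    # ... followed by a success from the same address: a guess landed.
    {"time": "2018-03-10T02:15:30", "id": 4624, "logon_type": 10, "user": "administrator", "ip": "203.0.113.7"},
    # A console logon failure (LogonType 2) is not RDP and is ignored.
    {"time": "2018-03-10T08:55:00", "id": 4625, "logon_type": 2, "user": "jdoe", "ip": "-"},
    # A user mistyping a password once, then logging in: normal behaviour.
    {"time": "2018-03-10T09:00:00", "id": 4625, "logon_type": 10, "user": "jdoe", "ip": "10.0.0.5"},
    {"time": "2018-03-10T09:00:20", "id": 4624, "logon_type": 10, "user": "jdoe", "ip": "10.0.0.5"},
]


def is_after_hours(t, start=22, end=6):
    """True between 22:00 and 06:00 local time (assumed working hours)."""
    return t.hour >= start or t.hour < end


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=15)):
    """Return one alert per source IP whose RDP logon succeeds after at least
    `threshold` failed RDP logons from that same IP inside `window`."""
    failures = defaultdict(deque)     # ip -> timestamps of recent failures
    tried_users = defaultdict(set)    # ip -> usernames attempted from that ip
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        t = datetime.fromisoformat(ev["time"])
        ip = ev["ip"]
        recent = failures[ip]
        while recent and t - recent[0] > window:   # expire failures outside the window
            recent.popleft()
        if ev["id"] == 4625:
            recent.append(t)
            tried_users[ip].add(ev["user"])
        elif ev["id"] == 4624:
            if len(recent) >= threshold:
                alerts.append({
                    "ip": ip,
                    "user": ev["user"],
                    "failures": len(recent),
                    "usernames": sorted(tried_users[ip]),
                    "first_failure": recent[0].isoformat(),
                    "success": t.isoformat(),
                    "after_hours": is_after_hours(t),
                })
            # A success, alerted or not, closes the current guessing run.
            recent.clear()
            tried_users[ip].clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the single alert names 203.0.113.7, six failures across two usernames, and an after-hours success. The per-IP sliding window keeps a legitimate user's one or two typos below the threshold; tune `threshold` and `window` against your own baseline of 4625 volume before relying on it.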

Key Findings of the report:

  • SamSam has earned over US $5.9 Million for its creator(s) since late 2015.
  • 74% of the known SamSam victims are US-based. Other regions affected include the UK, Canada and the Middle East.
  • $64,000 is the largest ransom paid by an individual SamSam victim.
  • Targets include medium- to large-sized public sector organizations in healthcare, education, and government. However, these account for only about 50% of the total number of identified victims; the rest are private sector entities that have been largely silent about the attacks.

To download the report, visit

Photo Credit: wuestenigel Flickr via Compfight cc