Samas Ransomware Gang Made $450,000 in One Year Analysis

The cybercriminals behind a piece of ransomware known as Samas or SamSa collected roughly $450,000 in ransom payments over the past year, according to Palo Alto Networks researchers.

The malware was initially detailed in March this year, but its origins were traced back to the fourth quarter of 2015 when Microsoft discovered that the ransomware required additional tools and components during deployment. The threat would make use of pen-testing/attack tools for a more targeted attack, researchers discovered.

The SamSa actors have been targeting the healthcare industry with their attacks, and Palo Alto Networks researchers say that they made around $450,000 in ransom payments over the past 12 months. The estimation is based on the malware samples that have been identified to date, which amount to 60 unique samples.

Compared to more common ransomware such as Locky, Cerber, and CryptoMix, SamSa has a very small number of samples, but Palo Alto Networks explains that this makes perfect sense, given the type of targets this actor is after. While most ransomware families are looking to infect a large number of users to increase profits, SamSaonly is only targeting specific organizations.

Active for around a year, the ransomware has seen a series of changes, some of which were intended to make analysis and reverse-engineering more difficult. During this time, the ransomware’s authors have used various internal .NET project names for SamSa, including Mikoponi, RikiRafael, showmehowto, gotohelldr, WinDir, among others.

Most of these modifications occurred after April, and they were accompanied by changes to the encrypted filename extensions that are appended to files after encryption took place. The format of the encrypted file header was changed too, as well as the dropped helper HTML file that is used to provide victims with information on what happened to their files.

Researchers also noticed that the ransomware’s temp folder has had different names over time, that it used the AES-128 algorithm for the encryption of embedded strings, and that it even started using obfuscation for internal PDB debug strings. At one point in time, however, the internal PDB debug strings were removed altogether.

Initially estimated to have generated profits of $70,000, SamSa was later observed to have used 19 unique Bitcoin (BTC) addresses (they were associated with 24 unique samples). With 394 BTC in ransom payments received through 14 of these since March 24 and 213 BTC received before that date, the SamSa actors are believed to have made an outstanding total of 607 BTC over the past 12 months, which would amount to $450,000 at current exchange rates.

“In the past year, the SamSa actors have showed no sign in stopping their attacks. They’ve successfully compromised a number of organizations, and continue to reap significant rewards for their efforts. As the group continues to make money, it is unlikely we shall see them stop in the near future,” Palo Alto Networks’ Josh Grunzweig notes.

Related: Samas Ransomware Uses Pen Testing Tools for Delivery

Related: Cerber Ransomware-as-a-Service Generates $2.3 Million Annually: Report