The cybercriminals behind a piece of ransomware known as Samas or SamSa collected roughly $450,000 in ransom payments over the past year, according to Palo Alto Networks researchers.
The malware was first detailed in March this year, but its origins were traced back to the fourth quarter of 2015, when Microsoft observed that the ransomware relied on additional tools and components during deployment. The threat made use of pen-testing/attack tools to carry out more targeted attacks, researchers found.
The SamSa actors have been targeting the healthcare industry with their attacks, and Palo Alto Networks researchers say the group collected around $450,000 in ransom payments over the past 12 months. The estimate is based on the malware samples identified to date, which amount to 60 unique samples.
Compared to more common ransomware such as Locky, Cerber, and CryptoMix, SamSa has a very small number of samples, but Palo Alto Networks explains that this makes perfect sense given the type of targets this actor is after. While most ransomware families look to infect a large number of users to increase profits, SamSa targets only specific organizations.
Active for around a year, the ransomware has seen a series of changes, some of which were intended to make analysis and reverse-engineering more difficult. During this time, the ransomware’s authors have used various internal .NET project names for SamSa, including Mikoponi, RikiRafael, showmehowto, gotohelldr and WinDir, among others.
Most of these modifications occurred after April, and they were accompanied by changes to the filename extensions appended to files once encryption has taken place. The format of the encrypted file header was changed too, as was the dropped helper HTML file used to tell victims what happened to their files.
Researchers also noticed that the ransomware’s temp folder has had different names over time, that it used the AES-128 algorithm for the encryption of embedded strings, and that it even started using obfuscation for internal PDB debug strings. At one point in time, however, the internal PDB debug strings were removed altogether.
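The PDB debug string and .NET project name changes described above are the kind of static artifact an analyst checks first when triaging a new sample. The following is an added example, not code from the article or from Palo Alto Networks: it locates the CodeView "RSDS" record that carries a PE file's PDB path, checks whether the path contains one of the project names the article lists, and notes when no PDB record is present at all (which, given that the authors at one point removed the debug strings, is itself a triage observation). The byte blobs it runs on are constructed stand-ins for a PE image, not real binaries, and the verdict labels are this example's own.

```python
"""Static triage helper (added example; not from the article or Palo Alto Networks).

Extracts the PDB path from a PE-style byte blob via the CodeView RSDS record and
flags SamSa project names the article reports. Inputs below are constructed.
"""
import re
import struct
from typing import Dict, List

# Internal .NET project names the article reports for SamSa builds.
KNOWN_PROJECT_NAMES = ["Mikoponi", "RikiRafael", "showmehowto", "gotohelldr", "WinDir"]

# CodeView RSDS record layout: b"RSDS" + 16-byte GUID + 4-byte age + NUL-terminated path.
_RSDS = re.compile(
    rb"RSDS(?P<guid>.{16})(?P<age>.{4})(?P<path>[^\x00]{1,512})\x00", re.DOTALL
)

# "BSJB" is the signature of the CLR metadata header present in .NET assemblies.
_CLR_METADATA_SIG = b"BSJB"


def extract_pdb_paths(image: bytes) -> List[str]:
    """Return every PDB path embedded as an RSDS CodeView record, in file order."""
    return [m.group("path").decode("latin-1") for m in _RSDS.finditer(image)]


def classify(image: bytes) -> Dict[str, object]:
    """Summarise PDB-related indicators for one sample.

    verdict values (this example's own labels):
      "no-pdb"             -> no RSDS record found (stripped or obfuscated build)
      "known-project-name" -> a PDB path contains a listed SamSa project name
      "pdb-present"        -> PDB path present but matches none of the names
    """
    paths = extract_pdb_paths(image)
    matches = list(dict.fromkeys(  # de-duplicate while keeping order
        name for p in paths for name in KNOWN_PROJECT_NAMES if name.lower() in p.lower()
    ))
    if not paths:
        verdict = "no-pdb"
    elif matches:
        verdict = "known-project-name"
    else:
        verdict = "pdb-present"
    return {
        "dotnet": _CLR_METADATA_SIG in image,
        "pdb_paths": paths,
        "matches": matches,
        "verdict": verdict,
    }


def build_sample(pdb_path: bytes, dotnet: bool = True) -> bytes:
    """Construct a toy byte blob standing in for a PE image (NOT a real binary).

    It only needs enough structure for the checks above: an "MZ" prefix, an optional
    CLR metadata signature, and one RSDS record with a fixed GUID and age of 1.
    """
    rsds = b"RSDS" + bytes(range(16)) + struct.pack("<I", 1) + pdb_path + b"\x00"
    return (
        b"MZ" + b"\x00" * 32
        + (_CLR_METADATA_SIG if dotnet else b"")
        + b"\x00" * 8 + rsds + b"\x00" * 16
    )


if __name__ == "__main__":
    # Constructed samples: one carrying a listed project name, one with an unrelated
    # path, and one with no debug record at all.
    for label, blob in [
        ("mikoponi-build", build_sample(b"C:\\Users\\dev\\Mikoponi\\obj\\Release\\Mikoponi.pdb")),
        ("unrelated-build", build_sample(b"C:\\build\\HelloWorld.pdb")),
        ("stripped-build", b"MZ" + b"\x00" * 64),
    ]:
        print(label, classify(blob))
```

A real sample would be read from disk (`open(path, "rb").read()`) and passed to `classify`; because the PDB path is a plain string in the file, scanning the whole image with the regex works without parsing the PE debug directory, at the cost of also matching RSDS records embedded inside resources or overlays.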
Initially estimated to have generated profits of $70,000, SamSa was later observed to have used 19 unique Bitcoin (BTC) addresses (associated with 24 unique samples). With 394 BTC in ransom payments received through 14 of these addresses since March 24 and 213 BTC received before that date, the SamSa actors are believed to have made a total of 607 BTC over the past 12 months, which amounts to $450,000 at current exchange rates.
“In the past year, the SamSa actors have shown no sign of stopping their attacks. They’ve successfully compromised a number of organizations, and continue to reap significant rewards for their efforts. As the group continues to make money, it is unlikely we shall see them stop in the near future,” Palo Alto Networks’ Josh Grunzweig notes.
Related: Samas Ransomware Uses Pen Testing Tools for Delivery
Related: Cerber Ransomware-as-a-Service Generates $2.3 Million Annually: Report

Author: Ionut Arghire