Samas Ransomware Gang Made $450,000 in One Year: Analysis

The cybercriminals behind a piece of ransomware known as Samas or SamSa collected roughly $450,000 in ransom payments over the past year, according to Palo Alto Networks researchers.

The malware was first detailed in March this year, but its origins were traced back to the fourth quarter of 2015, when Microsoft found that the ransomware required additional tools and components during deployment. The operators rely on pen-testing and attack tools to carry out more targeted intrusions, researchers discovered.

The SamSa actors have been targeting the healthcare industry with their attacks, and Palo Alto Networks researchers estimate that they collected around $450,000 in ransom payments over the past 12 months. The estimate is based on the malware samples identified to date, which amount to 60 unique samples.

Compared to more common ransomware such as Locky, Cerber, and CryptoMix, SamSa has a very small number of samples, but Palo Alto Networks explains that this makes perfect sense, given the type of targets this actor is after. While most ransomware families seek to infect as many users as possible to increase profits, SamSa targets only specific organizations.

Active for around a year, the ransomware has seen a series of changes, some of which were intended to make analysis and reverse-engineering more difficult. During this time, the ransomware’s authors have used various internal .NET project names for SamSa, including Mikoponi, RikiRafael, showmehowto, gotohelldr, WinDir, among others.

Most of these modifications occurred after April, and they were accompanied by changes to the extension appended to encrypted files. The format of the encrypted file header changed too, as did the dropped HTML helper file that tells victims what happened to their files and how to pay.

Researchers also noticed that the name of the ransomware's temp folder has changed over time, that the malware uses the AES-128 algorithm to encrypt its embedded strings, and that it began obfuscating its internal PDB debug strings before, at one point, removing them altogether.


Initially estimated to have generated around $70,000, SamSa was later found to have used 19 unique Bitcoin (BTC) addresses across 24 unique samples. Fourteen of these addresses received 394 BTC in ransom payments since March 24, and a further 213 BTC were received before that date, so the SamSa actors are believed to have taken in a total of 607 BTC over the past 12 months, which amounts to roughly $450,000 at current exchange rates.
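The revenue figure above comes from linking the Bitcoin addresses embedded in each sample to the payments those addresses received, deduplicating addresses shared by several samples, and splitting the total at a cutoff date. The following Python is an added example of that tallying method and is not Palo Alto Networks' code; the sample-to-address mapping, the transaction records and the exchange rate are all constructed for illustration, and the cutoff is assumed to be March 24, 2016, since the article does not state the year.

```python
"""Estimate ransomware revenue from sample-embedded Bitcoin addresses.

Added example: the addresses, transactions and rate below are constructed,
not real SamSa data. In practice the SAMPLE_ADDRESSES map would be built
by extracting the payment address from each sample, and RECEIVED would be
pulled from a blockchain explorer for each unique address.
"""
from datetime import date
from decimal import Decimal, ROUND_HALF_UP

# Assumed cutoff: the article says "since March 24" without a year.
CUTOFF = date(2016, 3, 24)

# Constructed: which Bitcoin address each sample embeds. Several samples
# reuse the same address, so addresses must be deduplicated before summing.
SAMPLE_ADDRESSES = {
    "sample-01": "addr-A",
    "sample-02": "addr-A",
    "sample-03": "addr-B",
    "sample-04": "addr-C",
    "sample-05": "addr-C",
}

# Constructed: incoming transactions per address as (date, BTC received).
RECEIVED = {
    "addr-A": [(date(2016, 1, 10), Decimal("20")), (date(2016, 4, 2), Decimal("50"))],
    "addr-B": [(date(2016, 2, 1), Decimal("15"))],
    "addr-C": [(date(2016, 5, 20), Decimal("30.5"))],
    # Not referenced by any sample, so it must not count toward the total.
    "addr-D": [(date(2016, 6, 1), Decimal("9"))],
}


def unique_addresses(sample_addresses):
    """Deduplicate addresses shared by multiple samples."""
    return sorted(set(sample_addresses.values()))


def tally_payments(sample_addresses, received, cutoff):
    """Sum BTC received by sample-linked addresses before and on/after cutoff."""
    before = Decimal(0)
    after = Decimal(0)
    addresses_paid = 0
    for addr in unique_addresses(sample_addresses):
        txs = received.get(addr, [])
        if txs:
            addresses_paid += 1
        for tx_date, amount in txs:
            if tx_date < cutoff:
                before += amount
            else:
                after += amount
    return {
        "unique_addresses": len(unique_addresses(sample_addresses)),
        "addresses_with_payments": addresses_paid,
        "btc_before_cutoff": before,
        "btc_since_cutoff": after,
        "btc_total": before + after,
    }


def btc_to_usd(btc, usd_per_btc):
    """Convert a BTC amount at a given (assumed) exchange rate, rounded to whole dollars."""
    return (btc * usd_per_btc).quantize(Decimal("1"), rounding=ROUND_HALF_UP)


if __name__ == "__main__":
    summary = tally_payments(SAMPLE_ADDRESSES, RECEIVED, CUTOFF)
    for key, value in summary.items():
        print(f"{key}: {value}")
    # Assumed rate for illustration only.
    print("usd_total:", btc_to_usd(summary["btc_total"], Decimal("740")))
```

The dollar figure depends entirely on the exchange rate chosen at the time of the estimate, which is why the article's $450,000 is qualified as "at current exchange rates"; rerunning the same tally at a different rate yields a different headline number for the same 607 BTC.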

“In the past year, the SamSa actors have shown no sign of stopping their attacks. They’ve successfully compromised a number of organizations, and continue to reap significant rewards for their efforts. As the group continues to make money, it is unlikely we shall see them stop in the near future,” Palo Alto Networks’ Josh Grunzweig notes.

Related: Samas Ransomware Uses Pen Testing Tools for Delivery

Related: Cerber Ransomware-as-a-Service Generates $2.3 Million Annually: Report

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
