SamSam Operators Make $325,000 in 4 Weeks

Numerous SamSam attacks over the past month or so have paid off to the ransomware’s operators, as they made over $325,000 in a short period of time, security researchers with Cisco Talos say.

Starting last month, the malware began targeting organizations across multiple industries, including government, healthcare and ICS, in a series of attacks that appear to be rather opportunistic in nature. The impact, however, reached beyond the compromised organizations themselves, especially in the healthcare sector, where patients were affected too.

On January 11, the ransomware hit Hancock Health, headquartered in Greenfield, Indiana, a hospital that ended up paying $55,000 to regain access to its files. Adams Memorial Hospital in Decatur, Indiana, and Allscripts, a major electronic health record (EHR) company headquartered in Chicago, IL (which confirmed to SecurityWeek that roughly 1,500 clients were impacted), were also hit by SamSam.

Other organizations were impacted as well, yet the security researchers still haven’t determined which infection vector the attackers used. In previous campaigns, SamSam operators compromised a machine within the network and then moved laterally to inject code and execute the ransomware.

In a report released in March last year, Javelin Networks explained that SamSam’s operators have been using stolen domain credentials to gain access to a host, then leveraging Active Directory for reconnaissance purposes, and later moving laterally through the network.

In 2016, SamSam was observed targeting vulnerable JBoss hosts, and Cisco believes that compromised RDP/VNC servers might have been used in the recent wave of attacks, allowing SamSam operators to obtain an initial foothold.

As part of the new attacks, string obfuscation and improved anti-analysis techniques were employed. The attackers used a loader to decrypt and execute an encrypted ransomware payload, a mechanism they have been employing since at least October 2017.

The loader, a simple .NET assembly with no obfuscation, searches for files with the extension .stubbin in its execution directory, as these contain SamSam’s encrypted payload. The loader appears derived from an example posted on the website.

The ransomware operators are believed to be deploying the malware manually. They also use symmetric encryption keys that are randomly generated for each file.

The actor behind the attacks was highly focused on preventing the forensic recovery of the malware sample itself and didn’t simply rely on obfuscating the running malware code. To reduce the chances of obtaining the payload for analysis, the password necessary for the loader to decrypt the payload is passed as a parameter.

Analysis of the code didn’t reveal an automated mechanism for contacting a Tor address hardcoded in the malware, and Cisco believes that matching a victim with the associated RSA private key is done manually or using another tool.

“The Tor onion service and the Bitcoin wallet address are hardcoded into the payload whilst the public key is stored in an external file with the extension .keyxml,” Cisco explains.
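The two file-name artefacts the article mentions, the encrypted payload (`.stubbin`) next to the .NET loader and the external public key file (`.keyxml`), are cheap things to hunt for on a suspected host. The following PowerShell is an added example written for this page, not code from Cisco Talos or from the article; the starting directories and the output format are assumptions, chosen so the listing can be fed into a triage spreadsheet.

```powershell
# Added example (not from the Talos report): hunt a Windows host for the
# SamSam artefacts named in the article. Roots are an assumption; widen
# them (or use the drive letters) for a full-disk sweep.
$roots = @('C:\Users', 'C:\ProgramData', 'C:\Windows\Temp')

$hits = foreach ($root in $roots) {
    if (Test-Path -LiteralPath $root) {
        # -Include needs -Recurse to apply to files below the root
        Get-ChildItem -Path $root -Recurse -Force -File `
            -Include '*.stubbin', '*.keyxml' -ErrorAction SilentlyContinue
    }
}

$report = foreach ($f in $hits) {
    # Record anything sitting in the same directory as the artefact: the
    # loader looks for *.stubbin in its own execution directory, so a small
    # .NET executable beside the payload is the pairing worth examining.
    $siblings = (Get-ChildItem -LiteralPath $f.DirectoryName -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll' } |
        Select-Object -ExpandProperty Name) -join ';'

    [pscustomobject]@{
        Path        = $f.FullName
        Bytes       = $f.Length
        WrittenUtc  = $f.LastWriteTimeUtc
        SHA256      = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        Executables = $siblings
    }
}

# Constructed output location; adjust for the case being worked.
$report | Export-Csv -LiteralPath 'C:\IR\samsam-artefacts.csv' -NoTypeInformation
$report | Format-Table -AutoSize
```

Run it from an elevated session so `-Force` can reach hidden and system-owned directories; the SHA-256 column is there so samples pulled from several hosts can be de-duplicated before they are shared with an analyst.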

The wallet employed in this campaign was used for multiple victims, and the security researchers discovered that the first payment into the wallet was received on December 25, 2017. However, there is a chance that other Bitcoin wallets are also used.

The Bitcoin wallet address received approximately 30.4 Bitcoin at the time of analysis, meaning that the SamSam operators made over $325,217.07 since December 25. Within its first year of operation, between 2015 and 2016, SamSam is believed to have made its operators $450,000 richer.

One thing that SamSam victims should keep in mind, however, is that the ransomware does not delete Volume Shadow Copies. It also works by creating an encrypted version of the targeted file and then deleting the original using the regular Windows API.

“Although unlikely, due to block overwriting, recovery of the original files from the versions of affected folders saved by the operating system may be possible,” Cisco says.
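Because the article notes that SamSam leaves Volume Shadow Copies in place and removes originals through the ordinary Windows API, the first recovery question on an affected host is simply whether any snapshots predate the encryption and what they still contain. The PowerShell below is an added example written for this page, not code from Cisco or the article; the victim directory it compares and the mount point are assumptions.

```powershell
# Added example: inventory surviving shadow copies, expose the newest one
# read-only through a directory symlink, and compare its file listing with
# the live directory. Work on a forensic image where possible; the symlink
# itself is a write to the live volume.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy |
    Sort-Object -Property InstallDate -Descending

$shadows | Select-Object ID, VolumeName, InstallDate, DeviceObject | Format-Table -AutoSize

if (-not $shadows) {
    Write-Output 'No shadow copies present on this host.'
    return
}

$latest    = $shadows | Select-Object -First 1
$mount     = 'C:\ShadowView'                 # assumed mount point
$victimDir = 'Users\victim\Documents'        # assumed directory to compare

# mklink requires the trailing backslash on the shadow device path.
if (-not (Test-Path -LiteralPath $mount)) {
    cmd /c mklink /d $mount "$($latest.DeviceObject)\" | Out-Null
}

$snapshotFiles = Get-ChildItem -LiteralPath (Join-Path $mount $victimDir) -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object { $_.FullName.Substring($mount.Length) }
$liveFiles     = Get-ChildItem -LiteralPath (Join-Path 'C:\' $victimDir) -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object { $_.FullName.Substring(2) }   # strip the "C:" prefix

# Files present in the snapshot but absent live are candidates for restoration;
# files present live but absent in the snapshot were created after the snapshot
# (on an infected host, typically the encrypted copies).
$diff = Compare-Object -ReferenceObject $snapshotFiles -DifferenceObject $liveFiles
$onlyInSnapshot = @($diff | Where-Object SideIndicator -eq '<=').Count
$onlyLive       = @($diff | Where-Object SideIndicator -eq '=>').Count

Write-Output ("Snapshot {0} taken {1}: {2} files recoverable only from snapshot, {3} files new since snapshot." -f
    $latest.ID, $latest.InstallDate, $onlyInSnapshot, $onlyLive)

# Remove the symlink when finished; the snapshot itself is untouched.
cmd /c rmdir $mount | Out-Null
```

The snapshot date is the number to check first: a copy created after the encryption run will already contain the encrypted versions, which is why the listing is sorted by `InstallDate` and the comparison counts files that exist only in the snapshot.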

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
