The SamSam ransomware has been active for over a year now, and in its latest attacks its operators have raised the ransom demand to $33,000.
Unlike most ransomware families, SamSam is not distributed through automated tools such as exploit kits or spam botnets. Instead, the malware is installed on vulnerable systems through manual compromise. Once one computer in a network is breached, however, the malware can easily spread to the other machines on that network.
According to AlienVault’s Chris Doman, the SamSam operators use the remote desktop protocol (RDP), web shells and batch scripts to compromise networks and deploy the malware on every computer.
SamSam is written in C#, and the researchers say that the latest versions show no changes at all compared with earlier samples.
According to the researchers, the malware targets over 300 file types for encryption on compromised machines and uses the functions encc.myff1 and encc.EncryptFile to perform it.
The latest SamSam attacks follow the same pattern as the previous campaigns, but the ransom demanded is now higher. The operators demand 1.7 Bitcoin (over $4,500) to decrypt a single computer, 6 Bitcoin (over $16,000) to decrypt the data on half of the computers, and 12 Bitcoin (around $33,000) to restore the files on all of the infected systems.
“In addition, the group behind SamSam charges very high ransoms because of the amount of effort invested in their operations, which made them the subject of two FBI Alerts last year,” the researchers state.
AlienVault says that the attacks tend to arrive in waves, reflecting the operators’ activity.
A recent SamSam incident involved a New York hospital that refused to pay a $44,000 ransom demanded in April this year.
“The most recent attacks appear to have been successful, at least from the attacker’s point of view. The Bitcoin address associated with this week’s attacks has received $33,000,” Doman states.
When SamSam encrypts a file, it deletes the original and leaves the encrypted copy in its place. Because the malware does not wipe the disk sectors the deleted file occupied, victims may still be able to recover some or all of the original data.
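The recovery opportunity described above is a consequence of how deletion normally works: unlinking a file removes its directory entry, not the blocks holding its content. The following Python example, added here and not taken from the article or from SamSam itself, makes that concrete on a toy in-memory disk. It writes a plaintext document, mimics the article's "write encrypted copy, then delete the original" sequence (random bytes stand in for the ciphertext, and the `.encrypted` suffix, the block size and the sample document are all constructed for the example), and then carves the original back out of the raw image by header/footer signature, ignoring the directory entirely. A `wipe_first` switch shows the contrasting case where the original blocks are overwritten before deletion, which is when carving finds nothing; blocks reused by later writes are likewise lost, which is why the article says "some part" of the data.

```python
import os

BLOCK_SIZE = 64  # constructed block size for the toy disk

# Constructed sample document with a recognisable header and footer.
SAMPLE_DOCUMENT = b"%PDF-1.4 " + b"constructed sample report text. " * 5 + b"%%EOF"


class ToyDisk:
    """In-memory block device: a list of fixed-size blocks plus a directory
    that maps file names to the blocks they occupy."""

    def __init__(self, n_blocks):
        self.blocks = [bytes(BLOCK_SIZE)] * n_blocks
        self.directory = {}

    def free_blocks(self):
        used = {b for idx in self.directory.values() for b in idx}
        return [i for i in range(len(self.blocks)) if i not in used]

    def write(self, name, data):
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        free = self.free_blocks()
        if len(chunks) > len(free):
            raise OSError("disk full")
        idx = free[:len(chunks)]
        for i, chunk in zip(idx, chunks):
            self.blocks[i] = chunk.ljust(BLOCK_SIZE, b"\0")
        self.directory[name] = idx

    def delete(self, name):
        # Like a normal unlink: only the directory entry disappears. The
        # block contents stay on disk until some later write reuses them.
        del self.directory[name]

    def image(self):
        return b"".join(self.blocks)


def replace_with_ciphertext(disk, name, wipe_first=False):
    """Mimic the file replacement the article describes: an encrypted copy is
    written as a new file, then the original is deleted. Random bytes stand in
    for the ciphertext because its content is irrelevant to recovery.
    wipe_first=True overwrites the original blocks before deleting, which is
    the behaviour the article says SamSam does NOT have."""
    original_blocks = disk.directory[name]
    # Write the copy first so it lands on other free blocks, not the original's.
    disk.write(name + ".encrypted", os.urandom(len(original_blocks) * BLOCK_SIZE))
    if wipe_first:
        for i in original_blocks:
            disk.blocks[i] = bytes(BLOCK_SIZE)
    disk.delete(name)


def carve(image, header, footer):
    """Signature-based carving over the raw image: find a header, then the
    first footer after it, and return that span. No directory metadata is
    consulted, which is how unallocated-space recovery finds deleted files."""
    start = image.find(header)
    if start < 0:
        return None
    end = image.find(footer, start)
    if end < 0:
        return None
    return image[start:end + len(footer)]


def demo(wipe_first=False):
    """Run the full sequence and return whatever carving recovers."""
    disk = ToyDisk(n_blocks=16)
    disk.write("report.pdf", SAMPLE_DOCUMENT)
    replace_with_ciphertext(disk, "report.pdf", wipe_first=wipe_first)
    assert "report.pdf" not in disk.directory  # plaintext entry is gone
    return carve(disk.image(), b"%PDF-", b"%%EOF")


if __name__ == "__main__":
    print("recovered without wipe:", demo() == SAMPLE_DOCUMENT)      # True
    print("recovered after wipe:  ", demo(wipe_first=True) is not None)  # False
```

Real file systems differ in allocation strategy and journaling, and real carving tools handle fragmentation and many signatures, but the defender's takeaway is the same: image the affected disk before anything else writes to it, because every subsequent write can reuse the blocks that still hold the plaintext.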