According to Palo Alto Networks researchers, a gang of cyber criminals has earned more than $450,000 by infecting organizations with the Samas ransomware over the past year.
The Samas ransomware was first recorded in March, when the FBI issued an alert about a wave of ransomware infections that hit several US companies, mainly in the healthcare sector.
A few days later, experts at the Microsoft Malware Protection Center published their first report on the Samas ransomware, also known as SamSam, Samsa, Kazi, or RDN/Ransom.
According to Microsoft, Samas wasn’t just a regular spray-and-pray ransomware, and its developers weren’t interested in mass infection campaigns.
The hackers were exploiting vulnerabilities in Java servers and weak RDP credentials in order to break into corporate networks and infect as many computers as possible, often installing the ransomware manually.
Usually, the cyber criminals were targeting big companies, and asking for huge ransoms from each victim, knowing they could push for more money compared to a regular Locky or CryptoWall infection. The bigger the company was and the more computers they infected, the more money the hackers demanded.
The Samas ransomware quickly spurred a wave of copycats, but the original version remained a real threat, with more and more infections each month. Nevertheless, the infections were not as frequent or common as those from ransomware families such as Locky or Cerber, which took the classic spam shotgun approach.
For example, based on statistics from ID Ransomware, Samas infections rarely reached five detections per day, while Locky and Cerber were well into the hundreds.
Last Friday, Palo Alto released a report stating that Samas ransomware was first registered about one year ago, and slowly ramped up its activity, as its creators were successful in their attacks.
For each attack, the hackers used a slightly different Samas version and often changed the Bitcoin address at which they requested ransom.
According to the researchers, the criminals have traced all of these addresses in advance. The Palo Alto team claims it was able to identify transactions totaling 607 Bitcoin across 19 different Bitcoin addresses.
Converted at today’s Bitcoin-dollar exchange rate, the gang behind Samas has made over $450,000 since launching its operation.
“As we can see, there is a large gap in between June and September of 2016,” the experts state. “This is most likely due to the sample set used during research, as there were only a few samples obtained in recent months.”