SamSa Ransomware Attacks – Encrypt your data and ask for money to unlock it

SamSa having very few samples when compared to other malware families like Cryptomix, Cerber and Locky. This is an byproduct which is targeting organisation instead of  Internet Users.

In last 12 months. it was completely evaluated by Author’s, to make analysis and reverse engineering difficult.While we classify all of these samples as “SamSa,” the attackers have used various names to identify their projects.

Following are the .NET project names that witnessed;

• samsam
• MIKOPONI
• RikiRafael
• showmehowto
• wanadoesme
• wanadoesme2
• gonomore
• gotohelldr
• WinDir

Profits

SamSa having confirmed profits of $70,000 for the threat actors, with estimates by other researchers as high as $115,000. SamSa ransomware executables often contain the Bitcoin Wallet address victims are supposed to use to pay the ransom.

This not only makes tracking monetary payments extremely difficult, but also is yet another example of how the SamSa actors take a very targeted approach to their victims, generating unique data for each victim they infect.

Of those 19 unique BTC addresses we observed since March 24th, 14 of these have received payments totaling roughly 394 BTC. Prior to March 24, 2016, we observed roughly 213 BTC received, giving us a total of 607 BTC received by the SamSa actors.

Using today’s current BTC rate of $744.43, this allows us to estimate that the attackers have obtained roughly $450,000 since their operations began.

Conclusion

In the past year, the SamSa actors have showed no sign in stopping their attacks. They’ve successfully compromised a number of organizations, and continue to reap significant rewards for their efforts.

In the past year alone, they’ve collected an estimated $450,000 from their scam. As the group continues to make money, it is unlikely we shall see them stop in the near future. Palo Alto Networks customers are protected from this threat via the following ways:

1. All malware is classified as malicious in WildFire.
2. Domains used by SamSa have been flagged as malicious in Threat Prevention.

A full list of indicators of compromise (IOCs) related to SamSa can be found here.