The cybercriminals behind the SamSa ransomware variant have reportedly extorted at least $450,000 from businesses and consumers over the past 12 months, according to a recent report from Palo Alto Networks' Unit 42 team.
Researchers calculated the cybercriminals' minimum earnings by monitoring the Bitcoin wallet addresses used by the attackers: Palo Alto Networks observed payments totalling 607 Bitcoin to those addresses.
However, the actual earnings are likely to be considerably higher. Palo Alto Networks does not believe it has tracked every payment: ransomware gangs take steps to hide their activity, and it is unlikely that every sample of the ransomware (and therefore every payment address) has been captured. To date, Palo Alto Networks has captured 24 unique variants of the ransomware; there are undoubtedly more.
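The counting method described above, as an added illustration rather than Unit 42's own code: pull the payment address out of each captured sample's ransom note, then sum the Bitcoin paid into those addresses by outsiders. Every address, ransom note and transaction record below is constructed, the USD rate is an assumed constant, and the record layout (`txid`, `inputs`, `outputs`) is a stand-in for whatever a block explorer API would return. The example also shows why the figure is a lower bound: adding the address from a newly captured sample raises the estimate.

```python
"""Lower-bound ransom revenue from a watchlist of attacker Bitcoin addresses.

Added example for this article, not Unit 42's code. Every address, transaction
and the USD rate below is constructed or assumed for illustration.
"""
import re
from decimal import Decimal

# Constructed addresses: syntactically valid legacy base58 strings, NOT real wallets.
ADDR_A = "1RansomAddrAAAAAAAAAAAAAAAAAAAA"   # from sample A's ransom note
ADDR_B = "3RansomAddrBBBBBBBBBBBBBBBBBBBB"   # from sample B's ransom note
VICTIM_1 = "1VictimAddrCCCCCCCCCCCCCCCCCCCC"
VICTIM_2 = "1VictimAddrDDDDDDDDDDDDDDDDDDDD"
EXCHANGE = "1ExchangeAddrEEEEEEEEEEEEEEEEEE"

# Constructed ransom notes, one per captured sample.
RANSOM_NOTE_A = f"To get your files back send 1.5 BTC to {ADDR_A} within 7 days."
RANSOM_NOTE_B = f"Send 22 BTC to {ADDR_B} and email us for the key."

# Legacy P2PKH/P2SH addresses: '1' or '3' followed by 25-34 base58 characters
# (base58 has no 0, O, I or l). Good enough to pull addresses out of note text.
BTC_ADDRESS_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")

# Constructed transaction records, deliberately including a duplicate record,
# an attacker-internal move and a cash-out, all of which must not be counted.
TRANSACTIONS = [
    {"txid": "tx01", "inputs": [VICTIM_1],
     "outputs": [(ADDR_A, Decimal("1.5")), (VICTIM_1, Decimal("0.2"))]},  # ransom + change
    {"txid": "tx02", "inputs": [VICTIM_2],
     "outputs": [(ADDR_B, Decimal("22"))]},                                 # second victim
    {"txid": "tx01", "inputs": [VICTIM_1],
     "outputs": [(ADDR_A, Decimal("1.5")), (VICTIM_1, Decimal("0.2"))]},  # same tx seen twice
    {"txid": "tx03", "inputs": [ADDR_A],
     "outputs": [(ADDR_B, Decimal("1.49"))]},                               # attacker consolidates
    {"txid": "tx04", "inputs": [ADDR_B],
     "outputs": [(EXCHANGE, Decimal("23.4"))]},                             # attacker cashes out
]


def addresses_from_note(note):
    """Extract candidate Bitcoin addresses from ransom-note text."""
    return set(BTC_ADDRESS_RE.findall(note))


def minimum_earnings(transactions, watchlist):
    """Sum BTC paid INTO watchlist addresses by non-watchlist parties.

    Deduplicates by txid and skips transactions funded entirely by watchlist
    addresses: those are the attacker shuffling or cashing out coins that were
    already counted when the victim paid them.
    """
    seen = set()
    total = Decimal(0)
    for tx in transactions:
        if tx["txid"] in seen:
            continue
        seen.add(tx["txid"])
        if all(addr in watchlist for addr in tx["inputs"]):
            continue
        for addr, amount in tx["outputs"]:
            if addr in watchlist:
                total += amount
    return total


def estimate(notes, transactions, usd_per_btc):
    """Build the watchlist from captured samples; return (watchlist, BTC, USD)."""
    watchlist = set().union(*(addresses_from_note(n) for n in notes))
    btc = minimum_earnings(transactions, watchlist)
    usd = (btc * usd_per_btc).quantize(Decimal("0.01"))
    return watchlist, btc, usd


if __name__ == "__main__":
    rate = Decimal("740")  # assumed USD/BTC rate, illustration only
    for notes in ([RANSOM_NOTE_A], [RANSOM_NOTE_A, RANSOM_NOTE_B]):
        watchlist, btc, usd = estimate(notes, TRANSACTIONS, rate)
        print(f"{len(watchlist)} address(es) known: at least {btc} BTC (~${usd})")
```

With only sample A captured the estimate is 1.5 BTC; capturing sample B adds its address and the same transaction set now yields 23.5 BTC. The internal move (tx03) and cash-out (tx04) are excluded because every input is an attacker address, and the duplicate tx01 record is counted once; a naive sum over all outputs to known addresses would overstate revenue.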
The figures give some indication of how profitable ransomware is, and why cybercriminals are conducting ransomware attacks with increasing frequency. A recent IBM Security ransomware survey found that in the majority of cases, businesses hit by ransomware end up paying their attackers for the keys needed to decrypt their files.
Ransomware is most commonly spread through indiscriminate spam email campaigns involving many hundreds of thousands, if not millions, of emails. It is also delivered by drive-by downloads and exploit kits hosted on malicious websites, and through malicious adverts (malvertising) placed on popular legitimate sites. Those adverts are served via third-party ad networks, and some can infect visitors with no interaction beyond loading the page.
Samsa ransomware, also known as SamSam, Samas, and Mokoponi, has been used not only in ‘spray and pray’ attacks but also by attackers who have already gained access to a business network. Once inside, and often after data has been exfiltrated, the attackers deploy the ransomware, typically once they have determined that no further useful data can be gathered: the ransomware is a malicious parting gift.
Samsa has not been in operation for long. It was first identified in December 2015, but in that short time it has caused considerable disruption. It has been used in targeted attacks on the healthcare industry and was the ransomware involved in the attack on MedStar Health in March 2016. In that instance the cybercriminals did not get a payday, but the infection caused major disruption and still left the health system with considerable remediation costs.
Unfortunately, Samsa infections are likely to continue. The criminals behind the ransomware are constantly redeveloping it to evade detection by antimalware solutions, and to date none of the Samsa variants has been cracked, so victims have no free decryptor for their files.