A ransomware family named Samas or SamSa has earned nearly $450,000 in ransom payments for its creators, all of it within the past year, according to Palo Alto Networks researchers.
It was first discovered back in March this year, but its origins were traced back to the fourth quarter of 201. That is when Microsoft discovered that this ransomware required additional tools and components during deployment: the threat made use of pen-testing/attack tools for a more targeted attack, researchers discovered.
The SamSa actors have been targeting the healthcare industry with their attacks, and Palo Alto Networks researchers say that the actors made around $450,000 in ransom payments over the past 12 months. The estimate is based on the malware samples identified to date, which amount to 60 unique samples.
Compared to more common ransomware such as Locky, Cerber, and CryptoMix, SamSa has a very small number of samples, but Palo Alto Networks explains that this makes perfect sense, given the type of targets this actor is after. While most ransomware families are looking to infect a large number of users to increase profits, SamSa only targets specific organisations.
Active for around a year, the ransomware has seen a series of changes, some of which were intended to make analysis and reverse-engineering more difficult. During this time, the ransomware’s authors have used various internal .NET project names for SamSa, including Mikoponi, RikiRafael, showmehowto, gotohelldr, WinDir, among others.
Most of these modifications occurred after April, and they were accompanied by changes to the encrypted filename extensions that are appended to files after encryption took place. The format of the encrypted file header was changed too, as well as the dropped helper HTML file that is used to provide victims with information on what happened to their files.