If you haven’t heard of the SamSam ransomware there could be several reasons why. First of, it doesn’t infect that many devices. The GandCrab campaign, for example, infected over 50000 targets within a short period of time while SamSam infects target at a rate of one per day. Second, it’s not very loud with targets being carefully curated and chosen. However, this second reason is also the primary one for why you should be aware: SamSam simply doesn’t act like other ransomware.


While most ransomware spread in large and uncoordinated campaigns, targeting victims in the thousands for generally small sums, SamSam does quite the opposite: Deliberate and careful attacks on chosen targets with ransoms in the thousands. Even if the attacks first appeared in 2015 the slim infection rate has led to equally slim details surfacing, until now.

Sophos unveiling SamSam

Cybersecurity firm Sophos recently released an in-depth report on the notorious SamSam attacks, dubbing them “a new breed of ransomware”. Within the report it is revealed that the attackers are earning nearly $300 000 per month with a total estimate of $5.9 million.

One of the most infamous targets of the SamSam attacks was the city of Atlanta. Several municipial systems crashed completely and a $50 000 ransom was demanded. However, the downtime of important systems was a far greater cost.  Other targets include not only public sector organisations and businesses but private entities. The large scope of targets and methodical, deliberate infections appear to be the cause of their “success”.

APT tactics in ransomware

But what about the infections? While the ransomware used isn’t that sophisticated it is the preparations done that takes skill. The attackers find their way in through exploits or bruteforcing and proceed to map out the network. There they reside until the time is right. In one case it was found the attackers had been waiting 60 days before unleashing the ransomware.

In most cases even the local time of the target is taken into consideration: Only unleashing the ransomware at night. These kinds of approaches are generally seen in advanced persistent threats and not ransomware.

“This is controlled via a small group of people, it’s manually deployed on a victim’s network after they’ve hacked their way in, which is quite different to the majority of ransomware”, Peter Mackenzie, global malware escalations manager of Sophos stated.

What does the future hold & how to protect yourself

When it comes to the future of SamSam, it doesn’t seem to be getting brighter.

The skills have definitely improved. How they hide who they are, how they hide what their code is doing, making it harder to get hold of sample files is stuff they’ve been improving constantly .. We can only assume the way they’re deploying the ransomware is going to become more efficient and more hidden.”, Mackenzie stated.

Sophos recommendations for securing yourself can be found within either their report or a separate blog post. The main take away is to keep your systems updated, which wasn’t the case in the Atlanta attack.