Slashdot Mirror


SamSam Ransomware Crew Made Nearly $6 Million From Ransom Payments (bleepingcomputer.com)

The SamSam ransomware, which was used in the attack on the city of Atlanta earlier this year, has earned its creator(s) more than $5.9 million in ransom payments since late 2015, BleepingComputer reported Tuesday, citing what it called the most comprehensive report ever published on SamSam's activity. The report, it said, covers the period from the ransomware's launch in late 2015 up to attacks that happened earlier this month. BleepingComputer: Compiled by UK cyber-security firm Sophos, the 47-page report is the result of researchers collecting data from past attacks, talking to victims, and data-mining public and private sources for SamSam samples that might have slipped through the cracks. In addition, Sophos researchers partnered with blockchain and cryptocurrency monitoring firm Neutrino to track transfers and relations between the different Bitcoin addresses the SamSam crew has used so far.

By tracking all the Bitcoin addresses researchers were able to find, Sophos says it identified at least 233 victims who paid a ransom to the SamSam crew, 86 of whom went public with the fact that they paid, allowing Sophos to create profiles of each of these victims. Researchers say that based on the data of these 86 victims, they were able to determine that around three-quarters of those who paid were located in the US, with some scattered victims in the UK, Belgium, and Canada.

20 comments

  1. They paid the ransom. by grep+-v+'.*'+* · · Score: 1

    Did they get their data back? Seems like it might be a "cheap" lesson to learn about backup/RESTORES and security.

    I've heard about some of these guys actually having a chat-room to help victims figure out how to pay them in bitcoin and make sure the files are recovered. Nothing like an honest criminal -- OTOH you're more apt to pay them if it's well known you'll actually get your data back. "Thank you for volunteering to be a customer, please come again!"

    The FBI doesn't want you to pay them, because you're paying a criminal. I agree, but I can see how people do it and say, "But next time we'll do better!" Link.

    --
    If the universe is someone's simulation -- does that mean the stars are just stuck pixels?

    1. Re:They paid the ransom. by Anonymous Coward · · Score: 1

      In most all cases the ransom paid is far less than just about any other single cost the company would incur after being a victim.

      Physical losses
      Loss of data - in typical cases they know where your backups are and they encrypt those too (see the part about how they infiltrate, learn and then attack)
      Loss of productivity - computers don't work, people can't work, stuff isn't made, stuff isn't shipped, orders are missed
      And that's just a small picture of the physical losses

      Then there is the cost of analysis and mitigation - 3rd parties, lawyers, business partners, executive time suck, meetings, paperwork, insurance

      And then you get to the intangibles - reputation hits (missed deadlines, incorrect orders), morale suck (poor IT team and frustrated customer/sales team), etc...

      So yes, they paid the ransom. At the end of the day it was an obvious and simple choice.

    2. Re:They paid the ransom. by nukenerd · · Score: 1

      Thank you for that, Captain Obvious, but you didn't answer the main question - did they get their data back?

    3. Re:They paid the ransom. by Anonymous Coward · · Score: 0

      Of course they got their data back.
      SamSam doesn't work if the victims don't get their data back, Captain Obvious!

    4. Re:They paid the ransom. by Anonymous Coward · · Score: 0

      in typical cases they know where your backups are and they encrypt those too

      Yeah, if you're a worthless fucking idiot who doesn't airgap your backups.

      Put the data on external drives, remove the drives, put them in a fireproof safe high above sea level, preferably off-site. How goddamn hard is this for corporate IT managers to figure out?

  2. How do you trust them to give your data back? by Anonymous Coward · · Score: 0

    Someone evil enough to encrypt your data seems evil enough to take your money and run without giving you the decryption key.

  3. C&C servers used to block in hosts by Anonymous Coward · · Score: 0


    APK

    P.S.=> The source article leads to TONS of others to get that list (was quite the merry chase) but there you are... apk
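The hosts-file block list posted above mixes exact C&C hostnames with the apex domains of shared dynamic-DNS providers and content hosts, and repeats some entries. Because a hosts file matches hostnames exactly, an apex entry neither covers the subdomains below it nor is harmless when the apex is a service others rely on. As an added example (not the commenter's tool or any code from this thread), the Python linter below flags duplicate entries and apex entries that are parents of other listed names; the sample list is constructed from reserved example domains, not real indicators.

```python
# Added example, not from the comment above: lint a hosts-style blocklist.
# A hosts file matches hostnames exactly, so "0.0.0.0 dyn-example.net" does
# not cover "q968787.dyn-example.net"; it only blocks the provider's apex.
from collections import Counter

# Constructed sample in hosts-file format (reserved example domains, not real IoCs).
SAMPLE_HOSTS = """\
0.0.0.0 www.c2-example.org
0.0.0.0 c2-example.org
0.0.0.0 q968787.dyn-example.net
0.0.0.0 q96b7b7.dyn-example.net
0.0.0.0 dyn-example.net
0.0.0.0 raw.cdn-example.com
0.0.0.0 cdn-example.com
0.0.0.0 dyn-example.net
"""

def parse_hosts(text):
    """Return (ip, hostname) pairs, skipping blank lines and '#' comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            entries.append((ip, name.lower().rstrip(".")))
    return entries

def is_blocked(text, hostname):
    """Exact-match lookup, the way the resolver applies a hosts file."""
    blocked = {name for _, name in parse_hosts(text)}
    return hostname.lower().rstrip(".") in blocked

def lint_blocklist(text):
    """Return (duplicates, apex_entries): names listed more than once, and
    names that are a strict parent of another listed name. An apex entry is
    either an intended wildcard (which a hosts file cannot express) or a
    shared service the entry would needlessly block; either way, review it."""
    names = [name for _, name in parse_hosts(text)]
    duplicates = sorted(n for n, c in Counter(names).items() if c > 1)
    unique = set(names)
    apex_entries = sorted(
        parent for parent in unique
        if any(child.endswith("." + parent) for child in unique)
    )
    return duplicates, apex_entries
```

Running `lint_blocklist(SAMPLE_HOSTS)` reports the repeated provider apex and the three parent entries, while `is_blocked(SAMPLE_HOSTS, "other.dyn-example.net")` shows that a sibling subdomain is still resolvable despite the apex entry.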

  4. For multiplatform comprehensive protection by Anonymous Coward · · Score: 0

    For the BEST possible hosts file vs. this & other exploits/threats? Accept NO substitute for APK Hosts File Engine 2.0++ 64-bit for Linux h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r L i n u x . z i p (remove spaces between characters & download) OR APK Hosts File Engine 9.0++ SR-1 32/64-bit for Windows https://www.google.com/search?...

    APK

    P.S.=> Most all of what's in my parent post was long ago blocked vs. SamSam because of it (a couple are also sinkholed dead) ... apk

    1. Re:For multiplatform comprehensive protection by Anonymous Coward · · Score: 0

      Are you at all capable of NOT spamming your shitty apps?

  5. execute them by mapkinase · · Score: 1

    I am a firm believer that anybody involved in organized crime should be executed.

    --
    I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
    1. Re:execute them by gnick · · Score: 1

      First let's focus on not re-electing them.

      --
      He's getting rather old, but he's a good mouse.

  6. MICROS~1 Windows strikes again :] by najajomo · · Score: 1

    "The attacker or attackers use a variety of built-in Windows tools to escalate their own privileges, then scan the network for valuable targets .. All tools in this list are publicly available. Most of them are free open source software."

    The solution being to ban all this open source socialist software from the Intertubes :]

  7. Impersonating me? Ok... apk by Anonymous Coward · · Score: 0

    1st: You're NOT me (but wish you were) & I'm NOT here to win a "popularity contest": I'm here to WIN so EVERYONE DOES & be faster/safer/more reliably connected online.

    Your CRAP's what I PUT UP W/ when one's "World-Class" (like ME): STALKERS stalking u by UNIDENTIFIABLE ac (everyone sees IT constantly happening & I suspect it's INFERIOR competitors, webmasters & advertisers (mostly) & lastly malware makers (as my hosts engine affects 'em adversely & gives users of it more SPEED/SECURITY/RELIABILITY & more anonymity online)).

    My "portrait" https://365songsblog.files.wor... (lol) so

    * Satan GET THEE BEHIND ME!

    APK

    P.S.=> 3 things show I do it right:

    1st = User praise my hosts engine https://tech.slashdot.org/comm...

    2nd "ATTACKS" I GET (from UNIDENTIFIABLE ac as Elon Musk got https://tech.slashdot.org/stor... )

    3rd BEING IMITATED = "Imitation = sincerest form of flattery" https://linux.slashdot.org/com... ... apk

  8. Impersonating me AGAIN? Ok then... apk by Anonymous Coward · · Score: 0

    1st: You're NOT me (but wish you were) & I'm NOT here to win a "popularity contest": I'm here to WIN so EVERYONE DOES & be faster/safer/more reliably connected online.

    Your CRAP's what I PUT UP W/ when one's "World-Class" (like ME): STALKERS stalking u by UNIDENTIFIABLE ac (everyone sees IT constantly happening & I suspect it's INFERIOR competitors, webmasters & advertisers (mostly) & lastly malware makers (as my hosts engine affects 'em adversely & gives users of it more SPEED/SECURITY/RELIABILITY & more anonymity online)).

    My "portrait" https://365songsblog.files.wor... (lol) so

    * Satan GET THEE BEHIND ME!

    APK

    P.S.=> 3 things show I do it right:

    1st = User praise my hosts engine https://tech.slashdot.org/comm...

    2nd "ATTACKS" I GET (from UNIDENTIFIABLE ac as Elon Musk got https://tech.slashdot.org/stor... )

    3rd BEING IMITATED = "Imitation = sincerest form of flattery" https://linux.slashdot.org/com... ... apk

  9. Registered /.ers DISAGREE w/ you... apk by Anonymous Coward · · Score: 0

    Your software is just fine - well written, functional... I'm going to continue using the Host File Engine by mmell February 17, 2017

    Your premise that hostfiles are a good way to deal with advertising and malvertising is quite valid - by JazzLad April 20, 2016

    his hosts program is actually pretty good by xenotransplant August 10 2015

    his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg September 25 2015

    I like your host file system by Karmashock September 09 2015

    that APK guy, I use his host file by rogoshen1 Tuesday March 03, 2015

    I personally use a HOSTS file blocker produced from a genius called APK by 110010001000 October 27 2017

    * Want more? Ask - & YOU've done BETTER?

    APK

    P.S.=> See subject UNIDENTIFIABLE anonymous STALKER - you FAIL... apk

  10. APK needs to understand this by Anonymous Coward · · Score: 0

    Obligatory XKCD that you need to read and understand.

    1. Re:APK needs to understand this by Anonymous Coward · · Score: 0

      You just don't like that slashdotters put you in your place disagreeing with you https://it.slashdot.org/commen...

  11. You've made me understand 1 thing (lol) by Anonymous Coward · · Score: 0

    See subject: YOU can't prove you do BETTER work than I do - I offer you the fair chance to do so & you FAIL, jealous blowhard!

    * Keep "STALKING" me via UNIDENTIFIABLE anonymous posts - you're doing WONDERS for me making ME look GOOD & yourself? Well, you know - you prove you're a BLOWHARD do-NOTHING "ne'er-do-well" in comparison to myself.

    APK

    P.S.=> Offer still stands for YOU to personally show w/ YOUR OWN CODE (not OpenSORES thievery) you do work even /.ers like & use speaking well of as they do MY work (& I can produce MANY MORE such testimonials from our /. REGISTERED peers, not UNIDENTIFIABLE little JEALOUS "jowie' WORMS like you - lol)... apk