The SamSam ransomware has grossed its creator over $6 million in Bitcoin since late 2015, according to research from cybersecurity firm Sophos.

The UK-based cyber-security firm published its findings in what is believed to be the most comprehensive research on the SamSam ransomware. The study is based on the data collected by the researchers from the SamSam’s past attacks, victims’ testimonies, and data mining samples. The outcome is a 47-page report that contains a detailed analysis on how the attacker(s) targeted, and siphoned off ransoms from some 233-victims in total.

One Victim at a Time

Sophos study finds that the SamSam operated differently than most of the ransomware threats. In general, hackers perform mass-distribution schemes to spread ransomware through email spamming, phishing websites, or malware-enabled advertisings. But in the case of SamSam, the attacker(s) selected one victim at a time. Initially, they exploited vulnerabilities in JBOSS systems to earn privileges that would enable them to copy their ransomware into the network.

Once the JBOSS team fixed the vulnerability, the attacker(s) moved to the internet for allegedly purchasing lists of vulnerable servers, with insecure RDP connections, from the dark web. They launched brute force attacks on machines with relatively weak credentials; thereby, gaining access to the network.

Upon gaining the network access, the attacker(s) use a bunch of hacking tools and spent days to elevate their privileges to the point when they assume the role of a domain admin. They follow up by scanning the network for target computers, find it, and deploy the malware using legitimate Windows network administration tools such as PsExec.

Once SamSam operator(s) gain access they need, they wait for nighttimes or weekends to launch the SamSam code via the hacked servers into the victims’ machines – single or bulked workstations. And as any ransomware would behave, SamSam too encrypts PC’s data, leaving behind a ransom note for the victim.

Bitcoin Data Collection

Sophos researchers also partnered with Neutrino, a digital currency and blockchain data monitoring firm, to look into SamSam’s Bitcoin transaction records. The pair trailed each Bitcoin transaction to find victims – and funds – that were missing in the earlier reports.

In total, Sophos and Neutrino identified 157 unique Bitcoin addresses that received the ransoms. The combinative study also found 89 Bitcoin addresses that were mentioned on ransom notes but didn’t earn any money down the road. Overall, the SamSam operator(s) used three wallets, out of which only one is active to this date. This mobile wallet has received payments from 8 different addresses to this date.

Since 2016, the SamSam operator has made around $300,000 every month from its victims, which happens to include some high-profile targets from healthcare and government. However, Sophos study finds that the private sector has suffered the most. In another revelation, 74% of the victims belong to the United States, while and the UK and Canada follow with 8% each.

SamSam Getting Stronger

Sophos report also mentions the evolution of the SamSam ransomware, with each upgrade receiving better protection to keep security researchers in a blindfold. The study mentions a possibility that the SamSam ransomware now uses stronger obfuscations for its code while conducting all the financial transactions in the dark web. It reads: