SamSam Ransomware

A recent report by cyber security company Sophos has shed further light on SamSam – its evolution, the revenue it has generated and details of the attacker(s), who has yet to be identified. Key findings from Sophos include:

  • SamSam has earned more than $5.9m (£4.5m) from ransom payments since late 2015. The attacker’s revenue now averages around $300,000 (£250,000) per month.
  • Most of the known victims are based in the United States (74%), but other regions are known to have suffered attacks, including the UK (8%).
  • Medium to large public sector organisations in healthcare, education, and government account for about 50% of the total number of known victims, with the rest in unidentified parts of the private sector.
  • The ransom demands have increased considerably, and the tempo of attacks shows no sign of abating.
  • The attacker is thorough and consistent in covering their tracks and making analysis difficult.


3cbddf5f027b19e55366ecc0fd287f31379175a0 – z2.exe
Contains garbage code. Calls the decryption function from sdgasfse.dll.
a1ab74d2f06a542e77ea2c6d641aae4ed163a2da – mswinupdate.exe
Contains no garbage code. Calls the decryption function from ClassLibrary1.dll.
138c3aae51e67db0c4134affae428fe91c0d1686 – sdgasfse.dll
4d7a60bd1fb3677a553f26d95430c107c8485129 – ClassLibrary1.dll
TOR site:
BTC Wallet:

The SamSam campaign operates differently from most ransomware threats. Most malicious actors perform mass distribution schemes to spread ransomware through email spamming or malware-infected adverts. In the case of SamSam, the attacker is patient, persistent and selective, targeting one victim at a time.

The best way for organisations to protect themselves against SamSam, and many other attacks, is to reduce their threat profile and not be an easy target in the first place.

Further details :

Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
