Users of BTC are out $6 million. This is according to cybersecurity company Sophos, which recently published a 47-page report on the SamSam ransomware. Sophos revealed that the creator of the ransomware has collected a total of $6 million since the malware was first seen in 2015. The report is said to be one of the most comprehensive looks at the SamSam ransomware. It was written based on information gathered from a number of sources, including testimonials from victims, researchers from previous attacks and samples of cryptocurrency mining data. After compiling all of the information, Sophos has been able to produce an in-depth analysis of the proliferation of SamSam ransomware and how its creator, or creators, were able to grab BTC from a total of 233 victims.

Normally, hackers will send mass emails to try to spread malware or ransomware as quickly as possible. However, SamSam ransomware took a different approach. Those behind the ransomware painstakingly selected one victim at a time, exploiting a vulnerability in JBoss, an open-source application server, that allowed the attacker to gain privileges on the computer and then copy the ransomware onto the network. JBoss developers were able to patch the coding flaw. However, this wasn't a deterrent for the SamSam ransomware creators. They began using the dark web to purchase lists of servers that were still vulnerable, subsequently launching brute force attacks on those vulnerable targets until they gained entry.

Once inside, a whole suite of hacking tools was used to give the attacker(s) more system privileges until they became domain administrators. They would then scan the network to find a target computer and deploy the ransomware on the machine via authorized Windows network administrator tools like PsExec. After that, the individual, or individuals, behind SamSam only had to sit back and wait for night to fall or the weekend to roll around. The SamSam code was then launched, encrypting the computer and leaving a ransom note.

To trace the BTC payment trails, Sophos teamed up with Neutrino to comb through BTC transaction records. The two firms were able to track each BTC transaction to locate victims and funds that didn't show up in earlier reports. By the time the research was complete, 157 unique BTC addresses had been identified as having received ransom payments. There were another 89 addresses that were mentioned in notes, but which didn't earn any crypto. Three wallets were identified as being part of the SamSam ransom project, one of which still remains active today. A total of eight addresses have sent payments to this address since it was created.

The analysis reveals that SamSam ransomware isn't going away, either. It is getting stronger and is evolving almost constantly to make it more difficult to control. According to Sophos, "Since the end of 2015, SamSam has evolved to focus on two main objectives: First, to improve the deployment method so that the impact on victims is greater; Second, to make the analysis of the attacks harder, further helping to keep the attacker's identity a secret." There is still a great deal of debate about who is behind SamSam, and whether it is a single individual or possibly a criminal organization. At some point, as always, someone will slip up and the truth will come to light.
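As an added example (not taken from the Sophos report or from this article), the deployment pattern described above, PsExec pushed to machines across the network at night or on a weekend, can be hunted for in Windows service-install events. The record layout, host names, time window and thresholds are constructed assumptions; event ID 7045 and the default service name PSEXESVC are standard Windows and PsExec behaviour.

```python
from datetime import datetime, timedelta

# Constructed sample: simplified Windows System-log records (Service Control
# Manager event 7045, "a service was installed"), one tuple per event.
SAMPLE_EVENTS = [
    ("2018-07-10T10:15:00", "WS-014", 7045, "PSEXESVC"),    # lone weekday admin use
    ("2018-07-14T02:01:10", "FS-01", 7045, "PSEXESVC"),     # Saturday, 02:00
    ("2018-07-14T02:01:40", "DB-02", 7045, "PSEXESVC"),
    ("2018-07-14T02:02:05", "WS-031", 7045, "PSEXESVC"),
    ("2018-07-14T02:02:30", "WS-032", 7045, "BackupAgent"), # unrelated service
    ("2018-07-14T02:03:00", "WS-033", 7045, "PSEXESVC"),
]

def is_off_hours(ts, start=8, end=18):
    """True on weekends or outside start..end hours (assumed business day)."""
    return ts.weekday() >= 5 or not (start <= ts.hour < end)

def psexec_fanout(events, window=timedelta(minutes=10), min_hosts=3):
    """Return one alert per burst of PSEXESVC installs that reaches at least
    min_hosts distinct hosts inside `window`. PSEXESVC is only PsExec's default
    service name; a renamed service (PsExec -r) would not match this check."""
    hits = sorted(
        (datetime.fromisoformat(t), host)
        for t, host, eid, svc in events
        if eid == 7045 and svc.upper() == "PSEXESVC"
    )
    alerts, i = [], 0
    while i < len(hits):
        start = hits[i][0]
        j = i
        while j < len(hits) and hits[j][0] - start <= window:
            j += 1                      # extend the burst while inside the window
        hosts = sorted({h for _, h in hits[i:j]})
        if len(hosts) >= min_hosts:
            alerts.append({"start": start.isoformat(), "hosts": hosts,
                           "off_hours": is_off_hours(start)})
            i = j                       # skip past the burst already reported
        else:
            i += 1
    return alerts

if __name__ == "__main__":
    for alert in psexec_fanout(SAMPLE_EVENTS):
        print(alert)
```

A single daytime PsExec install stays quiet, while the Saturday 02:00 burst across four hosts is reported with `off_hours` set, which is the combination worth paging on.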