Dubai: Ransomware has been creating havoc globally across various sectors.

SamSam malware, first seen in late 2015, has amassed $5.9 million (Dh21,667,750) since 2016, Sophos research revealed.

The hackers have impacted operations of some large organisations, including hospitals, schools and cities globally, and have received ransom payments as high as $64,478 (Dh236,795), based on analysis of ransom payments to the Bitcoin wallets tracked by the security company.

Peter Mackenzie, global malware escalations manager at Sophos, told <Gulf News> that 74 per cent of the known victims are based in the US, followed by the UK with eight per cent, Belgium with six per cent and Canada with five per cent. One per cent of the victims in the UAE have fallen prey to the malware, but it’s not sure how much ransom has been paid.

Malware mayhem

Unlike most ransomware which is spread over spam emails, he said that SamSam hackers attack a network manually.

“Depending on the access they have, they can stay on the network for hours or days. They scan the network to see how many computers are online and how many machines they can access. They drop a text file into all the machines it has access to and builds up a list of the machines.”

When they are ready, he said that they activate the malware when enough of the network is geared up to be encrypted. Mackenzie said that the encryption usually happens late at night, when victims are not monitoring their network in real time and the attacks are tailored to cause maximum damage.

Wannacry, a network worm and malware which attacked many computers in 2017, grew huge so quickly but Mackenzie said that SamSam does not spread at all and has made more money than Wannacry. “It is used in targeted attacks and each attack is very controlled. If the process of encrypting data is interrupted, then the malware comprehensively deletes all trace of itself immediately, to hinder investigation,” he said.

Moreover, he said that cybercriminals have become more sophisticated and better resourced and they are more patient and will look to target businesses with higher ransoms. He added that every subsequent attack has shown a progression in sophistication and an increasing awareness of how to evade operational security.

Sophos estimates that the SamSam attacker earned an average of under $300,000 per month in 2018, and payments are made by victims in bitcoin via a custom “payment site” on the dark web that is at a unique address for each victim organisation.

Mackenzie said that SamSam encrypts not only document files, images and other personal or work data, but also configuration and data files required to run applications such as Microsoft Office.

“Recovery may require reimaging and/or reinstalling software as well as restoring backups,” he said.

Mackenzie said there have an increase in coin mining but ransomware is still huge and it is not going away.