Over the last 12 months, the cybercriminals behind a SamSa ransomware campaign targeting primarily healthcare organizations have raked in at least $450,000 in ransom payments, according to an analysis by Palo Alto Networks' Unit 42 threat research team.
Unit 42 based its estimate on an analysis of samples that Palo Alto has collected since SamSa – also known as Samsam – was first discovered in December 2015. Because SamSa's executables often contain the Bitcoin Wallet address that victims use to pay ransom, researchers were able to monitor the samples' transaction histories and arrive at a figure totaling 607 Bitcoins, which translates to roughly $450,000 using the current exchange rate.
SamSa's actual profits are probably much higher, Palo Alto added, because the company was unlikely to have collected all the samples circulating in the wild, and cybercriminals also sometimes take steps to artfully conceal payment details.
Since March 24, 2016, Palo Alto has counted 24 unique SamSa samples containing 19 unique Bitcoin addresses, 14 of which have received payments. Payment activity was especially heavy from March through May.