Sophos was able to identify at least 233 victims that paid the ransom and noted that the average amount demanded to unlock machines ballooned over time to around $50,000 -- "vastly more than the three figure sums typical of untargeted ransomware attacks." The total proceeds, $5.9 million, dwarf previous collection estimates of around $850,000.
The report also notes that the party behind SamSam grew more cautious over time. The ransomware saw three major revisions, each adding additional protection measures such as hex coding, garbage code to bypass automated detection systems and an encrypted payload activated by a password.
There are also signs that SamSam was developed by a single individual. As the report states, "The consistency of language across ransom notes, payment sites, and sample files, combined with how their criminal knowledge appears to have developed over time, suggests that the attacker is an individual working alone." It added that "the attacker's language, spelling and grammar indicates that they are semi-proficient in English but they frequently make mistakes."
Despite heavy investigation, cybersecurity firms and law enforcement have been unable to find any clues that lead back to SamSam's creator. Only 86 of the 233 victims identified by Sophos have gone public with the fact they paid a ransom, which allowed Sophos to create profiles on the targets. The rest of the known victims, predominantly from the private sector, have "remained uncharacteristically quiet" about the attacks -- no doubt because they're embarrassed that their shoddy security has helped turn one nefarious individual into a millionaire.