
SamSam Ransomware Hackers Rake in $5.9 Million

Sophos came to the $5.9 million figure by identifying which Bitcoin addresses the hackers had been using to receive the ransom payments. In total, they identified 157 unique addresses and estimate 233 victims gave in to the ransom demands.

By Michael Kan, Principal Reporter


The SamSam ransomware may have made its creators quite rich.

New research from the security firm Sophos estimates the notorious ransomware strain has raked in $5.9 million by infecting computers and holding the data inside hostage.

Sophos came to the $5.9 million figure by teaming up with a cryptocurrency monitoring provider called Neutrino to identify which Bitcoin addresses the hackers had been using to receive the ransom payments. In total, they identified 157 unique addresses, and estimate that 233 victims gave in to the ransom demands since the malicious code arrived on the scene back in late 2015.

For the uninitiated, ransomware attacks work by encrypting all the data inside a computer and then threatening to delete it unless the victim pays up, usually in Bitcoin. SamSam most recently grabbed headlines for crippling the IT systems of Atlanta's city government. In that attack, the hackers demanded a payment of $51,000 to unlock all the computers infected with the ransomware. Earlier this month, the SamSam strain also attacked LabCorp, a major provider of clinical lab testing.


Why does SamSam keep infecting computers? According to Sophos, the hackers have been targeting Windows computers that can be accessed online over Microsoft's Remote Desktop Protocol (RDP). Unfortunately, simply entering the right password is sometimes all you need to break into these computers.

"SamSam usually succeeds when the victim chooses a weak, easily guessed password," Sophos said in its report. Computers with RDP enabled can also be exposed on the open internet, making them easy to find with a search engine such as Shodan.

Once access is gained, the hackers can proceed to scan the victim's networks for other computers and decide how to go about spreading the SamSam ransomware.

Sophos has collected the ransom notes used in previous attacks and found that over time SamSam's creators have been demanding higher and higher sums from their victims. Starting in early 2016, the crooks were only demanding between $9,600 and $18,700. Lately, however, the hackers have been wanting closer to $40,000.

According to Sophos, the SamSam ransomware will try to infect a new victim about once a day; the attack itself will usually occur late at night when employees are off work and sleeping. Although the creators of SamSam are still unknown at this point, they've largely been targeting victims in the US, including governments and health care providers, in addition to private businesses.

"The cost victims are charged in ransom has increased dramatically, and the tempo of attacks shows no sign of slowdown," Sophos warned.

The security firm's report and a separate blog post feature tips on how organizations can protect themselves from the SamSam ransomware strain. They include placing better protection around computers capable of remote access online, such as multi-factor authentication and requiring a VPN connection to use them.
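For defenders, the entry pattern described above (password guessing against RDP, often at night) leaves a recognizable trail in Windows logon events. The following Python is an added example, not taken from Sophos's report or this article: it flags a run of failed RDP logons from one address that ends in a success. The comma-separated log layout, the thresholds, the night-hours range and the sample lines are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: time, event ID, logon type, source IP, account.
# 4625 = failed logon, 4624 = successful logon, type 10 = RemoteInteractive (RDP).
# With Network Level Authentication, failures may be logged as type 3 instead.
SAMPLE_EVENTS = """\
2018-07-30T14:02:11,4624,10,10.0.5.20,jsmith
2018-07-31T02:10:01,4625,10,203.0.113.7,administrator
2018-07-31T02:10:04,4625,10,203.0.113.7,administrator
2018-07-31T02:10:09,4625,10,203.0.113.7,admin
2018-07-31T02:10:15,4625,10,203.0.113.7,backup
2018-07-31T02:10:21,4625,10,203.0.113.7,administrator
2018-07-31T02:10:30,4624,10,203.0.113.7,administrator
2018-07-31T09:15:00,4625,10,10.0.5.31,mlee
2018-07-31T09:15:20,4624,10,10.0.5.31,mlee
"""

FAIL_THRESHOLD = 5               # assumed tuning value
WINDOW = timedelta(minutes=10)   # assumed tuning value
OFF_HOURS = range(0, 6)          # assumed local night hours (00:00-05:59)

def find_guessed_logons(text):
    """Return one alert per RDP success preceded by a burst of failures."""
    failures = defaultdict(deque)  # source IP -> times of recent failures
    alerts = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, src, account = line.split(",")
        if logon_type != "10":
            continue
        when = datetime.fromisoformat(ts)
        recent = failures[src]
        while recent and when - recent[0] > WINDOW:
            recent.popleft()       # forget failures outside the window
        if event_id == "4625":
            recent.append(when)
        elif event_id == "4624":
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append({"source": src, "account": account,
                               "failures": len(recent),
                               "time": ts,
                               "off_hours": when.hour in OFF_HOURS})
            recent.clear()         # a success resets the count for this source
    return alerts

if __name__ == "__main__":
    for alert in find_guessed_logons(SAMPLE_EVENTS):
        print(alert)
```

A single mistyped password followed by a success, like the `mlee` lines in the sample, stays below the threshold and raises no alert.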
