SamSam and Matrix: The Latest in Ransomware Threats

Infosec experts expected 2019 to see a lessening in ransomware attacks — and so far, they’ve been terribly, terribly wrong. Just one month into the year, a tsunami of new ransomware has appeared around the web, threatening the safety of devices everywhere, from workplace computer networks to smart homes and beyond.

While there are too many variations in recent ransomware threats to name and explain them all, there are two major developments you need to know about: SamSam and Matrix. Here is what they do, where they come from, and what they want.


The vast majority of malware is of the passive variety; that is, it lurks online, waiting for any random user to make a mistake — click a corrupted link, open a corrupted file, etc. — and only then does it attack. SamSam, however, is different. SamSam is a custom ransomware infection used in targeted attacks, meant to bring down specific victims viciously and ruthlessly.

The SamSam attack typically starts with a simple and well-known vulnerability, perhaps in remote desktop protocols, Java-based web servers or file transfer protocol servers, but the malware has also been known to brute-force its way through weak passwords to gain an initial foothold on a network or device. From there, the devastating ransom begins.


The malware encrypts every piece of data it can find, and then it sends a ransom splash screen informing victims of what has occurred and how they can regain their data. It’s noteworthy that this ransom note is unusually polite, providing ample information on the style of encryption (RSA-2048, which requires a key for encryption and another key for decryption) and apologizing profusely for the inconvenience.

The attackers also offer a “goodwill” key for free to prove that they will return all data when properly paid in Bitcoin — but this is a popular tactic used by other ransomware to convince victims to make payments instead of trying other methods. With SamSam, it works; the ransomware has generated over $850,000 in profit, and few users know much (if anything) about it.

SamSam has been around since late 2015, but it didn’t start making waves until 2017. Now, in 2019, SamSam is suddenly stepping into the limelight. Throughout 2018, SamSam successfully struck large institutions, including hospitals and city agencies, like the Colorado Department of Transportation and the City of Atlanta. The average ransomware victim can use ransomware removal software to clean one or two devices of infection, but in most SamSam cases, victims have chosen to pay the ransom, given that it is much less expensive than other fixes at such a significant scale.

Because SamSam is just gearing up — and because the ransomware is proving so unstoppable once it infects a system — it’s unlikely that it will disappear any time soon. The best action against SamSam is a strong defense: up-to-date software, strong passwords, backed-up data and training to recognize the signs of threats.
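
The password-guessing foothold described above appears in authentication logs as a run of failed remote logons from one source, sometimes followed by a success. The following is an added example, not part of the original article, that flags that pattern; the record layout, sample data, threshold and time window are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: time, Windows event ID, logon type, source IP, account.
# 4625 = failed logon, 4624 = successful logon; logon types 3 and 10 are remote.
SAMPLE = """\
2019-01-14T02:10:01,4625,10,203.0.113.7,administrator
2019-01-14T02:10:03,4625,10,203.0.113.7,administrator
2019-01-14T02:10:05,4625,10,203.0.113.7,admin
2019-01-14T02:10:08,4625,10,203.0.113.7,backup
2019-01-14T02:10:11,4625,10,203.0.113.7,svc_sql
2019-01-14T02:10:15,4624,10,203.0.113.7,svc_sql
2019-01-14T08:59:40,4625,10,198.51.100.20,jsmith
2019-01-14T09:00:02,4624,10,198.51.100.20,jsmith
2019-01-14T09:05:00,4625,2,-,jsmith
"""

REMOTE_TYPES = {"3", "10"}  # network and RemoteInteractive (RDP) logons

def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Flag sources with >= threshold failed remote logons inside the window.

    An alert becomes 'compromise-suspected' when the same source logs on
    successfully while its failures are still inside the window.
    """
    failures = defaultdict(deque)   # source IP -> timestamps of recent failures
    alerts = {}                     # source IP -> alert record
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, src, account = line.strip().split(",")
        if logon_type not in REMOTE_TYPES:
            continue                # local console logons are out of scope
        when = datetime.fromisoformat(ts)
        recent = failures[src]
        while recent and when - recent[0] > window:
            recent.popleft()        # expire failures older than the window
        if event_id == "4625":
            recent.append(when)
            if len(recent) >= threshold and src not in alerts:
                alerts[src] = {"source": src, "failures": len(recent),
                               "status": "guessing", "account": None}
        elif event_id == "4624" and src in alerts and recent:
            alerts[src].update(status="compromise-suspected", account=account)
    return list(alerts.values())

if __name__ == "__main__":
    for alert in find_bruteforce(SAMPLE):
        print(alert)
```

A single mistyped password followed by a normal logon, as in the second source of the sample, stays below the threshold and raises nothing.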


Another ransomware threat looming large on the cyber landscape is Matrix, which could not be more different from SamSam. Unlike SamSam, Matrix does not spread through organizations, and it is not professional in its demands. In fact, once a device is infected, victims must contact the attackers with examples of their encrypted files, so attackers can then calculate the ransom amount and furnish a Bitcoin address. Worse, when victims don’t seem likely to comply with the attackers’ requests, the authors seem to become desperate, dropping their rates significantly and pleading for the ransom. It’s a disorganized system that doesn’t encourage victims to pay.

Matrix is best described as a copycat malware because it takes toolkits that are effective in other ransomwares and uses them for its own gain. Also called the “Swiss Army knife” of ransomware, Matrix is equipped with dozens of executable bundles to rely on when it finds itself in different situations. The discrete elements are cobbled together rather haphazardly, convincing most infosec professionals that Matrix won’t be easy to defeat — except that Matrix doesn’t appear very often, so there are only a handful of variants to study and develop solutions for.


Thus far, only 96 Matrix attacks have occurred since late 2016, making Matrix veritably rare. Worse, Matrix doesn’t seem to have a geographic distinction: While most victims encounter the malware in the U.S., that amounts to only about 27 percent; nearly as many attacks took place in Belgium, Taiwan, Singapore, Germany, Brazil, Chile, South Africa and the U.K. Because few infections take place in former Soviet nations, it seems most likely that the authors are located there.

Because Matrix is much more ramshackle than SamSam (and many other ransomwares, for that matter) it is much easier to defeat once infection takes place. Still, Matrix continues to evolve, meaning it could be some time before it disappears from the landscape entirely.