How the Dark Web and Bitcoin Are Helping Keep ‘SamSam’ Ransomware Hidden

Published on:
Ransomware written on metallic keyboard.
A look at how Bitcoin and the dark web aid the malicious SamSam ransomware in evading tracking from authorities.

In the ever-changing world of cybercrime, the issue of malware has extensively been studied and researched by cybersecurity experts from all over the world.

However, in as much as considerable progress has been made on this field, there is one case that continues to baffle researchers and cyber threat experts.

This is the case of SamSam, an elusive malware whose precise and meticulous ways of operation has accorded it great popularity amongst cybersecurity experts and enthusiasts alike.

Since its inception in December 2015, the methodical malware colloquially known as SamSam has continued to wreak havoc by terrorizing high-level organizations’ networks and asking for pricey ransoms in exchange for decryption software for two years.

Why SamSam Stands out from the Rest

SamSam is far from your average ransomware. It has some special qualities that set it apart from the flock.

Its unique ways have proved to be overly successful in its operations and have made it elusive to authorities.

Your TOR usage is being watched

One such disparity from most ransomware is its targeted attacks on specific victims whereby an attacker gains access to a victim’s network, surveils it and then manually operates the ransomware.

Most ransomware play a game of numbers whereby they target hundreds of thousands of people.

Their strategies are often to raise cash through large sums of relatively small ransoms.

But SamSam identifies specific targets and capitalizes on the opportunity by asking for five-figure ransom payments.

In addition, unlike other major ransomware attacks, like WannaCry, SamSam is not transmittable by itself from one machine to another.

Rather, it relies on the skill of a human attacker to spread it as they surveil the target.

SamSam’s attacks are also not as frequent as other traditional ransomware—they seem to be extremely calculated and precise.

Once it infects the targeted machine, files are encrypted in a quick, yet highly damaging manner.

Due to this fact, details about its inner workings have remained shadowed since its inception.

Perhaps the most common way in which SamSam attacks is by gaining entry to targets’ systems through Remote Desk Protocol (RDPs).

Red sticky note pasted on a keyboard.
Most ransomware play a game of numbers whereby they target hundreds of thousands of people.

This is a proprietary protocol which provides the user with a graphical interface to access a different computer through a network connection.

Companies employ this technology to allow employees to connect remotely to their devices.

Once this is done, the rest is just a matter of exploiting the weak passwords with readily available underground software.

SamSam’s main domain of payment is the dark web.

The victim is directed to a darknet site, accessible via the Tor browser, where instructions to purchase Bitcoins and pay the attacker are availed in a discreet but open conversation.

This happens in plain sight and the cash transfers are visible in real time by both parties (the attacker and the victim).

The question then is how does SamSam carry out its operations in plain sight and still manage to avoid and escape the prying eyes of the authorities?

Bitcoin’s Role in Keeping SamSam Running

Bitcoin is the only mode of payment that SamSam recognizes.

Bitcoin blockchain users are represented by one or more addresses which are heavily encrypted with strings of letters and numbers.

Bitcoin is available for anyone to purchase and with the aid of specialized software, anyone can view the transactions stored within the blockchain database.

SamSam benefits from the fact that anyone can observe how much has been transferred from one address to another, but the Bitcoin blockchain has no record of who owns which address and how many addresses they own, due to its decentralized nature.

The trade of Bitcoins for cash and good equivalents can create a link between an anonymous Bitcoin user and a real person (when it comes to good delivery address), but SamSam seems to be one step ahead of its adversaries as it uses tumblers (a complex form of Bitcoin laundering).

When Sophos, a cybersecurity firm leading SamSam investigations, partnered with a big data analytics firm called Neutrino, they were able to discover that the total sum that SamSam has made over the course of its attacks is nearly $6 million and not the previously suspected $1 million.

This goes to show the gravity of SamSam’s operations.

Bitcoin mining.
Bitcoin blockchain users are represented by one or more addresses which are heavily encrypted with strings of letters and numbers.

With the incoming big data advancements, however, there is a possibility that the key privacy protections of Bitcoin will be diluted as it the case with Monero, a cryptocurrency that claims to be more secure than Bitcoin.

SamSam and the Dark Web

In addition to the transparent exchange of digital currency from victim to attacker, SamSam also has the tendency of maintaining interactions with the victim through dark web sites where, upon the fulfilment of the attackers’ requests, the victim may access the decryption software.

SamSam offers a number of alternatives to the victim:

  1. Upon payment of the full requested sum, all the infected computers are decrypted.
  2. Half the computers can be decrypted upon payment of half of the requested sum.
  3. One computer can be decrypted for .8 Bitcoin (as of June 2018).
  4. Two files can be decrypted for free to prove that the encryption works.
  5. Any computer can be decrypted if the attacker deems it unimportant.

When SamSam began, it used single-use websites on and to maintain some level of anonymity.

Currently, it has shifted its operations and it now runs in the overlapping and interwoven embers of the dark web through the Tor network.

The dark web has proved to be very useful to many cybercriminals as hides the client IP address through a complex array of encryption and a series of intermediary networks.

This helps strengthen anonymity because, in the absence of an IP address, it is difficult for law enforcement to identify the user’s location.

This, however, does not mean that SamSam is entirely exempt from danger. Many dark web drug trafficking rings, fraudsters and hackers have been and continue to be apprehended by authorities.

Although the Tor browser guarantees some considerable level of anonymity, it does not mean that it completely safeguards one’s privacy.



With the urge to know more about everything around us, I am an enthusiast researcher and writer with keen interest in expanding my knowledge in a bid to be well versed. Through writing, I express and share my feelings, ideas, and thoughts for like minded individuals.
Write for us


The articles and content found on Dark Web News are for general information purposes only and are not intended to solicit illegal activity or constitute legal advice. Using drugs is harmful to your health and can cause serious problems including death and imprisonment, and any treatment should not be undertaken without medical supervision.


Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.