Less than three months into her job as newly elected mayor of Atlanta, Keisha Lance Bottoms' city was starting to crumble. The court system cancelled appointments, 90 per cent of computers at the Department of Public Works were inaccessible, and years of dash cam video captured by police was lost.

The city was under siege. “We are dealing with a hostage situation,” Lance Bottoms told reporters at a press conference. On March 22, hackers activated ransomware inserted into Atlanta's computer infrastructure and demanded $50,000 be paid in bitcoin for systems to be returned to normal. Five days later 8,000 city employees were told they could reboot their machines but major problems, including payments for services, were still being complained about a month later.

Atlanta was one of hundreds of public sector organisations and businesses to be targeted by malware from the SamSam group of hackers. While Atlanta decided not to pay, SamSam is making around $330,000 per month and has amassed almost $6 million since it was first seen in 2015, new research from cybersecurity firm Sophos has revealed.

The city of Atlanta isn't alone. SamSam forced the Colorado Department of Transportation to shutdown more than 2,000 machines and forced an Indiana hospital to lose access to patient histories and appointment schedules. There's one new SamSam ransomware victim each day, estimates Peter Mackenzie, Sophos' global malware escalations manager.

"This is controlled via a small group of people, it's manually deployed on a victim's network after they've hacked their way in, which is quite different to the majority of ransomware," Mackenzie says. Sophos has found 233 victims who have paid SamSam ransoms, with 74 per cent of these based in the US. Organisations in the UK, Canada and Middle East have also been targeted and the largest ransom paid is $64,000.

But there's isn't anything particularly sophisticated about SamSam's code. "There's no automation involved in it but what they do is old-school hacking," says Jake Williams, the founder of Rendition Infosec, which is based in the US state of Georgia. Unlike the massive WannaCry ransomware attack of 2017 – which lefts hundreds of UK hospitals and GPs out of action – SamSam is manually operated.

WannaCry spread through IT networks as a worm and encrypted files as it moved. Whereas the SamSam ransomware is inserted by its operators into systems and turned on when enough of the network is primed to be encrypted. Williams says he's seen evidence of hackers sitting inside networks for up to 60 days before activating the malware. "The ransomware itself isn't very sophisticated but the technique they use to achieve maximum damage mimics what we see with some of our advanced threat adversaries," he adds. As SamSam doesn't start encrypting files as soon as it is inside the network it can be hard to detect.

"They're generally going for low hanging fruit," Mackenzie says. Atlanta can be included in that category. Internal city documents obtained by local news outlet CBS46 warned officials there were a "large number of severe and critical vulnerabilities" that people had become "complacent" about and hadn't taken action.

Williams says the City of Atlanta had its systems infected a year before SamSam by the Eternal Blue exploit, which was used to help spread the WannaCry and NotPetya ransomware. "There were at least five servers belonging to the City of Atlanta and they were infected in April 2017," he says. In response to the cyberattacks, the City of Atlanta spent $2.6m to respond to the $52,000 ransom.

What stands out about SamSam is its ability to operate outside the reach of law enforcement. Since its emergence in 2015, when its first beta software was spotted, there hasn't been a positive identification of who is behind it. The FBI issued a flash alert in 2016 asking for businesses to help it with information about the ransomware (which was at the time referred to as Samas). The FBI said the ransomware allowed criminals to "demand considerable sums of money in return for decryption keys".

Security companies, including Sophos, have predicted SamSam is made up of a very small group of cybercriminals or even an individual hacker. "We don't believe they're a native English speaker," Mackenzie says. There are consistent spelling mistakes within the ransomware code – dark red is drak red, capital letters often follow commas in ransom notes and help files provided to assist people making payments. Personal touches have also been left in the wake of SamSam, initially encrypted files were renamed as HELP_DECRYPT_YOUR_FILES.html and now they're often called SORRY-FOR-FILES.html.

SamSam is now on the third version – and it's improving. It now encrypts files late at night when victims won't be at work to monitor their network in real time. Ransom notes and bitcoin payment websites, hosted on the Tor network, have been unique to each victim and if the encryption process is detected it self-destructs and leaves little evidence to be analysed.

"Unlike some threat actors out there who talk about their exploits on dark web forums or even on Twitter, these people don't do that. They don't brag. They don't post anything," Mackenzie says. "They don't seem to communicate with any other groups that we've been able to identify. They also don't seem to do anything else, it seems SamSam is the full time job for them." Mackenzie adds that he has seen SamSam change the arbitrary file extensions it uses from .stubbin to .berkshire, .satoshi, and in July this year it started to use .sophos.

"The skills have definitely improved. How they hide who they are, how they hide what their code is doing, making it harder to get hold of sample files is stuff they've been improving constantly," Mackenzie says. "We can only assume the way they're deploying the ransomware is going to become more efficient and more hidden."