SamSam is a ransomware family, also known as Samas and SamsamCrypt, first launched in 2015 by Iranian threat actors. It is described as a targeted, manually operated ransomware rather than a spray-and-pray campaign. Operators typically gain initial access by exploiting vulnerable internet-facing services or through RDP brute-force activity; reporting in the content specifically links SamSam to attacks against vulnerable JBoss servers in spring 2016 and notes use of weak or infrequently changed passwords and unpatched systems. After access, the operators escalate privileges to administrator level, conduct internal reconnaissance, and manually deploy the ransomware using tools such as PsExec or PaExec. SamSam does not spread automatically like many other malware families.
Its primary impact is file encryption for extortion. The content states SamSam encrypts victim files using RSA-2048 and demands payment in Bitcoin for decryption. It has been observed encrypting data on victim systems and has been seen deleting its own files and payloads to hinder analysis. The malware has affected thousands of victims and reportedly generated nearly $6 million in ransom payments. Splunk detections in the content associate SamSam-related file extensions including .stubbin, .berkshire, .satoshi, .sophos, and .keyxml, and note creation of a test.txt file in Windows\System32 as indicative of propagation activity.
The malware is associated with targeted attacks against larger organizations and critical infrastructure. The content states the group behind SamSam emerged as the first to consistently conduct targeted attacks against critical infrastructure and larger corporations, including government entities and healthcare organizations in the United States and Canada. Mentioned victim organizations and incidents include Hollywood Presbyterian Medical Center, Hancock Regional Hospital in January 2018, Allscripts data centers in Raleigh and Charlotte in January 2018, and the City of Atlanta attack that experts said bore the hallmarks of SamSam.
The content also notes legal and policy context around the malware: in 2018, two Iranian men were indicted for allegedly using SamSam for extortion, and OFAC sanctions guidance has specifically referenced actors linked to SamSam.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
13 distinct techniques documented for this family, organized by ATT&CK tactic.
APT1 has used the Windows command shell to execute commands, and batch scripting to automate execution. Blue Mockingbird has used batch script files to automate execution and deployment of payloads. During HomeLand Justice, threat actors used Windows batch files for persistence and execution.
The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.
Examples throughout the content include 'encrypted payloads decrypted and executed in memory,' 'encrypts its configuration file,' 'AES-encrypted resource,' 'RC4 encrypted embedded scripts,' and 'payload includes an encrypted main component.'
Description Manual generation of samsam ransomware file extension MITRE ATT&CK Techniques Environment Details Datasets The following datasets were collected during this attack simulation: Windows-Sysmon Path: /datasets/attack_techniques/T1036.003/samsam_extension/windows-sysmon.log
The provider argued that as SamSam ransomware has been a known threat since 2016, the company should have audited or monitored its systems to prevent the attack. | Allscripts went down on Jan. 18, after two of its data centers in Raleigh and Charlotte, North Carolina fell victim to SamSam ransomware.
31 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Samas is described as ransomware, discussed in the context of multiple incident response engagements and analysis of the attack chain leading to ransomware deployment.
SamSam is ransomware that encrypts files and demands payment from victims.
Ransomware family referenced as an associated analytic story for detection of common ransomware file extensions.
SamSam is referenced as a ransomware family in the associated analytic story context.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.