|Enterprise||T1059||.003||Command and Scripting Interpreter: Windows Command Shell||
SamSam uses custom batch scripts to execute some of its components.
|Enterprise||T1486||Data Encrypted for Impact||
SamSam encrypts victim files using RSA-2048 encryption and demands a ransom be paid in Bitcoin to decrypt those files.
|Enterprise||T1070||.004||Indicator Removal: File Deletion||
SamSam has been seen deleting its own files and payloads to make analysis of the attack more difficult.
|Enterprise||T1027||Obfuscated Files or Information||
SamSam has been seen using AES or DES to encrypt payloads and payload components.
SamSam has used garbage code to pad some of its malware components.