SamSam is ransomware that appeared in early 2016. Unlike some ransomware, its variants have required operators to manually interact with the malware to execute some of its core components.[1][2][3][4]

ID: S0370
Associated Software: Samas
Platforms: Windows
Version: 1.0
Created: 15 April 2019
Last Modified: 18 April 2019

Associated Software Descriptions

Name Description


Techniques Used

Domain ID Name Use
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

SamSam uses custom batch scripts to execute some of its components.[3]

Enterprise T1486 Data Encrypted for Impact

SamSam encrypts victim files using RSA-2048 encryption and demands a ransom be paid in Bitcoin to decrypt those files.[3]

Enterprise T1070 .004 Indicator Removal: File Deletion

SamSam has been seen deleting its own files and payloads to make analysis of the attack more difficult.[3]

Enterprise T1027 Obfuscated Files or Information

SamSam has been seen using AES or DES to encrypt payloads and payload components.[3][2]

.001 Binary Padding

SamSam has used garbage code to pad some of its malware components.[3]