The sub-techniques beta is now live! Read the release blog post for more info.


SamSam is ransomware that appeared in early 2016. Unlike some ransomware, its variants have required operators to manually interact with the malware to execute some of its core components.[1][2][3][4]

ID: S0370
Associated Software: Samas
Platforms: Windows
Version: 1.0
Created: 15 April 2019
Last Modified: 18 April 2019

Associated Software Descriptions

Name Description
Samas [1]

Techniques Used

Domain ID Name Use
Enterprise T1009 Binary Padding

SamSam has used garbage code to pad some of its malware components.[3]

Enterprise T1486 Data Encrypted for Impact

SamSam encrypts victim files using RSA-2048 encryption and demands a ransom be paid in Bitcoin to decrypt those files.[3]

Enterprise T1107 File Deletion

SamSam has been seen deleting its own files and payloads to make analysis of the attack more difficult.[3]

Enterprise T1027 Obfuscated Files or Information

SamSam has been seen using AES or DES to encrypt payloads and payload components.[3][2]

Enterprise T1064 Scripting

SamSam uses custom batch scripts to execute some of its components.[3]