SamSam is ransomware that appeared in early 2016. Unlike some ransomware, its variants have required operators to manually interact with the malware to execute some of its core components.[1][2][3][4]

ID: S0370
Associated Software: Samas
Platforms: Windows
Version: 1.1
Created: 15 April 2019
Last Modified: 11 April 2024

Associated Software Descriptions

Name Description


Techniques Used

Domain ID Name Use
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

SamSam uses custom batch scripts to execute some of its components.[3]

Enterprise T1486 Data Encrypted for Impact

SamSam encrypts victim files using RSA-2048 encryption and demands a ransom be paid in Bitcoin to decrypt those files.[3]

Enterprise T1070 .004 Indicator Removal: File Deletion

SamSam has been seen deleting its own files and payloads to make analysis of the attack more difficult.[3]

Enterprise T1027 .001 Obfuscated Files or Information: Binary Padding

SamSam has used garbage code to pad some of its malware components.[3]

.013 Obfuscated Files or Information: Encrypted/Encoded File

SamSam has been seen using AES or DES to encrypt payloads and payload components.[3][2]