
S0370 SamSam

SamSam is ransomware that appeared in early 2016. Unlike some ransomware, its variants have required operators to manually interact with the malware to execute some of its core components.[1][2][3][4]

| Item | Value |
|---|---|
| ID | S0370 |
| Associated Names | Samas |
| Version | 1.0 |
| Created | 15 April 2019 |
| Last Modified | 18 April 2019 |
| Navigation Layer | View In ATT&CK® Navigator |

Associated Software Descriptions

| Name | Description |
|---|---|
| Samas | [1] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | SamSam uses custom batch scripts to execute some of its components.[3] |
| enterprise | T1486 | Data Encrypted for Impact | SamSam encrypts victim files using RSA-2048 encryption and demands a ransom be paid in Bitcoin to decrypt those files.[3] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | SamSam has been seen deleting its own files and payloads to make analysis of the attack more difficult.[3] |
| enterprise | T1027 | Obfuscated Files or Information | SamSam has been seen using AES or DES to encrypt payloads and payload components.[3][2] |
| enterprise | T1027.001 | Binary Padding | SamSam has used garbage code to pad some of its malware components.[3] |