S0370 SamSam
SamSam is ransomware that appeared in early 2016. Unlike some ransomware, its variants have required operators to manually interact with the malware to execute some of its core components.3412
| Item | Value |
|---|---|
| ID | S0370 |
| Associated Names | Samas |
| Type | MALWARE |
| Version | 1.1 |
| Created | 15 April 2019 |
| Last Modified | 11 April 2024 |
| Navigation Layer | View In ATT&CK® Navigator |
Associated Software Descriptions
| Name | Description |
|---|---|
| Samas | 3 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | SamSam uses custom batch scripts to execute some of its components.1 |
| enterprise | T1486 | Data Encrypted for Impact | SamSam encrypts victim files using RSA-2048 encryption and demands a ransom be paid in Bitcoin to decrypt those files.1 |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | SamSam has been seen deleting its own files and payloads to make analysis of the attack more difficult.1 |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.013 | Encrypted/Encoded File | SamSam has been seen using AES or DES to encrypt payloads and payload components.14 |
| enterprise | T1027.016 | Junk Code Insertion | SamSam has used garbage code to pad some of its malware components.1 |
References
-
Palotay, D. and Mackenzie, P. (2018, April). SamSam Ransomware Chooses Its Targets Carefully. Retrieved April 15, 2019. ↩↩↩↩↩↩
-
Symantec Security Response Attack Investigation Team. (2018, October 30). SamSam: Targeted Ransomware Attacks Continue. Retrieved April 16, 2019. ↩
-
US-CERT. (2018, December 3). Alert (AA18-337A): SamSam Ransomware. Retrieved March 15, 2019. ↩↩
-
Ventura, V. (2018, January 22). SamSam - The Evolution Continues Netting Over $325,000 in 4 Weeks. Retrieved April 16, 2019. ↩↩