win.samsam

SamSam

aka: Samas

Actor(s): Boss Spider


According to PCrisk, Samsam is a high-risk ransomware designed to infect unpatched servers and to encrypt files stored on computers networked to the infected server.

References
2022-03-17SophosTilly Travers
@online{travers:20220317:ransomware:df38f2f,
  author       = {Tilly Travers},
  title        = {{The Ransomware Threat Intelligence Center}},
  date         = {2022-03-17},
  organization = {Sophos},
  url          = {https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/},
  language     = {English},
  urldate      = {2022-03-18},
}
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2021-12-28The RecordCatalin Cimpanu
@online{cimpanu:20211228:iranian:0d0f5b0,
  author       = {Catalin Cimpanu},
  title        = {{Iranian hackers behind Cox Media Group ransomware attack (DEV-0270)}},
  date         = {2021-12-28},
  organization = {The Record},
  url          = {https://therecord.media/iranian-hackers-behind-cox-media-group-ransomware-attack/},
  language     = {English},
  urldate      = {2021-12-31},
}
SamSam
2020-09-25CrowdStrikeThe Crowdstrike Intel Team
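@comment{ NOTE(review): this entry and team:20200924:double:3b3ade6 cite the same CrowdStrike post (identical title, url differing only by a trailing slash) under two dates and two keys; keep one entry and alias the other key via the biblatex ids field so the work is not listed twice. }
@online{team:20200925:double:fe3b093,
  author       = {{The Crowdstrike Intel Team}},
  title        = {{Double Trouble: Ransomware with Data Leak Extortion, Part 1}},
  date         = {2020-09-25},
  organization = {CrowdStrike},
  url          = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/},
  language     = {English},
  urldate      = {2020-10-02},
}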
DoppelPaymer FriedEx LockBit Maze MedusaLocker RagnarLocker REvil RobinHood SamSam WastedLocker MIMIC SPIDER PIZZO SPIDER TA2101 VIKING SPIDER
2020-09-24CrowdStrikeCrowdStrike Intelligence Team
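@online{team:20200924:double:3b3ade6,
  author       = {{CrowdStrike Intelligence Team}},
  title        = {{Double Trouble: Ransomware with Data Leak Extortion, Part 1}},
  date         = {2020-09-24},
  organization = {CrowdStrike},
  url          = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1},
  language     = {English},
  urldate      = {2021-05-31},
}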
DoppelPaymer Gandcrab LockBit Maze MedusaLocker RagnarLocker SamSam OUTLAW SPIDER OVERLORD SPIDER
2020-08Temple UniversityCARE
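@online{care:202008:critical:415c34d,
  author       = {{CARE}},
  title        = {{Critical Infrastructure Ransomware Attacks}},
  date         = {2020-08},
  organization = {Temple University},
  url          = {https://sites.temple.edu/care/ci-rw-attacks/},
  language     = {English},
  urldate      = {2020-09-15},
}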
CryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor
2020-03-05MicrosoftMicrosoft Threat Protection Intelligence Team
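@online{team:20200305:humanoperated:d90a28e,
  author       = {{Microsoft Threat Protection Intelligence Team}},
  title        = {{Human-operated ransomware attacks: A preventable disaster}},
  date         = {2020-03-05},
  organization = {Microsoft},
  url          = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/},
  language     = {English},
  urldate      = {2020-03-06},
}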
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor PARINACOTA
2020-02-25RSA ConferenceJoel DeCapua
@online{decapua:20200225:feds:423f929,
  author       = {Joel DeCapua},
  title        = {{Feds Fighting Ransomware: How the FBI Investigates and How You Can Help}},
  date         = {2020-02-25},
  organization = {RSA Conference},
  url          = {https://www.youtube.com/watch?v=LUxOcpIRxmg},
  language     = {English},
  urldate      = {2020-03-04},
}
FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Rapid Ransom REvil Ryuk SamSam Zeus
2020-01-29ANSSIANSSI
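@comment{ NOTE(review): the title of this report is French while the language field says English; check which edition the linked PDF is and set language to match it. }
@techreport{anssi:20200129:tat:3d59e6e,
  author       = {{ANSSI}},
  title        = {{État de la menace rançongiciel}},
  date         = {2020-01-29},
  institution  = {ANSSI},
  url          = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf},
  language     = {English},
  urldate      = {2020-02-03},
}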
Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam
2020-01-17SecureworksTamada Kiyotaka, Keita Yamazaki, You Nakatsuru
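@comment{ NOTE(review): the original listed the first author surname-first (Tamada Kiyotaka) and the other two given-name-first, so BibTeX took Kiyotaka as the family name; the names are now in Last, First form with the family names Tamada, Yamazaki and Nakatsuru as in the PDF file name. The citation key is kept unchanged because it may be referenced elsewhere. }
@techreport{kiyotaka:20200117:is:969ff38,
  author       = {Tamada, Kiyotaka and Yamazaki, Keita and Nakatsuru, You},
  title        = {{Is It Wrong to Try to Find APT Techniques in Ransomware Attack?}},
  date         = {2020-01-17},
  institution  = {Secureworks},
  url          = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf},
  language     = {English},
  urldate      = {2020-04-06},
}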
Defray Dharma FriedEx Gandcrab GlobeImposter Matrix Ransom MedusaLocker Phobos REvil Ryuk SamSam Scarab Ransomware
2020SecureworksSecureWorks
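@online{secureworks:2020:gold:7ea3b30,
  author       = {{SecureWorks}},
  title        = {{GOLD LOWELL}},
  date         = {2020},
  organization = {Secureworks},
  url          = {https://www.secureworks.com/research/threat-profiles/gold-lowell},
  language     = {English},
  urldate      = {2020-05-23},
}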
SamSam BOSS SPIDER
2019-05-08Verizon Communications Inc.Verizon Communications Inc.
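@techreport{inc:20190508:2019:3c20a3b,
  author       = {{Verizon Communications Inc.}},
  title        = {{2019 Data Breach Investigations Report}},
  date         = {2019-05-08},
  institution  = {Verizon Communications Inc.},
  url          = {https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf},
  language     = {English},
  urldate      = {2020-05-10},
}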
BlackEnergy Cobalt Strike DanaBot Gandcrab GreyEnergy Mirai Olympic Destroyer SamSam
2018-11-29SophosLabs UncutAndrew Brandt
@online{brandt:20181129:how:a840588,
  author       = {Andrew Brandt},
  title        = {{How a SamSam-like attack happens, and what you can do about it}},
  date         = {2018-11-29},
  organization = {SophosLabs Uncut},
  url          = {https://news.sophos.com/en-us/2018/11/29/how-a-samsam-like-attack-happens-and-what-you-can-do-about-it/},
  language     = {English},
  urldate      = {2022-03-18},
}
SamSam
2018-11-28Department of JusticeOffice of Public Affairs
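@online{affairs:20181128:two:9032b25,
  author       = {{Office of Public Affairs}},
  title        = {{Two Iranian Men Indicted for Deploying Ransomware to Extort Hospitals, Municipalities, and Public Institutions, Causing Over \$30 Million in Losses}},
  date         = {2018-11-28},
  organization = {Department of Justice},
  url          = {https://www.justice.gov/opa/pr/two-iranian-men-indicted-deploying-ransomware-extort-hospitals-municipalities-and-public},
  language     = {English},
  urldate      = {2020-01-08},
}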
SamSam
2018-09-11Sophos Naked SecurityMark Stockley
@online{stockley:20180911:rise:3ecf259,
  author       = {Mark Stockley},
  title        = {{The Rise of Targeted Ransomware}},
  date         = {2018-09-11},
  organization = {Sophos Naked Security},
  url          = {https://nakedsecurity.sophos.com/2018/09/11/the-rise-of-targeted-ransomware/},
  language     = {English},
  urldate      = {2022-03-22},
}
Dharma FriedEx SamSam
2018-08-02Sophos Naked SecurityMark Stockley
@online{stockley:20180802:how:01d1686,
  author       = {Mark Stockley},
  title        = {{How to defend yourself against SamSam ransomware}},
  date         = {2018-08-02},
  organization = {Sophos Naked Security},
  url          = {https://nakedsecurity.sophos.com/2018/08/02/how-to-defend-yourself-against-samsam-ransomware/},
  language     = {English},
  urldate      = {2022-03-22},
}
SamSam
2018-08-01SophosLabsPeter Mackenzie, Dorka Palotay, Andrew Brandt, Mark Stockley, Luca Nagy, Simon Porter, Hajnalka Kope, Claire Mackenzie
@techreport{mackenzie:20180801:samsam:73fdb9a,
  author       = {Peter Mackenzie and Dorka Palotay and Andrew Brandt and Mark Stockley and Luca Nagy and Simon Porter and Hajnalka Kope and Claire Mackenzie},
  title        = {{SamSam: The (Almost) Six Million Dollar Ransomware}},
  date         = {2018-08-01},
  institution  = {SophosLabs},
  url          = {https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf},
  language     = {English},
  urldate      = {2022-03-22},
}
SamSam
2018-07-31SophosLabs UncutAndrew Brandt
@online{brandt:20180731:sophos:908af44,
  author       = {Andrew Brandt},
  title        = {{Sophos releases SamSam ransomware report}},
  date         = {2018-07-31},
  organization = {SophosLabs Uncut},
  url          = {https://news.sophos.com/en-us/2018/07/31/sophoslabs-releases-samsam-ransomware-report/},
  language     = {English},
  urldate      = {2022-03-18},
}
SamSam
2018-07-31Sophos Naked SecurityMark Stockley
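@online{stockley:20180731:samsam:c70ea01,
  author       = {Mark Stockley},
  title        = {{SamSam: The (almost) \$6 million ransomware}},
  date         = {2018-07-31},
  organization = {Sophos Naked Security},
  url          = {https://nakedsecurity.sophos.com/2018/07/31/samsam-the-almost-6-million-ransomware/},
  language     = {English},
  urldate      = {2022-03-22},
}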
SamSam
2018-07-31SophosLabs UncutAndrew Brandt
@online{brandt:20180731:samsam:68f06ce,
  author       = {Andrew Brandt},
  title        = {{SamSam guide to coverage}},
  date         = {2018-07-31},
  organization = {SophosLabs Uncut},
  url          = {https://news.sophos.com/en-us/2018/07/31/samsam-guide-to-coverage/},
  language     = {English},
  urldate      = {2022-03-18},
}
SamSam
2018-05-21CrowdStrikeKaran Sood
@online{sood:20180521:indepth:247dedb,
  author       = {Karan Sood},
  title        = {{An In-Depth Analysis of Samsam Ransomware and BOSS SPIDER}},
  date         = {2018-05-21},
  organization = {CrowdStrike},
  url          = {https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/},
  language     = {English},
  urldate      = {2019-12-20},
}
SamSam
2018-04SophosDorka Palotay, Peter Mackenzie
@online{palotay:201804:samsam:9ca3687,
  author       = {Dorka Palotay and Peter Mackenzie},
  title        = {{SamSam Ransomware Chooses Its Targets Carefully}},
  date         = {2018-04},
  organization = {Sophos},
  url          = {https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/samsam-ransomware-chooses-its-targets-carefully-wpna.aspx},
  language     = {English},
  urldate      = {2019-12-20},
}
SamSam
2018-02-15SecureworksCounter Threat Unit ResearchTeam
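@online{researchteam:20180215:samsam:bd6d65d,
  author       = {{Counter Threat Unit ResearchTeam}},
  title        = {{SamSam Ransomware Campaigns}},
  date         = {2018-02-15},
  organization = {Secureworks},
  url          = {https://www.secureworks.com/research/samsam-ransomware-campaigns},
  language     = {English},
  urldate      = {2021-05-28},
}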
MimiKatz reGeorg SamSam BOSS SPIDER
2018-02-15SecureworksCounter Threat Unit ResearchTeam
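@online{researchteam:20180215:samsam:cb3f804,
  author       = {{Counter Threat Unit ResearchTeam}},
  title        = {{SamSam: Converting Opportunity into Profit}},
  date         = {2018-02-15},
  organization = {Secureworks},
  url          = {https://www.secureworks.com/blog/samsam-converting-opportunity-into-profit},
  language     = {English},
  urldate      = {2021-05-28},
}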
SamSam BOSS SPIDER
2018-01-22Talos IntelligenceVitor Ventura
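@online{ventura:20180122:samsam:eb2f449,
  author       = {Vitor Ventura},
  title        = {{SamSam - The Evolution Continues Netting Over \$325,000 in 4 Weeks}},
  date         = {2018-01-22},
  organization = {Talos Intelligence},
  url          = {http://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html},
  language     = {English},
  urldate      = {2019-10-14},
}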
SamSam
2017-10-11FBIFBI
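@online{fbi:20171011:wanted:4a62837,
  author       = {{FBI}},
  title        = {{Wanted By The FBI: SamSam Subjects}},
  date         = {2017-10-11},
  organization = {FBI},
  url          = {https://www.justice.gov/opa/press-release/file/1114746/download},
  language     = {English},
  urldate      = {2022-03-18},
}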
SamSam
2016-05-03SecureworksKevin Strickland
@online{strickland:20160503:continuing:b510b54,
  author       = {Kevin Strickland},
  title        = {{The Continuing Evolution of Samas Ransomware}},
  date         = {2016-05-03},
  organization = {Secureworks},
  url          = {https://www.secureworks.com/blog/samas-ransomware},
  language     = {English},
  urldate      = {2021-05-28},
}
SamSam BOSS SPIDER
2016-03-30SecureworksCounter Threat Unit ResearchTeam
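@online{researchteam:20160330:ransomware:d1b6fe3,
  author       = {{Counter Threat Unit ResearchTeam}},
  title        = {{Ransomware Deployed by Adversary with Established Foothold}},
  date         = {2016-03-30},
  organization = {Secureworks},
  url          = {https://www.secureworks.com/blog/ransomware-deployed-by-adversary},
  language     = {English},
  urldate      = {2021-05-28},
}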
MimiKatz reGeorg SamSam BOSS SPIDER
2016-03-23Cisco TalosCisco Talos
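@online{talos:20160323:samsam:39997dd,
  author       = {{Cisco Talos}},
  title        = {{SamSam: The Doctor Will See You, After He Pays The Ransom}},
  date         = {2016-03-23},
  organization = {Cisco Talos},
  url          = {http://blog.talosintel.com/2016/03/samsam-ransomware.html},
  language     = {English},
  urldate      = {2020-01-13},
}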
SamSam
2015-06-03ClearSkyClearSky Research Team
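@comment{ NOTE(review): the url points to a 2018 nakedsecurity.sophos.com SamSam article, not to the 2015 ClearSky Thamar Reservoir report named in title and organization; the metadata and the link do not describe the same document, so this reference must be checked and one side corrected before it is cited. }
@online{team:20150603:thamar:76c9ca9,
  author       = {{ClearSky Research Team}},
  title        = {{Thamar Reservoir – An Iranian cyber-attack campaign against targets in the Middle East}},
  date         = {2015-06-03},
  organization = {ClearSky},
  url          = {https://nakedsecurity.sophos.com/2018/05/01/samsam-ransomware-a-mean-old-dog-with-a-nasty-new-trick-report/},
  language     = {English},
  urldate      = {2019-10-12},
}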
SamSam
Yara Rules
[TLP:WHITE] win_samsam_auto (20200421 | autogenerated rule brought to you by yara-signator)
rule win_samsam_auto {

    // Auto-generated opcode-sequence signature for the SamSam family (see meta below).
    // Each $sequence_N is a run of x86 instruction bytes taken from the reference
    // samples; the "????????" bytes behind e8/e9 (call/jmp rel32) are wildcards, so a
    // sequence matches regardless of where those branches land in a given build.
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-04-21"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.3.1"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.samsam"
        malpedia_version = "20200421"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // For each sequence, "n" is its instruction count (it equals the number of listed
    // opcodes); "score" is a yara-signator ranking whose scale is not documented here,
    // so it should not be read as a match weight.
    strings:
        $sequence_0 = { 082b c883e10f 03c1 1bc9 0bc1 59 e9???????? }
            // n = 7, score = 200
            //   082b                 | or                  byte ptr [ebx], ch
            //   c883e10f             | enter               -0x1e7d, 0xf
            //   03c1                 | add                 eax, ecx
            //   1bc9                 | sbb                 ecx, ecx
            //   0bc1                 | or                  eax, ecx
            //   59                   | pop                 ecx
            //   e9????????           |                     

        // NOTE(review): $sequence_1 .. $sequence_4 all begin with a lone 0xec byte that
        // the listing decodes as "in al, dx"; this is likely the trailing byte of an
        // 8b ec (mov ebp, esp) prologue cut at the sequence boundary rather than a real
        // I/O instruction -- confirm against the source disassembly before relying on it.
        $sequence_1 = { ec 8b4508 56 33f6 3bc6 751d e8???????? }
            // n = 7, score = 200
            //   ec                   | in                  al, dx
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   56                   | push                esi
            //   33f6                 | xor                 esi, esi
            //   3bc6                 | cmp                 eax, esi
            //   751d                 | jne                 0x1f
            //   e8????????           |                     

        $sequence_2 = { ec 83ec10 53 ff7510 8d4df0 e8???????? }
            // n = 6, score = 100
            //   ec                   | in                  al, dx
            //   83ec10               | sub                 esp, 0x10
            //   53                   | push                ebx
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   8d4df0               | lea                 ecx, [ebp - 0x10]
            //   e8????????           |                     

        $sequence_3 = { ec 83ec10 53 33db 56 57 }
            // n = 6, score = 100
            //   ec                   | in                  al, dx
            //   83ec10               | sub                 esp, 0x10
            //   53                   | push                ebx
            //   33db                 | xor                 ebx, ebx
            //   56                   | push                esi
            //   57                   | push                edi

        $sequence_4 = { ec 6a0a 6a00 ff7508 e8???????? }
            // n = 5, score = 100
            //   ec                   | in                  al, dx
            //   6a0a                 | push                0xa
            //   6a00                 | push                0
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     

    condition:
        // NOTE(review): only five $sequence_* strings are declared above, but "7 of them"
        // requires seven distinct string matches -- as shown, this condition can never be
        // satisfied. Confirm the rule has not been truncated; if it really has five
        // strings, the threshold must be lowered or the rule regenerated.
        // The filesize cap excludes any input of 483328 bytes or more, including larger
        // memory dumps, regardless of how many sequences it contains.
        7 of them and filesize < 483328
}