win.samsam (Back to overview)


aka: Samas

Actor(s): Boss Spider


According to PCrisk, Samsam is high-risk ransomware designed to infect unpatched servers and encrypt files stored on computers networked to the infected server.

2022-03-17SophosTilly Travers
The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2021-12-28The RecordCatalin Cimpanu
Iranian hackers behind Cox Media Group ransomware attack (DEV-0270)
2020-09-25CrowdStrikeThe Crowdstrike Intel Team
Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer FriedEx LockBit Maze MedusaLocker RagnarLocker REvil RobinHood SamSam WastedLocker MIMIC SPIDER PIZZO SPIDER TA2101 VIKING SPIDER
2020-09-24CrowdStrikeCrowdStrike Intelligence Team
Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer Gandcrab LockBit Maze MedusaLocker RagnarLocker SamSam OUTLAW SPIDER OVERLORD SPIDER
2020-08-01Temple UniversityCARE
Critical Infrastructure Ransomware Attacks
CryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor
2020-03-05MicrosoftMicrosoft Threat Protection Intelligence Team
Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor PARINACOTA
2020-02-25RSA ConferenceJoel DeCapua
Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Rapid Ransom REvil Ryuk SamSam Zeus
État de la menace rançongiciel
Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam
2020-01-17SecureworksKeita Yamazaki, Tamada Kiyotaka, You Nakatsuru
Is It Wrong to Try to Find APT Techniques in Ransomware Attack?
Defray Dharma FriedEx Gandcrab GlobeImposter Matrix Ransom MedusaLocker Phobos REvil Ryuk SamSam Scarab Ransomware
2019-05-08Verizon Communications Inc.Verizon Communications Inc.
2019 Data Breach Investigations Report
BlackEnergy Cobalt Strike DanaBot Gandcrab GreyEnergy Mirai Olympic Destroyer SamSam
2018-11-29SophosLabs UncutAndrew Brandt
How a SamSam-like attack happens, and what you can do about it
2018-11-28Department of JusticeOffice of Public Affairs
Two Iranian Men Indicted for Deploying Ransomware to Extort Hospitals, Municipalities, and Public Institutions, Causing Over $30 Million in Losses
2018-09-11Sophos Naked SecurityMark Stockley
The Rise of Targeted Ransomware
Dharma FriedEx SamSam
2018-08-02Sophos Naked SecurityMark Stockley
How to defend yourself against SamSam ransomware
2018-08-01SophosLabsAndrew Brandt, Claire Mackenzie, Dorka Palotay, Hajnalka Kope, Luca Nagy, Mark Stockley, Peter Mackenzie, Simon Porter
SamSam: The (Almost) Six Million Dollar Ransomware
2018-07-31Sophos Naked SecurityMark Stockley
SamSam: The (almost) $6 million ransomware
2018-07-31SophosLabs UncutAndrew Brandt
SamSam guide to coverage
2018-07-31SophosLabs UncutAndrew Brandt
Sophos releases SamSam ransomware report
2018-05-21CrowdStrikeKaran Sood
An In-Depth Analysis of Samsam Ransomware and BOSS SPIDER
2018-04-01SophosDorka Palotay, Peter Mackenzie
SamSam Ransomware Chooses Its Targets Carefully
2018-02-15SecureworksCounter Threat Unit ResearchTeam
SamSam Ransomware Campaigns
MimiKatz reGeorg SamSam BOSS SPIDER
2018-02-15SecureworksCounter Threat Unit ResearchTeam
SamSam: Converting Opportunity into Profit
2018-01-22Talos IntelligenceVitor Ventura
SamSam - The Evolution Continues Netting Over $325,000 in 4 Weeks
Wanted By The FBI: SamSam Subjects
2016-05-03SecureworksKevin Strickland
The Continuing Evolution of Samas Ransomware
2016-03-30SecureworksCounter Threat Unit ResearchTeam
Ransomware Deployed by Adversary with Established Foothold
MimiKatz reGeorg SamSam BOSS SPIDER
2016-03-23Cisco TalosCisco Talos
SamSam: The Doctor Will See You, After He Pays The Ransom
2015-06-03ClearSkyClearSky Research Team
Thamar Reservoir – An Iranian cyber-attack campaign against targets in the Middle East
Yara Rules
[TLP:WHITE] win_samsam_auto (20200421 | autogenerated rule brought to you by yara-signator)
rule win_samsam_auto {

        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-04-21"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.3.1"
        malpedia_reference = ""
        malpedia_version = "20200421"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.

        $sequence_0 = { 082b c883e10f 03c1 1bc9 0bc1 59 e9???????? }
            // n = 7, score = 200
            //   082b                 | or                  byte ptr [ebx], ch
            //   c883e10f             | enter               -0x1e7d, 0xf
            //   03c1                 | add                 eax, ecx
            //   1bc9                 | sbb                 ecx, ecx
            //   0bc1                 | or                  eax, ecx
            //   59                   | pop                 ecx
            //   e9????????           |                     

        $sequence_1 = { ec 8b4508 56 33f6 3bc6 751d e8???????? }
            // n = 7, score = 200
            //   ec                   | in                  al, dx
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   56                   | push                esi
            //   33f6                 | xor                 esi, esi
            //   3bc6                 | cmp                 eax, esi
            //   751d                 | jne                 0x1f
            //   e8????????           |                     

        $sequence_2 = { ec 83ec10 53 ff7510 8d4df0 e8???????? }
            // n = 6, score = 100
            //   ec                   | in                  al, dx
            //   83ec10               | sub                 esp, 0x10
            //   53                   | push                ebx
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   8d4df0               | lea                 ecx, [ebp - 0x10]
            //   e8????????           |                     

        $sequence_3 = { ec 83ec10 53 33db 56 57 }
            // n = 6, score = 100
            //   ec                   | in                  al, dx
            //   83ec10               | sub                 esp, 0x10
            //   53                   | push                ebx
            //   33db                 | xor                 ebx, ebx
            //   56                   | push                esi
            //   57                   | push                edi

        $sequence_4 = { ec 6a0a 6a00 ff7508 e8???????? }
            // n = 5, score = 100
            //   ec                   | in                  al, dx
            //   6a0a                 | push                0xa
            //   6a00                 | push                0
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     

        all of them and filesize < 483328
Download all Yara Rules