{
	"id": "341c558a-2bff-4c75-8ae0-47ecf9fc4d57",
	"created_at": "2026-04-06T00:21:43.329013Z",
	"updated_at": "2026-04-10T13:11:46.068821Z",
	"deleted_at": null,
	"sha1_hash": "3a6f7d73fa9b307a0fb6cc882baaab5118dceedc",
	"title": "SamSam Ransomware | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 64121,
	"plain_text": "SamSam Ransomware | CISA\r\nPublished: 2018-12-03 · Archived: 2026-04-05 13:52:08 UTC\r\nSummary\r\nThe Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center\r\n(NCCIC) and the Federal Bureau of Investigation (FBI) are issuing this activity alert to inform computer network\r\ndefenders about SamSam ransomware, also known as MSIL/Samas.A. Specifically, this product shares analysis of\r\nvulnerabilities that cyber actors exploited to deploy this ransomware. In addition, this report provides\r\nrecommendations for prevention and mitigation.\r\nThe SamSam actors targeted multiple industries, including some within critical infrastructure. Victims were\r\nlocated predominantly in the United States, but also internationally. Network-wide infections against organizations\r\nare far more likely to garner large ransom payments than infections of individual systems. Organizations that\r\nprovide essential functions have a critical need to resume operations quickly and are more likely to pay larger\r\nransoms.\r\nThe actors exploit Windows servers to gain persistent access to a victim’s network and infect all reachable hosts.\r\nAccording to reporting from victims in early 2016, cyber actors used the JexBoss Exploit Kit to access vulnerable\r\nJBoss applications. Since mid-2016, FBI analysis of victims’ machines indicates that cyber actors use Remote\r\nDesktop Protocol (RDP) to gain persistent access to victims’ networks. Typically, actors either use brute force\r\nattacks or stolen login credentials. Detecting RDP intrusions can be challenging because the malware enters\r\nthrough an approved access point.\r\nAfter gaining access to a particular network, the SamSam actors escalate privileges for administrator rights, drop\r\nmalware onto the server, and run an executable file, all without victims’ action or authorization. While many\r\nransomware campaigns rely on a victim completing an action, such as opening an email or visiting a compromised\r\nwebsite, RDP allows cyber actors to infect victims with minimal detection.\r\nAnalysis of tools found on victims’ networks indicated that successful cyber actors purchased several of the stolen\r\nRDP credentials from known darknet marketplaces. FBI analysis of victims’ access logs revealed that the SamSam\r\nactors can infect a network within hours of purchasing the credentials. While remediating infected systems,\r\nseveral victims found suspicious activity on their networks unrelated to SamSam. This activity is a possible\r\nindicator that the victims’ credentials were stolen, sold on the darknet, and used for other illegal activity.\r\nSamSam actors leave ransom notes on encrypted computers. These instructions direct victims to establish contact\r\nthrough a Tor hidden service site. After paying the ransom in Bitcoin and establishing contact, victims usually\r\nreceive links to download cryptographic keys and tools to decrypt their network.\r\nTechnical Details\r\nhttps://www.us-cert.gov/ncas/alerts/AA18-337A\r\nPage 1 of 3\n\nNCCIC recommends organizations review the following SamSam Malware Analysis Reports. The reports\r\nrepresent four SamSam malware variants. This is not an exhaustive list.\r\nMAR-10219351.r1.v2 – SamSam1\r\nMAR-10166283.r1.v1 – SamSam2\r\nMAR-10158513.r1.v1 – SamSam3\r\nMAR-10164494.r1.v1 – SamSam4\r\nFor general information on ransomware, see the NCCIC Security Publication at Stop Ransomware.\r\nMitigations\r\nDHS and FBI recommend that users and administrators consider using the following best practices to strengthen\r\nthe security posture of their organization's systems. System owners and administrators should review any\r\nconfiguration changes before implementation to avoid unwanted impacts.\r\nAudit your network for systems that use RDP for remote communication. Disable the service if unneeded\r\nor install available patches. Users may need to work with their technology vendors to confirm that patches\r\nwill not affect system processes.\r\nVerify that all cloud-based virtual machine instances with public IPs have no open RDP ports, especially\r\nport 3389, unless there is a valid business reason to keep open RDP ports. Place any system with an open\r\nRDP port behind a firewall and require users to use a virtual private network (VPN) to access that system.\r\nEnable strong passwords and account lockout policies to defend against brute force attacks.\r\nWhere possible, apply two-factor authentication.\r\nRegularly apply system and software updates.\r\nMaintain a good back-up strategy.\r\nEnable logging and ensure that logging mechanisms capture RDP logins. Keep logs for a minimum of 90\r\ndays and review them regularly to detect intrusion attempts.\r\nWhen creating cloud-based virtual machines, adhere to the cloud provider’s best practices for remote\r\naccess.\r\nEnsure that third parties that require RDP access follow internal policies on remote access.\r\nMinimize network exposure for all control system devices. Where possible, disable RDP on critical\r\ndevices.\r\nRegulate and limit external-to-internal RDP connections. When external access to internal resources is\r\nrequired, use secure methods such as VPNs. Of course, VPNs are only as secure as the connected devices.\r\nRestrict users' ability (permissions) to install and run unwanted software applications.\r\nScan for and remove suspicious email attachments; ensure the scanned attachment is its \"true file type\"\r\n(i.e., the extension matches the file header).\r\nDisable file and printer sharing services. If these services are required, use strong passwords or Active\r\nDirectory authentication.\r\nAdditional information on malware incident prevention and handling can be found in Special Publication 800-83,\r\nGuide to Malware Incident Prevention and Handling for Desktops and Laptops, from the National Institute of\r\nStandards and Technology.[1]\r\nContact Information\r\nTo report an intrusion and request resources for incident response or technical assistance, contact NCCIC, FBI, or\r\nthe FBI’s Cyber Division via the following information:\r\nNCCIC\r\nSayCISA@cisa.dhs.gov\r\n1-844-Say-CISA\r\nFBI’s Cyber Division\r\nCyWatch@fbi.gov\r\n855-292-3937\r\nFBI through a local field office\r\nFeedback\r\nDHS strives to make this report a valuable tool for our partners and welcomes feedback on how this publication\r\ncould be improved. You can help by answering a few short questions about this report at the following URL:\r\nWebsite Feedback.\r\nRevisions\r\nDecember 3, 2018: Initial version\r\nSource: https://www.us-cert.gov/ncas/alerts/AA18-337A",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.us-cert.gov/ncas/alerts/AA18-337A"
	],
	"report_names": [
		"AA18-337A"
	],
	"threat_actors": [],
	"ts_created_at": 1775434903,
	"ts_updated_at": 1775826706,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3a6f7d73fa9b307a0fb6cc882baaab5118dceedc.pdf",
		"text": "https://archive.orkl.eu/3a6f7d73fa9b307a0fb6cc882baaab5118dceedc.txt",
		"img": "https://archive.orkl.eu/3a6f7d73fa9b307a0fb6cc882baaab5118dceedc.jpg"
	}
}