{
	"id": "6a0e68a9-5cca-4ba5-a9e0-fbe880b4411c",
	"created_at": "2026-04-06T00:09:26.322028Z",
	"updated_at": "2026-04-10T13:11:42.24704Z",
	"deleted_at": null,
	"sha1_hash": "4009d9fd8bfadc575825296a663786602d017848",
	"title": "SamSam: Targeted Ransomware Attacks Continue",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 55123,
	"plain_text": "SamSam: Targeted Ransomware Attacks Continue\r\nArchived: 2026-04-05 22:24:57 UTC\r\nUPDATE: November 29, 2018\r\nTwo Iranian nationals have been indicted in the U.S. for their alleged involvement in SamSam attacks. The FBI\r\nestimated that the SamSam group had received $6 million in ransom payments to date and caused over $30\r\nmillion in losses to victims.\r\nThe group behind the SamSam ransomware (Ransom.SamSam) has continued to mount attacks against entire\r\norganizations during 2018, with fresh attacks seen against 67 different targets, mostly located in the U.S.\r\nSamSam specializes in targeted ransomware attacks, breaking into networks and encrypting multiple computers\r\nacross an organization before issuing a high-value ransom demand. The group is believed to be behind the attack\r\non the city of Atlanta in March, which saw numerous municipal computers encrypted. The clean-up costs for the\r\nattack are expected to run to over $10 million.\r\nThe group was also linked to the attack on the Colorado Department of Transportation, which resulted in clean-up\r\ncosts of $1.5 million.\r\nHeavy concentration on the U.S.\r\nDuring 2018, Symantec has to date found evidence of attacks against 67 different organizations. SamSam targeted\r\norganizations in a wide range of sectors, but healthcare was by far the most affected sector, accounting for 24\r\npercent of attacks in 2018.\r\nWhy healthcare was a particular focus remains unknown. The attackers may believe that healthcare organizations\r\nare easier to infect. Or they may believe that these organizations are more likely to pay the ransom.\r\nA number of local government organizations in the U.S. were also targeted by the group and at least one of these\r\norganizations is involved in administering elections. With the midterm elections in the U.S. taking place on\r\nNovember 6, the focus is naturally on cyber information operations and threats to voting data integrity. 
However,\r\nransomware campaigns such as SamSam can also be significantly disruptive to government organizations and\r\ntheir operations.\r\nThe vast majority of SamSam’s targets are located in the U.S. Of the 67 organizations targeted during 2018, 56\r\nwere located in the U.S. A small number of attacks were logged in Portugal, France, Australia, Ireland, and Israel.\r\nWhile most ransomware families are spread indiscriminately, usually via spam emails or exploit kits, SamSam is\r\nused in a targeted fashion. The SamSam group’s modus operandi is to gain access to an organization’s network,\r\nspend time performing reconnaissance by mapping out the network, before encrypting as many computers as\r\npossible and presenting the organization with a single ransom demand.\r\nhttps://www.symantec.com/blogs/threat-intelligence/samsam-targeted-ransomware-attacks\r\nPage 1 of 3\n\nThe attackers have been known to offer to decrypt all computers for a set ransom and/or offer to decrypt\r\nindividual machines for a lower fee. In many cases, ransom demands can run to tens of thousands of dollars to\r\ndecrypt all affected computers in an organization. If successful, these attacks can have a devastating impact on\r\nvictim organizations, seriously disrupting their operations, destroying business critical information, and leading to\r\nmassive clean-up costs.\r\nHow SamSam compromises organizations\r\nThe attackers behind SamSam go to great lengths to infect as many computers as possible in a targeted\r\norganization. 
Multiple software tools are used to carry out an attack and, in many cases, the entire process can take\r\ndays to complete.\r\nIn order to carry out its attacks, the SamSam group makes extensive use of “living off the land” tactics: the use of\r\noperating system features or legitimate network administration tools to compromise victims’ networks.\r\nThese tactics are frequently used by espionage groups in order to maintain a low profile on the target’s network.\r\nBy making their activity appear like legitimate processes, they hope to hide in plain sight.\r\nFor example, in one attack that took place in February 2018, more than 48 hours passed between the first evidence\r\nof intrusion and the eventual encryption of hundreds of computers in the targeted organization.\r\nThe first sign of an intrusion came when the attackers downloaded several hacking tools onto a computer in the\r\ntargeted organization. Ten minutes later, the attackers began running scripts in order to identify and scan other\r\ncomputers on the organization’s network. They used PsInfo, a Microsoft Sysinternals tool that allows the user to\r\ngather information about other computers on the network. This could allow them to identify the software installed\r\non these computers. PsInfo may have been used to identify systems with business-critical files that could be\r\nencrypted for ransom. The attackers also used the freely available hacking tool Mimikatz (Hacktool.Mimikatz)\r\nagainst selected computers to steal passwords.\r\nAfter this initial flurry of activity, the attackers returned two days later and, shortly after 5 a.m., loaded the\r\nSamSam ransomware onto the initial computer. Interestingly, two different versions of SamSam were loaded. It is\r\nlikely that two versions were used in order to have an alternative at hand in case one version was detected by\r\nsecurity software.\r\nAn hour later, the attackers began executing SamSam on multiple computers across the organization’s network. 
This\r\noperation was carried out using PsExec, another Microsoft Sysinternals tool, which is used for executing\r\nprocesses on other systems. Five hours later, just under 250 computers on the network had been encrypted.\r\nOngoing and potent threat\r\nSamSam continues to pose a grave threat to organizations in the U.S. The group is skilled and resourceful, capable\r\nof using tactics and tools more commonly seen in espionage attacks.\r\nA successful SamSam attack will likely be highly disruptive to any affected organizations. In the worst-case\r\nscenario, if no backups are available or if backups are encrypted by SamSam, valuable data could be permanently\r\nlost in an attack. Even if an organization does have backups, restoring affected computers and cleaning up the\r\nnetwork will cost time and money and may lead to reputational damage.\r\nProtection\r\nThe following protections are in place to protect customers against SamSam attacks:\r\n \r\nRansom.SamSam\r\nHacktool.Mimikatz\r\nIn addition, Symantec’s Targeted Attack Analytics (TAA) is able to identify and flag “living off the land” activity\r\nassociated with targeted attacks such as SamSam. To find out more about TAA, read our white paper Targeted\r\nAttack Analytics: Using Cloud-based Artificial Intelligence for Enterprise-Focused Advanced Threat Protection.\r\nBest practices\r\nBacking up important data is one of the key pillars of combating ransomware infections. However, as there have\r\nbeen cases of ransomware encrypting backups, it should not be a replacement for a robust security strategy.\r\nVictims need to be aware that paying the ransom does not always work. 
Attackers may not send a decryption key,\r\ncould poorly implement the decryption process and damage files, and may deliver a larger ransom demand after\r\nreceiving the initial payment.\r\nSource: https://www.symantec.com/blogs/threat-intelligence/samsam-targeted-ransomware-attacks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.symantec.com/blogs/threat-intelligence/samsam-targeted-ransomware-attacks"
	],
	"report_names": [
		"samsam-targeted-ransomware-attacks"
	],
	"threat_actors": [],
	"ts_created_at": 1775434166,
	"ts_updated_at": 1775826702,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4009d9fd8bfadc575825296a663786602d017848.pdf",
		"text": "https://archive.orkl.eu/4009d9fd8bfadc575825296a663786602d017848.txt",
		"img": "https://archive.orkl.eu/4009d9fd8bfadc575825296a663786602d017848.jpg"
	}
}