{
	"id": "f80314d7-e1e1-4ba2-a4ee-5074d7343bfb",
	"created_at": "2026-04-06T00:06:08.590926Z",
	"updated_at": "2026-04-10T03:20:48.898046Z",
	"deleted_at": null,
	"sha1_hash": "59b6f4c53f860ec7c911385abb9f52572cc87117",
	"title": "SamSam: The Doctor Will See You, After He Pays The Ransom",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 418020,
	"plain_text": "SamSam: The Doctor Will See You, After He Pays The Ransom\r\nBy Nick Biasini\r\nPublished: 2016-03-23 · Archived: 2026-04-05 15:40:50 UTC\r\nWednesday, March 23, 2016 16:38\r\nCisco Talos is currently observing a widespread campaign leveraging the Samas/Samsam/MSIL.B/C ransomware\r\nvariant. Unlike most ransomware, SamSam is not launched via user-focused attack vectors, such as phishing\r\ncampaigns and exploit kits. This particular family seems to be distributed by compromising servers and using\r\nthem as a foothold to move laterally through the network to compromise additional machines, which are then held\r\nfor ransom. A particular focus appears to have been placed on the healthcare industry.\r\nAdversaries have been seen leveraging JexBoss, an open source tool for testing and exploiting JBoss application\r\nservers, to gain a foothold in the network. Once they have access to the network, they proceed to encrypt multiple\r\nWindows systems using SamSam.\r\nTechnical Details\r\nUpon compromising the system, the sample launches a samsam.exe process, which begins encrypting files on the system.\r\nSamSam encrypts various file types (see Appendix A) with Rijndael and then encrypts the Rijndael key with 2048-bit RSA.\r\nThis makes the files unrecoverable unless the author made a mistake in the implementation of the\r\nencryption algorithms. The adversaries behind this ransomware variant did not go to any length to disguise or\r\ncover up the ransomware activity on the system. The samples Talos obtained are not packed and do not contain\r\nanti-debugging features.\r\nOne interesting note regarding the samples Talos has observed is that the malware will abort the encryption\r\nroutine if the system is running a version of Microsoft Windows prior to Vista. This is likely done for\r\ncompatibility reasons.\r\nhttp://blog.talosintel.com/2016/03/samsam-ransomware.html\r\nPage 1 of 6\n\n
Once installed on a machine there is no beaconing or C2 activity. The ransomware is\r\neffectively self-sufficient.\r\nBelow is an example of the communication between a victim and the adversaries. Notice that in this instance the\r\nvictim initially paid for one PC and followed up by paying for all affected PCs.\r\nTools\r\nA couple of open source tools were seen being leveraged by the adversaries. The first is JexBoss,\r\nwhich is a testing and exploitation framework for JBoss application servers. This was being used as an initial\r\ninfection vector to gain a foothold in the network to spread the ransomware. The second is a component of\r\nREGeorg, tunnel.jsp. REGeorg is an open source framework for creating SOCKS proxies for communication. The file\r\nfound in the samples is an unmodified version of the tunnel.jsp file hosted by REGeorg\r\n(b963b8b8c5ca14c792d2d3c8df31ee058de67108350a66a65e811fd00c9a340c).\r\nPayment Evolution\r\nAs we have monitored this activity, we have started to see changes in the amount and types of payment options\r\navailable to victims. Initially, we saw a payment option of 1 bitcoin for each PC that had been infected.\r\nLater we saw the price for a single system raised to 1.5 bitcoin. It is likely the malware author is trying to\r\nsee how much people will pay for their files. They even added an option for bulk decryption of 22 bitcoin to\r\ndecrypt all infected systems. Below is an example of this evolution.\r\nOthers have also seen samples that have increased the payment amount to 1.7 bitcoin per PC. During our\r\ninvestigation we found multiple different bitcoin wallets being presented to users; some had 0 bitcoins associated\r\nwith them, others had significant amounts. 
The total amount of bitcoin in these wallets was at least ~275, which\r\nequates to approximately $115,000 USD. Below is a screen capture showing some of the obfuscated wallets. They\r\nhave been obfuscated so that we can continue to monitor their activity.\r\nIOCs\r\nHashes\r\nConclusion\r\nThe SamSam campaign is unusual in that it takes advantage of remote execution techniques instead of\r\ntargeting the user. Adversaries are exploiting known vulnerabilities in unpatched JBoss servers before installing a\r\nweb shell, identifying further network-connected systems, and installing SamSam ransomware to encrypt files on\r\nthese devices.\r\nRansomware continues to persist as a successful cyber crime business model. This technique is proving to be a\r\nprofitable affair for criminals and will continue to be a threat to the internet at large until a more profitable\r\ntechnique is discovered. 
Protection against such threats is best achieved using a multi-tier defense architecture to\r\nensure potential threats are scanned multiple times. However, one of the most effective ways to protect yourself is\r\nby simply backing up valuable files. Victims often find that at the moment when backups are most needed, they\r\nare either non-existent or incomplete. These lapses provide the revenue stream that is currently fueling the\r\ndevelopment of ransomware.\r\nCoverage\r\nThe following Snort rules and ClamAV signatures address this threat. Please note that additional rules may be\r\nreleased at a future date and current rules are subject to change pending additional vulnerability information. For\r\nthe most current rule information, please refer to your Defense Center, FireSIGHT Management Center or\r\nSnort.org.\r\nSnort Rules\r\nJBoss Server Vulnerabilities: 18794, 21516-21517, 24342-24343, 24642, 29909\r\nSamsam Malware: 38279-38280, 38304\r\nClamAV Signature Family: Win.Trojan.Samas\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) can detect and prevent the execution of this malware on targeted systems.\r\nCWS or WSA web scanning can prevent access to malicious websites and detect malware used in these attacks.\r\nNetwork Security encompasses IPS and NGFW. 
Both have up-to-date signatures to detect malicious network\r\nactivity that this campaign exhibits.\r\nReferences\r\nhttps://blogs.technet.microsoft.com/mmpc/2016/03/17/no-mas-samas-whats-in-this-ransomwares-modus-operandi/\r\nhttp://www.intelsecurity.com/advanced-threat-research/content/Analysis_SamSa_Ransomware.pdf\r\nhttp://www.bleepingcomputer.com/forums/t/607818/encedrsa-ransomware-support-and-help-topic-help-decrypttxt/\r\nAppendix A: File Types Targeted for Encryption\r\nThe following file types are targeted for encryption:\r\n.3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .7z, .ab4, .accdb, .accde, .accdr, .accdt, .ach, .acr, .act, .adb, .ads, .agdl, .ai, .ait,\r\n.al, .apj, .arw, .asf, .asm, .asp, .aspx, .asx, .avi, .awg, .back, .backup, .backupdb, .bak, .bank, .bay, .bdb, .bgt, .bik,\r\n.bkf, .bkp, .blend, .bpw, .c, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfp, .cgm, .cib, .class,\r\n.cls, .cmt, .cpi, .cpp, .cr2, .craw, .crt, .crw, .cs, .csh, .csl, .csv, .dac, .db, .db-journal, .db3, .dbf, .dbx, .dc2, .dcr, .dcs,\r\n.ddd, .ddoc, .ddrw, .dds, .der, .des, .design, .dgc, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd,\r\n.dwg, .dxb, .dxf, .dxg, .eml, .eps, .erbsql, .erf, .exf, .fdb, .ffd, .fff, .fh, .fhd, .fla, .flac, .flv, .fmb, .fpx, .fxg, .gray,\r\n.grey, .gry, .h, .hbk, .hpp, .htm, .html, .ibank, .ibd, .ibz, .idx, .iif, .iiq, .incpas, .indd, .jar, .java, .jin, .jpe, .jpeg, .jpg,\r\n.jsp, .kbx, .kc2, .kdbx, .kdc, .key, .kpdx, .lua, .m, .m4v, .max, .mdb, .mdc, .mdf, .mef, .mfw, .mmw, .moneywell,\r\n.mos, .mov, .mp3, .mp4, .mpg, .mrw, .msg, .myd, .nd, .ndd, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg,\r\n.nsh, .nwb, .nx2, .nxl, .nyf, .oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .oil, .orf, .ost, .otg, .oth, .otp,\r\n.ots, .ott, .p12, .p7b, .p7c, .pab, .pages, .pas, .pat, .pbl, .pcd, .pct, .pdb, .pdd, .pdf, 
.pef, .pem, .pfx, .php, .php5,\r\n.phtml, .pl, .plc, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prf, .ps, .psafe3, .psd,\r\n.pspimage, .pst, .ptx, .py, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .r3d, .raf, .rar, .rat, .raw, .rdb, .rm, .rtf, .rw2, .rwl,\r\n.rwz, .s3db, .sas7bdat, .say, .sd0, .sda, .sdf, .sldm, .sldx, .sql, .sqlite, .sqlite3, .sqlitedb, .sr2, .srf, .srt, .srw, .st4, .st5,\r\n.st6, .st7, .st8, .std, .sti, .stw, .stx, .svg, .swf, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .tex, .tga, .thm, .tib, .tif, .tlg, .txt,\r\n.vob, .wallet, .war, .wav, .wb2, .wmv, .wpd, .wps, .x11, .x3f, .xis, .xla, .xlam, .xlk, .xlm, .xlr, .xls, .xlsb, .xlsm,\r\n.xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .ycbcra, .yuv, .zip\r\nSource: http://blog.talosintel.com/2016/03/samsam-ransomware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"http://blog.talosintel.com/2016/03/samsam-ransomware.html"
	],
	"report_names": [
		"samsam-ransomware.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775433968,
	"ts_updated_at": 1775791248,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/59b6f4c53f860ec7c911385abb9f52572cc87117.pdf",
		"text": "https://archive.orkl.eu/59b6f4c53f860ec7c911385abb9f52572cc87117.txt",
		"img": "https://archive.orkl.eu/59b6f4c53f860ec7c911385abb9f52572cc87117.jpg"
	}
}