{
	"id": "42ad689e-f9e8-4672-9fd0-2f1b3c9fe649",
	"created_at": "2026-04-06T00:13:43.356027Z",
	"updated_at": "2026-04-10T03:36:07.85624Z",
	"deleted_at": null,
	"sha1_hash": "6e57e880781cf8fa7fa9a6e6563517bffa005a8c",
	"title": "SamSam (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 98803,
	"plain_text": "SamSam (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 20:40:57 UTC\r\nAccording to PCrisk, Samsam is high-risk ransomware designed to infect unpatched servers and encrypt files\r\nstored on computers networked to the infected server.\r\n2022-03-17 ⋅ Sophos ⋅ Tilly Travers\r\nThe Ransomware Threat Intelligence Center\r\nATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry\r\nDharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker\r\nRagnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker 2021-12-28 ⋅ The Record ⋅ Catalin\r\nCimpanu\r\nIranian hackers behind Cox Media Group ransomware attack (DEV-0270)\r\nSamSam 2020-09-25 ⋅ CrowdStrike ⋅ The Crowdstrike Intel Team\r\nDouble Trouble: Ransomware with Data Leak Extortion, Part 1\r\nDoppelPaymer FriedEx LockBit Maze MedusaLocker RagnarLocker REvil RobinHood SamSam WastedLocker\r\nMIMIC SPIDER PIZZO SPIDER TA2101 VIKING SPIDER 2020-09-24 ⋅ CrowdStrike ⋅ CrowdStrike Intelligence Team\r\nDouble Trouble: Ransomware with Data Leak Extortion, Part 1\r\nDoppelPaymer Gandcrab LockBit Maze MedusaLocker RagnarLocker SamSam OUTLAW SPIDER\r\nOVERLORD SPIDER 2020-08-01 ⋅ Temple University ⋅ CARE\r\nCritical Infrastructure Ransomware Attacks\r\nCryptoLocker Cryptowall DoppelPaymer FriedEx Mailto Maze REvil Ryuk SamSam WannaCryptor 2020-03-05 ⋅\r\nMicrosoft ⋅ Microsoft Threat Protection Intelligence Team\r\nHuman-operated ransomware attacks: A preventable disaster\r\nDharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil\r\nRobinHood Ryuk SamSam TrickBot WannaCryptor PARINACOTA 2020-02-25 ⋅ RSA Conference ⋅ Joel DeCapua\r\nFeds Fighting Ransomware: How the FBI Investigates and How You Can Help\r\nFastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Rapid Ransom REvil Ryuk\r\nSamSam Zeus 2020-01-29 ⋅ ANSSI ⋅ ANSSI\r\nÉtat de la menace 
rançongiciel\r\nClop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam 2020-01-17 ⋅\r\nSecureworks ⋅ Keita Yamazaki, Tamada Kiyotaka, You Nakatsuru\r\nIs It Wrong to Try to Find APT Techniques in Ransomware Attack?\r\nDefray Dharma FriedEx Gandcrab GlobeImposter Matrix Ransom MedusaLocker Phobos REvil Ryuk SamSam\r\nScarab Ransomware 2020-01-01 ⋅ Secureworks ⋅ SecureWorks\r\nGOLD LOWELL\r\nSamSam BOSS SPIDER 2019-05-08 ⋅ Verizon Communications Inc. ⋅ Verizon Communications Inc.\r\n2019 Data Breach Investigations Report\r\nBlackEnergy Cobalt Strike DanaBot Gandcrab GreyEnergy Mirai Olympic Destroyer SamSam 2018-11-29 ⋅\r\nSophosLabs Uncut ⋅ Andrew Brandt\r\nHow a SamSam-like attack happens, and what you can do about it\r\nSamSam 2018-11-28 ⋅ Department of Justice ⋅ Office of Public Affairs\r\nTwo Iranian Men Indicted for Deploying Ransomware to Extort Hospitals, Municipalities, and Public Institutions,\r\nCausing Over $30 Million in Losses\r\nSamSam 2018-09-11 ⋅ Sophos Naked Security ⋅ Mark Stockley\r\nThe Rise of Targeted Ransomware\r\nDharma FriedEx SamSam 2018-08-02 ⋅ Sophos Naked Security ⋅ Mark Stockley\r\nHow to defend yourself against SamSam ransomware\r\nSamSam 2018-08-01 ⋅ SophosLabs ⋅ Andrew Brandt, Claire Mackenzie, Dorka Palotay, Hajnalka Kope, Luca Nagy, Mark Stockley,\r\nPeter Mackenzie, Simon Porter\r\nSamSam: The (Almost) Six Million Dollar Ransomware\r\nSamSam 2018-07-31 ⋅ Sophos Naked Security ⋅ Mark Stockley\r\nSamSam: The (almost) $6 million ransomware\r\nSamSam 2018-07-31 ⋅ SophosLabs Uncut ⋅ Andrew Brandt\r\nSamSam guide to coverage\r\nSamSam 2018-07-31 ⋅ SophosLabs Uncut ⋅ Andrew Brandt\r\nSophos releases SamSam ransomware report\r\nSamSam 2018-05-21 ⋅ CrowdStrike ⋅ Karan Sood\r\nAn In-Depth Analysis of Samsam Ransomware and BOSS SPIDER\r\nSamSam 2018-04-01 ⋅ Sophos ⋅ Dorka Palotay, Peter Mackenzie\r\nSamSam Ransomware Chooses Its Targets 
Carefully\r\nSamSam 2018-02-15 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam\r\nSamSam Ransomware Campaigns\r\nMimiKatz reGeorg SamSam BOSS SPIDER 2018-02-15 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam\r\nSamSam: Converting Opportunity into Profit\r\nSamSam BOSS SPIDER 2018-01-22 ⋅ Talos Intelligence ⋅ Vitor Ventura\r\nSamSam - The Evolution Continues Netting Over $325,000 in 4 Weeks\r\nSamSam 2017-10-11 ⋅ FBI ⋅ FBI\r\nWanted By The FBI: SamSam Subjects\r\nSamSam 2016-05-03 ⋅ Secureworks ⋅ Kevin Strickland\r\nThe Continuing Evolution of Samas Ransomware\r\nSamSam BOSS SPIDER 2016-03-30 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam\r\nRansomware Deployed by Adversary with Established Foothold\r\nMimiKatz reGeorg SamSam BOSS SPIDER 2016-03-23 ⋅ Cisco Talos ⋅ Cisco Talos\r\nSamSam: The Doctor Will See You, After He Pays The Ransom\r\nSamSam 2015-06-03 ⋅ ClearSky ⋅ ClearSky Research Team\r\nThamar Reservoir – An Iranian cyber-attack campaign against targets in the Middle East\r\nSamSam\r\n[TLP:WHITE] win_samsam_auto (20200421 | autogenerated rule brought to you by yara-signator)\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.samsam",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.samsam"
	],
	"report_names": [
		"win.samsam"
	],
	"threat_actors": [
		{
			"id": "6b4a82e8-21f1-4bc7-84cf-e27334998b48",
			"created_at": "2022-10-25T16:07:23.84296Z",
			"updated_at": "2026-04-10T02:00:04.762229Z",
			"deleted_at": null,
			"main_name": "DEV-0270",
			"aliases": [
				"DEV-0270",
				"DireFate",
				"Lord Nemesis",
				"Nemesis Kitten",
				"Yellow Dev 23",
				"Yellow Dev 24"
			],
			"source_name": "ETDA:DEV-0270",
			"tools": [
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"WmiExec"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6f37e16f-64b2-4b9c-b5b4-08d0884660eb",
			"created_at": "2022-10-25T16:07:24.380872Z",
			"updated_at": "2026-04-10T02:00:04.966462Z",
			"deleted_at": null,
			"main_name": "Viking Spider",
			"aliases": [],
			"source_name": "ETDA:Viking Spider",
			"tools": [
				"Ragnar Locker",
				"RagnarLocker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b57a3b93-3a22-4889-af28-37cc53e824e7",
			"created_at": "2023-01-06T13:46:39.24034Z",
			"updated_at": "2026-04-10T02:00:03.256906Z",
			"deleted_at": null,
			"main_name": "MIMIC SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:MIMIC SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "25758a84-d695-44e7-9cd5-3c6e999ce6c0",
			"created_at": "2023-01-06T13:46:39.237624Z",
			"updated_at": "2026-04-10T02:00:03.255835Z",
			"deleted_at": null,
			"main_name": "OUTLAW SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:OUTLAW SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4116df25-aff6-46ee-a5dd-926254a78e89",
			"created_at": "2023-01-06T13:46:38.894033Z",
			"updated_at": "2026-04-10T02:00:03.137353Z",
			"deleted_at": null,
			"main_name": "BOSS SPIDER",
			"aliases": [
				"GOLD LOWELL"
			],
			"source_name": "MISPGALAXY:BOSS SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a9db5b93-dd22-4e33-9012-3650745266ee",
			"created_at": "2023-01-06T13:46:39.234575Z",
			"updated_at": "2026-04-10T02:00:03.254853Z",
			"deleted_at": null,
			"main_name": "OVERLORD SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:OVERLORD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eaef3218-1f8c-4767-b1ff-da7a6662acc0",
			"created_at": "2023-03-04T02:01:54.110909Z",
			"updated_at": "2026-04-10T02:00:03.359871Z",
			"deleted_at": null,
			"main_name": "DEV-0270",
			"aliases": [
				"Nemesis Kitten",
				"Storm-0270"
			],
			"source_name": "MISPGALAXY:DEV-0270",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e9f85280-337c-4321-b872-0919f8ef64a6",
			"created_at": "2022-10-25T16:07:24.261761Z",
			"updated_at": "2026-04-10T02:00:04.914455Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"Gold Village",
				"Maze Team",
				"TA2101",
				"Twisted Spider"
			],
			"source_name": "ETDA:TA2101",
			"tools": [
				"7-Zip",
				"Agentemis",
				"BokBot",
				"Buran",
				"ChaCha",
				"Cobalt Strike",
				"CobaltStrike",
				"Egregor",
				"IceID",
				"IcedID",
				"Mimikatz",
				"PsExec",
				"SharpHound",
				"VegaLocker",
				"WinSCP",
				"cobeacon",
				"nmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "679e335a-38a4-4db9-8fdf-a48c17a1f5e6",
			"created_at": "2023-01-06T13:46:38.820429Z",
			"updated_at": "2026-04-10T02:00:03.112131Z",
			"deleted_at": null,
			"main_name": "FASTCash",
			"aliases": [],
			"source_name": "MISPGALAXY:FASTCash",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b4ec06e5-60c9-4796-9f85-129c77d1652b",
			"created_at": "2023-01-06T13:46:39.21956Z",
			"updated_at": "2026-04-10T02:00:03.249407Z",
			"deleted_at": null,
			"main_name": "VIKING SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:VIKING SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d9cdc7f-72d6-4e17-89d8-f6323bfcaebb",
			"created_at": "2023-01-06T13:46:38.82716Z",
			"updated_at": "2026-04-10T02:00:03.113893Z",
			"deleted_at": null,
			"main_name": "GreyEnergy",
			"aliases": [],
			"source_name": "MISPGALAXY:GreyEnergy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9099912b-a00a-4afb-8294-c6d35af421a1",
			"created_at": "2023-01-06T13:46:39.338108Z",
			"updated_at": "2026-04-10T02:00:03.292102Z",
			"deleted_at": null,
			"main_name": "Scarab",
			"aliases": [],
			"source_name": "MISPGALAXY:Scarab",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1b20199b-07ae-42f1-ad22-bbe2dd471df8",
			"created_at": "2024-06-04T02:03:07.872554Z",
			"updated_at": "2026-04-10T02:00:03.613698Z",
			"deleted_at": null,
			"main_name": "GOLD LOWELL",
			"aliases": [
				"Boss Spider ",
				"CTG-0007 "
			],
			"source_name": "Secureworks:GOLD LOWELL",
			"tools": [
				"Samas"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e7d03ac8-7d6f-4ea0-83a9-10dff2ea1486",
			"created_at": "2022-10-25T16:07:24.158325Z",
			"updated_at": "2026-04-10T02:00:04.884772Z",
			"deleted_at": null,
			"main_name": "Scarab",
			"aliases": [
				"UAC-0026"
			],
			"source_name": "ETDA:Scarab",
			"tools": [
				"Scieron"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-10T02:00:04.721082Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b0261705-df2e-4156-9839-16314250f88a",
			"created_at": "2023-01-06T13:46:38.373617Z",
			"updated_at": "2026-04-10T02:00:02.947842Z",
			"deleted_at": null,
			"main_name": "Rocket Kitten",
			"aliases": [
				"Operation Woolen-Goldfish",
				"Thamar Reservoir",
				"Timberworm",
				"TEMP.Beanie",
				"Operation Woolen Goldfish"
			],
			"source_name": "MISPGALAXY:Rocket Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4e2776db-982d-4c07-8dd5-3888242aa7bc",
			"created_at": "2023-01-06T13:46:38.437237Z",
			"updated_at": "2026-04-10T02:00:02.974399Z",
			"deleted_at": null,
			"main_name": "PIZZO SPIDER",
			"aliases": [
				"DD4BC",
				"Ambiorx"
			],
			"source_name": "MISPGALAXY:PIZZO SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c240435e-8863-4e5b-9f47-20c6f5c52131",
			"created_at": "2022-10-25T16:07:23.253019Z",
			"updated_at": "2026-04-10T02:00:04.505012Z",
			"deleted_at": null,
			"main_name": "Outlaw Spider",
			"aliases": [],
			"source_name": "ETDA:Outlaw Spider",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9639c065-3fa6-432f-9cbd-5708500c4eaa",
			"created_at": "2022-10-25T16:07:23.255684Z",
			"updated_at": "2026-04-10T02:00:04.506059Z",
			"deleted_at": null,
			"main_name": "Overlord Spider",
			"aliases": [
				"The Dark Overlord"
			],
			"source_name": "ETDA:Overlord Spider",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c3c864b3-fac9-4d56-8500-7c06c829fbf8",
			"created_at": "2023-01-06T13:46:39.071873Z",
			"updated_at": "2026-04-10T02:00:03.203749Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"GOLD VILLAGE",
				"Storm-0216",
				"DEV-0216",
				"UNC2198",
				"TUNNEL SPIDER",
				"Maze Team",
				"TWISTED SPIDER"
			],
			"source_name": "MISPGALAXY:TA2101",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b774174f-aeca-4ea8-8f2a-b4a70a2a0b85",
			"created_at": "2023-01-06T13:46:39.451474Z",
			"updated_at": "2026-04-10T02:00:03.333575Z",
			"deleted_at": null,
			"main_name": "PARINACOTA",
			"aliases": [
				"Wine Tempest"
			],
			"source_name": "MISPGALAXY:PARINACOTA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "703c2493-d713-4697-a691-4c2e09c032e9",
			"created_at": "2022-10-25T16:07:24.53647Z",
			"updated_at": "2026-04-10T02:00:05.025223Z",
			"deleted_at": null,
			"main_name": "Parinacota",
			"aliases": [
				"Wine Tempest"
			],
			"source_name": "ETDA:Parinacota",
			"tools": [
				"Mimikatz",
				"ProcDump",
				"Wadhrama"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb8697fd-882a-4323-9eb8-8e20222cfd91",
			"created_at": "2022-10-25T16:07:23.416834Z",
			"updated_at": "2026-04-10T02:00:04.589943Z",
			"deleted_at": null,
			"main_name": "Boss Spider",
			"aliases": [
				"Boss Spider",
				"CTG-0007",
				"Gold Lowell"
			],
			"source_name": "ETDA:Boss Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"SDelete",
				"SamSam",
				"Samas"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434423,
	"ts_updated_at": 1775792167,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6e57e880781cf8fa7fa9a6e6563517bffa005a8c.pdf",
		"text": "https://archive.orkl.eu/6e57e880781cf8fa7fa9a6e6563517bffa005a8c.txt",
		"img": "https://archive.orkl.eu/6e57e880781cf8fa7fa9a6e6563517bffa005a8c.jpg"
	}
}