{
	"id": "c56a1870-c23e-4021-a6fe-a61451237f36",
	"created_at": "2026-04-06T00:10:24.6495Z",
	"updated_at": "2026-04-10T13:12:19.35914Z",
	"deleted_at": null,
	"sha1_hash": "ced1c6df2415009457e769c288b7612e3e029035",
	"title": "An In-Depth Analysis of Samsam Ransomware and BOSS SPIDER",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1562767,
	"plain_text": "An In-Depth Analysis of Samsam Ransomware and BOSS SPIDER\r\nBy karansood\r\nArchived: 2026-04-05 21:21:43 UTC\r\nIntroduction\r\nThis analysis provides an in-depth view of the Samsam ransomware, which is developed and operated by the actor\r\ntracked by CrowdStrike® Falcon Intelligence™ as BOSS SPIDER. The infection chain and the execution flow\r\nvary according to the variant of the malware, both of which are detailed in this writeup. The malware uses external\r\ntools such as batch scripts, Mimikatz, and Sysinternals utilities, including PsExec and Sdelete, to aid in the\r\npropagation and cleanup of the ransomware. In some cases, the ransomware is delivered in an encrypted manner\r\nalongside a runner file, which is used to load and execute the malware in memory. In addition, the malware has\r\nanti-forensics capabilities that make it challenging to recover the ransomware payload from an infected system.\r\nDespite the steps taken by the malware to evade detection, Falcon Prevent can detect and prevent the family\r\nbefore it ever encrypts any files on the system.\r\nInfection Process\r\nNumerous variations of delivery methods for this ransomware family have been seen in the wild. Earlier\r\nvariations of the ransomware involved gathering credentials from Active Directory via a credential dumper such\r\nas Mimikatz, generating public RSA keys for each user on the list, and deploying the payload along with the\r\nfollowing files:\r\nPSExec: A legitimate utility that is part of the Sysinternals suite, used to execute applications on remote\r\nsystems\r\nBackup-Delete Helper File: This file is responsible for enumerating all the drives connected to the victim\r\nmachine. 
A detailed analysis is provided in the Backup-Delete Helper File subsection\r\nA list of compromised accounts\r\nA folder containing unique RSA public keys for each account\r\nFour batch scripts that are responsible for copying the files to each victim computer and loading the\r\npayload\r\nFirst file: copies the samsam payload and the corresponding public key to %WINDIR%\\system32;\r\nissues the command “vssadmin delete shadows /all /quiet”\r\nSecond file: copies the backup-delete helper file to C:\\Windows\r\nThird file: utilizes psexec to remotely execute the delete helper file\r\nFourth file: utilizes psexec to remotely execute the payload; provides the corresponding public key\r\nas an argument to the payload\r\nAs seen above, the public key and the backup deletion commands are external to the payload itself. In other\r\nvariants of Samsam, both the key and the backup deletions command have been embedded within the payload. In\r\nsuch cases, the delivery mechanism differs significantly from the one described above. Rather than deploying the\r\nhttps://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/\r\nPage 1 of 10\n\npayload with numerous files, the payload is instead encrypted and deployed with a runner file and a batch script as\r\ndescribed below:\r\nRunner file: responsible for decrypting and loading the payload; a detailed analysis is provided in the\r\nRunner File subsection.\r\nBatch script: loads the runner file and provides the following arguments to it (It should be noted that the\r\nnumber of arguments can also differ depending on the variant of the ransomware. 
Up to four arguments\r\nhave been observed so far).\r\n\u003cpassword\u003e: used to decrypt the encrypted payload\r\n\u003cpath\u003e: used by the decrypted payload to drop additional files\r\n\u003ctotalprice\u003e: used by the decrypted payload to dynamically generate the splash screen\r\n\u003cpriceperhost\u003e: used by the decrypted payload to dynamically generate the splash screen\r\nIn other cases, standalone Samsam payloads that do not require any arguments or helper files have also been seen.\r\nAs mentioned, there are a variety of ways in which the payload can be delivered and loaded onto a system.\r\nSubsequent sections will describe the payload and some of the previously mentioned helper files in more detail.\r\nTechnical Analysis\r\nBackup-Delete Helper File\r\nThis file is responsible for traversing the file system on a victim computer and targeting specific file extensions\r\nassociated with data backup. The extensions are provided in Appendix A: Targeted Backup Extensions. This\r\nprogram’s goal is to ensure that once the files on the system have been encrypted, no backups can be used for file\r\nrestoration. Please note that if any shared drives are connected, the helper file will also delete the corresponding\r\nfiles in those folders. Once loaded by the batch script, this file recursively enumerates each directory in each drive\r\nconnected to the victim machine. If a directory name contains the string “backup,” the program will enumerate all\r\nthe files within that directory and perform the following actions:\r\nSet the file attributes to FILE_ATTRIBUTE_NORMAL. This ensures that the file can be deleted without\r\nthrowing an exception.\r\nDelete each file once the file attribute is set.\r\nOnce all the files have been deleted, delete the directory itself.\r\nFor all the other directories, once a target file is found, the program ensures that it can delete the file by\r\nperforming the following actions:\r\nChecks that the file is not locked. 
In other words, makes sure that there isn’t a handle to the file being\r\naccessed by a process and that the file can be opened in READ mode. If the check passes, delete the file.\r\nIf the above check fails, the program kills the process associated with the file.\r\nIt invokes tasklist.exe to generate a list of running processes on the system by issuing the following\r\ncommand: tasklist /v /fo csv.\r\nIt enumerates the list to find a process with the same name as the file in question. If found, it\r\ninvokes taskkill.exe to kill the process by issuing the following command: taskkill /f /pid \u003cprocess\r\nID of the target process\u003e.\r\nOnce the process has been killed, it deletes the corresponding file.\r\nThe following is a snippet of the output of the tasklist command:\r\nFigure 1: Output of the tasklist command\r\nRunner File\r\nThe runner file is responsible for decrypting and loading the payload in memory. This file requires a password as\r\nan argument, which is used in the decryption process. Once loaded by the batch script, the runner looks for a file\r\nwith the extension “.stubbin” within the current working directory. This file is the actual encrypted payload; once\r\nit is found, the runner reads its contents into memory and deletes the encrypted .stubbin file from the disk\r\nimmediately. The fact that the payload is decrypted and loaded entirely in memory makes it hard to recover the\r\ndecrypted ransomware payload forensically. Once the content is read, the runner decrypts it using the Rijndael\r\nalgorithm. The password and a salt are provided to the algorithm to generate the decryption key and an IV. The\r\nsalt value is “Ivan Medvedev”, which has been seen in numerous binaries (benign and malicious) employing this\r\nalgorithm. 
With these two inputs, the runner file generates a 32 byte key and a 16 byte IV, which are then\r\nused to decrypt the payload. It is important to note that any additional arguments passed down from\r\nthe batch file are then passed to the decrypted payload. The runner file is then responsible for invoking the entry\r\npoint of the payload, thereby executing it in memory.\r\nPayload\r\nNumerous variants of the payload were analyzed, and one of the main differences among them was whether the\r\nRSA public key was embedded in the payload or not. As mentioned earlier, the batch script responsible for loading\r\nthe payload passes the public key as an argument to it, which is then read into a variable and used later in the\r\nexecution process. This section will explain in detail the steps taken by the ransomware to encrypt the files on the\r\nvictim machine.\r\nResource Extraction\r\nUpon being loaded, Samsam first parses its own resource section and extracts the resource names. For each name,\r\nit ensures that the name has the extension “.exe”, and checks to see if a file with the same name as the resource\r\nname exists in the current directory. If so, it deletes the file from disk, reads the contents of the resource section in\r\nchunks of 4096 bytes and writes them to disk in the current directory. So far, up to two different files have been seen\r\nas a result of this extraction: selfdel.exe and del.exe. Please note that this particular activity of dropping two files\r\nin the current directory with static names can be used for detection purposes early on in the kill chain. Once the\r\nfiles have been written to disk, the payload initiates a new thread to execute selfdel.exe, which is explained in\r\nfurther detail in the Cleanup section. 
Next, the payload will recursively enumerate all the directories in each drive\r\nconnected to the victim machine.\r\nFile System Enumeration\r\nThe payload ensures that the following directories are skipped when enumerating files:\r\nC:\\Windows\r\nReference Assemblies\\Microsoft\r\nRecycle.bin\r\nThis is to ensure a smooth execution flow. Since system files reside in C:\\Windows, and files necessary for the\r\n.NET framework are in Reference Assemblies\\Microsoft, it is imperative that those files are left intact. One\r\npossible reason for skipping files within the Recycle.bin directory might be that this directory is usually among\r\nthe first ones to be enumerated by ransomware families. A few security solutions depend on that behavior to detect\r\nand prevent the ransomware process early on in the execution flow. By skipping that directory, Samsam can\r\nsidestep that mitigation and continue to encrypt the files. The list of file extensions targeted by Samsam is given\r\nin Appendix A: Targeted Extensions. Once a file matching one of the extensions is found, the payload calls the\r\nencryption subroutine immediately if the file size is less than or equal to 100MB (104857600 bytes). However, if\r\nthe file size is greater, the following actions take place:\r\nIf the file size is greater than 100MB and less than or equal to 250MB, it appends the file’s full path to the list\r\nmylist250.\r\nIf the file size is greater than 250MB and less than or equal to 500MB, it appends the file’s full path to the list\r\nmylist500.\r\nIf the file size is greater than 500MB and less than or equal to 1GB, it appends the file’s full path to the list\r\nmylist1000.\r\nIf the file size is greater than 1GB, it appends the file’s full path to the list mylistbig.\r\nThe payload encrypts the files in those lists only after all the targeted files of 100MB or less have been\r\nencrypted. 
This is likely done to ensure that as many files as possible are encrypted in case the ransomware\r\nprocess ends prematurely. It should be noted that the encryption subroutine is called on those lists in order of\r\nfile size; files in mylist250 are encrypted first, followed by mylist500 and so on. Once the files in each list are\r\nencrypted, the payload clears the list in memory. In other variants of Samsam, this behavior of categorizing files\r\nby size is absent. Those variants use a single list of all files within all the drives connected to\r\nthe victim machine. Next, the file encryption subroutine is invoked to encrypt the target files.\r\nFile Encryption Wrapper\r\nFor each file, the payload performs the following checks:\r\nThe length of the current file is less than the available free space in the drive. If the check fails, the payload\r\nmoves on to the next file. This is to ensure that there is enough free space to write the encrypted file to\r\ndisk.\r\nThe length of the current file is greater than 0 bytes.\r\nThe public key variable is not NULL. Without the public key, no encryption would take place.\r\nIf any of the above checks fail, the payload moves on to the next file. Next, there are two observed variations in\r\nthe manner in which encryption takes place; these depend on the variant of Samsam running on the system.\r\nVariation A\r\nFor each file, the subroutine first checks if a file with the name \u003ctarget filename\u003e.\u003cencrypted extension\u003e already\r\nexists in the current directory. The encrypted extension value has consistently been “.encryptedRSA”. If so, the\r\nfollowing steps are taken:\r\nChecks the length of the .encryptedRSA file. If this file size is greater than the target file, the subroutine\r\ndeletes the target file and moves on to the next file. 
The program assumes that the file has already been\r\nencrypted with Samsam and therefore deletes the original target file.\r\nIf the .encryptedRSA file size is less than or equal to the target file, the subroutine deletes the\r\n.encryptedRSA file. Since the actual encryption will cause the resultant file size to be greater than the\r\noriginal file, the .encryptedRSA file size must be greater than the target file. The program assumes that the\r\n.encryptedRSA file is not the actual encrypted file and deletes it from disk. Once the .encryptedRSA file is\r\ndeleted, the target file is encrypted.\r\nVariation B\r\nIf the subroutine finds a file with the name \u003ctarget filename\u003e.encryptedRSA, it immediately skips the target file.\r\nThere are no checks on the length of this file, nor is there any attempt to delete the target file. It is important to\r\nnote that the subroutine moves on to the next file, leaving the current target file intact. This is a significant\r\noversight on the malware author’s part since it implies that if there are files of any length with the extension\r\n.encryptedRSA for each file on the system, no files would get encrypted. In fact, the ransomware would simply\r\nskip over every file, assuming that the files are already encrypted. This was tested and confirmed during analysis.\r\nFile Encryption\r\nSamsam utilizes the AES standard to encrypt the files. For each file, it generates a random 64 byte signaturekey, a\r\n16 byte key, and a 16 byte IV. It also creates an empty file \u003ctarget filename\u003e.encryptedRSA to which it writes\r\n3072 NULL bytes. This acts as a placeholder for the encrypted file header that is generated later in the execution\r\nflow. The payload then determines if there are current processes or services with an open handle to the target file\r\nby utilizing Restart Manager APIs. 
The following explains the steps in detail:\r\nStart a new Restart Manager session by invoking RmStartSession. This returns a session handle for the new\r\nsession.\r\nThe handle is used by RmRegisterResources to register the target file as a resource to the new session.\r\nThe handle is then used by RmGetList to get a list of processes that are currently utilizing the resource in\r\nquestion (target file).\r\nThe session is ended with RmEndSession.\r\nThe process ID of each process locking the file is appended to a file, which is then passed to a subroutine\r\nresponsible for killing those processes.\r\nOnce the target file handle is freed from any processes, the encryption subroutine reads its contents into a memory\r\nbuffer in chunks of 10KB (10240 bytes) at a time. Next, the subroutine uses AES in CBC mode to encrypt the\r\ncontents in the buffer, which are then written to the .encryptedRSA file starting from the 3073rd byte position\r\n(after the header placeholder). Once the entire file content has been encrypted and written to the new file, the file\r\nheader is generated.\r\nFile Header\r\nThe randomly generated signaturekey is used to generate a Hash-based Message Authentication Code (HMAC)\r\nhash of the encrypted content. This value, inArray, is then encoded with base64, and written to the file header. The\r\nfollowing is the structure of the file header:\r\n\u003cMtAeSKeYForFile\u003e\r\n\u003cKey\u003e: contains the randomly generated 16 byte key encrypted with the RSA public\r\nkey, and then encoded using base64. \u003c/Key\u003e\r\n\u003cIV\u003e: contains the randomly generated 16 byte IV encrypted and encoded in the same manner. 
\u003c/IV\u003e\r\n\u003cValue\u003e: contains the aforementioned inArray \u003c/Value\u003e\r\n\u003cEncryptedKey\u003e: contains the randomly generated 64 byte signature key encrypted and encoded in the\r\nsame manner. \u003c/Encrypted\u003e\r\n\u003cOriginalFileLength\u003e: contains the file size of the original target file. \u003c/OriginalFileLength\u003e\r\n\u003c/MtAeSKeYForFile\u003e\r\nThe corresponding RSA private key would decrypt each value in the file header, which would, in turn, allow\r\nthe file contents to be decrypted. The following is an example of an actual file header of a file encrypted by Samsam:\r\nFigure 2: File header of a file encrypted with Samsam\r\nOnce the file is encrypted, the original target file is deleted from disk.\r\nPost Encryption\r\nAfter each file has been encrypted, the payload will drop a text file named HELP_DECRYPT_YOUR_FILES in\r\nthe current directory. Figure 3 shows the contents of the file.\r\nFigure 3: Ransomware note\r\nIn some instances, HELP_DECRYPT_YOUR_FILES.html with the same contents is dropped in the current\r\ndirectory. An odd behavior of every variant of Samsam analyzed is that the ransomware note is dropped for every\r\nfile encrypted. Therefore, in directories where multiple files have been encrypted, multiple copies of the same\r\nransomware note are dropped.\r\nCleanup\r\nAs mentioned earlier, the payload parses its resource section to extract two executables, which are then written to\r\nthe current directory. 
The following are the properties of both files:\r\nFile: selfdel.exe\r\nSize: 5632\r\nMD5: 710A45E007502B8F42A27EE05DCD2FBA\r\nSHA256: 32445C921079AA3E26A376D70EF6550BAFEB1F6B0B7037EF152553BB5DAD116F\r\nCompiled: Wed, Dec 2 2015, 22:24:42 - 32 Bit .NET AnyCPU EXE\r\nVersion: 1.0.0.0\r\nFile: del.exe\r\nSize: 155736\r\nMD5: E189B5CE11618BB7880E9B09D53A588F\r\nSHA256: 97D27E1225B472A63C88AC9CFB813019B72598B9DD2D70FE93F324F7D034FB95\r\nCompiled: Sat, Jan 14 2012, 23:06:53 - 32 Bit EXE\r\nVersion: 1.61\r\nSignature: Valid\r\nSubject: Microsoft Corporation\r\nIssuer: Microsoft Code Signing PCA\r\nInternalName: sdelete\r\nProductName: Sysinternal Sdelete\r\nThe file del.exe is a legitimate Sysinternals\r\nutility that is used to delete files from disk. The file selfdel.exe is invoked in a new thread by the payload. It first\r\nensures that a process named samsam.exe is currently executing. If not, it immediately exits. Next, the file waits for\r\n3 seconds, and then issues the following command: del.exe -p 16 samsam.exe. This invokes the legitimate utility\r\ndel.exe, which is used to delete samsam.exe from disk. However, deleting a file simply marks it as deleted in the\r\nMFT, which frees up the clusters that were allocated to the file. The file contents would still be present in\r\nthose clusters. To overcome this, the utility actually overwrites the clusters; the -p 16 argument ensures that the\r\nclusters are overwritten 16 times, making forensic recovery of the payload impossible. This technique only applies\r\nto standalone payloads, and not to the variants that involve a runner file to decrypt and execute the payload in\r\nmemory. 
Once the payload is deleted, selfdel.exe sleeps for 30 seconds, and then deletes del.exe from disk;\r\nhowever, it does not delete itself.\r\nHow CrowdStrike® Falcon Prevent™ Stops Samsam\r\nSamsam is unique in terms of how it is delivered onto a system. The gathering of user credentials to generate\r\nunique RSA public keys ensures that an organization would have to pay for each infected user to decrypt the files.\r\nIn addition, the use of cleanup files for standalone executables, and the fact that other variants run entirely in\r\nmemory, make it extremely difficult to forensically collect the payload from disk or memory. Despite these\r\nchallenges, Falcon Prevent™ next-gen AV is able to detect and prevent the malware before it can perform any file\r\nencryption as seen below:\r\nFigure 4: Samsam prevented by Falcon Prevent\r\nFalcon Prevent is also able to detect and prevent the dropped file selfdel.exe from executing once loaded by the\r\npayload as shown below:\r\nFigure 5: Selfdel.exe prevented by Falcon Prevent\r\nThese preventions are based on the behavioral patterns displayed by Samsam in conjunction with CrowdStrike’s\r\nmachine learning algorithm.\r\nAppendix A\r\nTargeted Backup Extensions:\r\n.abk, .ac, .back, .backup, .backupdb, .bak, .bb, .bk, .bkc, .bke, .bkf, .bkn, .bkp, .bpp,\r\n.bup, .cvt, .dbk, .dtb, .fb, .fbw, .fkc, .jou, .mbk, .old, .rpb, .sav, .sbk, .sik, .spf, .spi, .swp, .tbk, .tib, .tjl, .umb, .vbk,\r\n.vib, .vmdk, .vrb, .wbk\r\nTargeted Extensions:\r\n.jin, .xls, .xlsx, .pdf, .doc, .docx, .ppt, .pptx, .log, .txt, .gif, .png, .conf,\r\n.data, .dat, .dwg, .asp, .aspx, .html, .tif, .htm, .php, .jpg, .jsp, .js, .cnf, .cs, .vb, .vbs, .mdb, .mdf, .bak, .bkf, .java,\r\n.jar, .war, .pem, .pfx, .rtf, .pst, .dbx, .mp3, .mp4, .mpg, .bin, .nvram, .vmdk, .vmsd, .vmx, .vmxf, .vmsn, .vmem,\r\n.gz, .3dm, .3ds, .zip, .rar, .3fr, .3g2, .3gp, .3pr, .7z, 
.ab4, .accdb, .accde, .accdr, .accdt, .ach, .acr, .act, .adb, .ads,\r\n.agdl, .ai, .ait, .al, .apj, .arw, .asf, .asm, .asx, .avi, .awg, .back, .backup, .backupdb, .pbl, .bank, .bay, .bdb, .bgt, .bik,\r\n.bkp, .blend, .bpw, .c, .cdf, .cab, .chm, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfp, .cgm, .cib,\r\n.class, .cls, .cmt, .cpi, .cpp, .cr2, .craw, .crt, .crw, .csh, .csl, .csv, .dac, .db, .db3, .dbf, .db-journal, .dc2, .dcr, .dcs,\r\n.ddd, .ddoc, .ddrw, .dds, .der, .des, .design, .dgc, .djvu, .dng, .dot, .docm, .dotm, .dotx, .drf, .drw, .dtd, .dxb, .dxf,\r\n.jse, .dxg, .eml, .eps, .erbsql, .erf, .exf, .fdb, .ffd, .fff, .fh, .fmb, .fhd, .fla, .flac, .flv, .fpx, .fxg, .gray, .grey, .gry, .h,\r\n.hbk, .hpp, .ibank, .ibd, .ibz, .idx, .iif, .iiq, .incpas, .indd, .jpe, .jpeg, .kc2, .kdbx, .kdc, .key, .kpdx, .lua, .m, .m4v,\r\n.max, .mdc, .mef, .mfw, .mmw, .moneywell, .mos, .mov, .mrw, .msg, .myd, .nd, .ndd, .nef, .nk2, .nop, .nrw, .ns2,\r\n.ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nwb, .nx2, .nxl, .nyf, .oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .oil,\r\n.orf, .ost, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pab, .pages, .pas, .pat, .pcd, .pct, .pdb, .pdd, .pef, .pl, .plc, .pot,\r\n.potm, .potx, .ppam, .pps, .ppsm, .ppsx, .pptm, .prf, .ps, .psafe3, .psd, .pspimage, .ptx, .py, .qba, .qbb, .qbm, .qbr,\r\n.qbw, .qbx, .qby, .r3d, .raf, .rat, .raw, .rdb, .rm, .rw2, .rwl, .rwz, .s3db, .sas7bdat, .say, .sd0, .sda, .sdf, .sldm, .sldx,\r\n.sql, .sqlite, .sqlite3, .sqlitedb, .sr2, .srf, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .std, .sti, .stw, .stx, .svg, .swf, .sxc, .sxd,\r\n.sxg, .sxi, .sxi, .sxm, .sxw, .tex, .tga, .thm, .tlg, .vob, .wallet, .wav, .wb2, .wmv, .wpd, .wps, .x11, .x3f, .xis, .xla,\r\n.xlam, .xlk, .xlm, .xlr, .xlsb, .xlsm, .xlt, .xltm, .xltx, .xlw, .ycbcra, .yuv\r\nLearn more about Falcon Prevent Next-Gen AV.\r\nDownload the white paper: Guide to AV Replacement: What You Need to Know Before Replacing Your 
Antivirus\r\nSolution.\r\nSource: https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/"
	],
	"report_names": [
		"an-in-depth-analysis-of-samsam-ransomware-and-boss-spider"
	],
	"threat_actors": [
		{
			"id": "4116df25-aff6-46ee-a5dd-926254a78e89",
			"created_at": "2023-01-06T13:46:38.894033Z",
			"updated_at": "2026-04-10T02:00:03.137353Z",
			"deleted_at": null,
			"main_name": "BOSS SPIDER",
			"aliases": [
				"GOLD LOWELL"
			],
			"source_name": "MISPGALAXY:BOSS SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1b20199b-07ae-42f1-ad22-bbe2dd471df8",
			"created_at": "2024-06-04T02:03:07.872554Z",
			"updated_at": "2026-04-10T02:00:03.613698Z",
			"deleted_at": null,
			"main_name": "GOLD LOWELL",
			"aliases": [
				"Boss Spider ",
				"CTG-0007 "
			],
			"source_name": "Secureworks:GOLD LOWELL",
			"tools": [
				"Samas"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "eb8697fd-882a-4323-9eb8-8e20222cfd91",
			"created_at": "2022-10-25T16:07:23.416834Z",
			"updated_at": "2026-04-10T02:00:04.589943Z",
			"deleted_at": null,
			"main_name": "Boss Spider",
			"aliases": [
				"Boss Spider",
				"CTG-0007",
				"Gold Lowell"
			],
			"source_name": "ETDA:Boss Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"SDelete",
				"SamSam",
				"Samas"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434224,
	"ts_updated_at": 1775826739,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ced1c6df2415009457e769c288b7612e3e029035.pdf",
		"text": "https://archive.orkl.eu/ced1c6df2415009457e769c288b7612e3e029035.txt",
		"img": "https://archive.orkl.eu/ced1c6df2415009457e769c288b7612e3e029035.jpg"
	}
}