S0370: SamSam
Analyst context for executives and security teams
SamSam matters because ATT&CK describes it as Windows ransomware whose variants have required operator interaction to execute core components. For leaders, that makes it more than a commodity malware label: it points to a ransomware scenario where business interruption can depend on how quickly defenders identify command execution, obfuscated payloads, file deletion, and data encryption activity before availability is lost.
Executive priority
Prioritize SamSam as a resilience and incident-readiness use case: confirm Windows endpoint visibility, ransomware response playbooks, backup recoverability, and evidence collection for encryption and cleanup activity. The decision value is whether the organization can prove it would see and respond to operator-driven ransomware behaviors, not whether it has a signature for the SamSam name.
Technical view
ATT&CK provides no official detection text for SamSam, so validation should be behavior-led using the relationships supplied: Encrypted/Encoded File and Junk Code Insertion for obfuscation, Windows Command Shell for execution, File Deletion for cleanup, and Data Encrypted for Impact for ransomware outcome. SOC and IR teams should test whether Windows telemetry captures command-shell execution with command-line context, suspicious file creation/modification patterns, deletion of dropped artifacts, and rapid encryption-like changes to local or reachable data stores.
Likely telemetry
- Windows endpoint process creation events, especially cmd.exe with parent/child process and command-line details
- EDR or host security alerts for ransomware-like file modification and encryption behavior
- File system telemetry showing high-volume writes, renames, extension changes, or inaccessible files
- File deletion evidence from endpoint logs, EDR, file integrity monitoring, or forensic artifacts
- Malware or static-analysis findings indicating encrypted/encoded content or junk-code obfuscation
Detection direction
- Do not rely only on known SamSam indicators; ATT&CK relationships indicate behaviors that can be generalized across ransomware operations.
- Validate Windows command-shell monitoring, including command-line capture, parent process lineage, user context, and remote or administrative execution context where available.
- Tune for combinations of execution plus file modification/deletion activity to reduce false positives from normal administration or software deployment.
- Assess whether obfuscation weakens static detections; supplement signature-based controls with behavioral and endpoint telemetry.
- Create investigation pivots from encryption events to preceding command execution and cleanup activity so responders can reconstruct sequence and scope.
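The execution-plus-file-modification/deletion correlation called for in the Technical view and the Detection direction list, written out as an added Python example; this is not code from the ATT&CK object, from the cited vendor reports, or from Glexia. The Sysmon-style JSON event schema and field names, the ten-minute window, the five-extension-change threshold and the sample records are all assumptions constructed for illustration, and the script also builds the investigation pivot (ordered timeline from shell execution through encryption-like renames to cleanup) that responders would use to reconstruct sequence and scope.

```python
"""Behaviour-led ransomware correlation over constructed Windows endpoint events.

Added example; it is not part of the ATT&CK object or of Glexia's tooling.
The event schema (Sysmon-like JSON lines), field names, thresholds and the
sample records below are assumptions chosen for illustration.
"""
import json
import os
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry. Host fs01 shows the chain the page describes:
# cmd.exe runs a dropped batch file, the same process changes many file
# extensions, then deletes the batch file. Host ws07 is a benign admin
# deployment (one rename, one cleanup) that must not alert.
SAMPLE_EVENTS = r"""
{"ts":"2024-05-01T02:00:01","host":"fs01","type":"process_create","pid":4120,"ppid":3300,"image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c C:\\Users\\Public\\run.bat","user":"CORP\\svc_backup"}
{"ts":"2024-05-01T02:00:05","host":"fs01","type":"file_rename","pid":4120,"path":"D:\\share\\q1.xlsx","new_path":"D:\\share\\q1.xlsx.locked"}
{"ts":"2024-05-01T02:00:06","host":"fs01","type":"file_rename","pid":4120,"path":"D:\\share\\q2.xlsx","new_path":"D:\\share\\q2.xlsx.locked"}
{"ts":"2024-05-01T02:00:07","host":"fs01","type":"file_rename","pid":4120,"path":"D:\\share\\plan.docx","new_path":"D:\\share\\plan.docx.locked"}
{"ts":"2024-05-01T02:00:08","host":"fs01","type":"file_rename","pid":4120,"path":"D:\\share\\db.bak","new_path":"D:\\share\\db.bak.locked"}
{"ts":"2024-05-01T02:00:09","host":"fs01","type":"file_rename","pid":4120,"path":"D:\\share\\notes.txt","new_path":"D:\\share\\notes.txt.locked"}
{"ts":"2024-05-01T02:01:20","host":"fs01","type":"file_delete","pid":4120,"path":"C:\\Users\\Public\\run.bat"}
{"ts":"2024-05-01T09:15:00","host":"ws07","type":"process_create","pid":880,"ppid":700,"image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c C:\\deploy\\install.bat","user":"CORP\\it_admin"}
{"ts":"2024-05-01T09:15:03","host":"ws07","type":"file_create","pid":880,"path":"C:\\Program Files\\App\\app.exe"}
{"ts":"2024-05-01T09:15:04","host":"ws07","type":"file_rename","pid":880,"path":"C:\\Program Files\\App\\app.exe.tmp","new_path":"C:\\Program Files\\App\\app.exe"}
{"ts":"2024-05-01T09:15:09","host":"ws07","type":"file_delete","pid":880,"path":"C:\\deploy\\install.bat"}
"""

WINDOW = timedelta(minutes=10)    # assumed: shell exec and file activity must fall in this span
EXT_CHANGE_THRESHOLD = 5          # assumed: extension changes by one process before it counts as encryption-like


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def _base(path):
    # Windows paths in the telemetry; normalise so this also runs on POSIX.
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def _ext(path):
    return os.path.splitext(_base(path))[1].lower()


def correlate(events, window=WINDOW, threshold=EXT_CHANGE_THRESHOLD):
    """Return one alert per cmd.exe process whose later activity in the window
    looks encryption-like (many extension changes). Deletion of a file named
    on the shell's own command line is recorded as cleanup evidence."""
    by_host_pid = defaultdict(list)
    for ev in events:
        by_host_pid[(ev["host"], ev["pid"])].append(ev)

    alerts = []
    for (host, pid), evs in by_host_pid.items():
        shells = [e for e in evs if e["type"] == "process_create"
                  and _base(e["image"]).lower() == "cmd.exe"]
        for shell in shells:
            deadline = shell["ts"] + window
            later = [e for e in evs if shell["ts"] < e["ts"] <= deadline]
            ext_changes = [e for e in later if e["type"] == "file_rename"
                           and _ext(e["path"]) != _ext(e["new_path"])]
            if len(ext_changes) < threshold:
                continue  # normal administration: shell exec without mass extension changes
            cleanup = [e["path"] for e in later if e["type"] == "file_delete"
                       and e["path"].lower() in shell["cmdline"].lower()]
            # Ordered timeline is the pivot responders use to reconstruct sequence and scope.
            timeline = [(e["ts"].isoformat(), e["type"],
                         e.get("new_path") or e.get("path") or e["cmdline"])
                        for e in [shell] + later]
            alerts.append({
                "host": host, "pid": pid, "user": shell["user"],
                "cmdline": shell["cmdline"],
                "ext_changes": len(ext_changes),
                "first_change": ext_changes[0]["ts"].isoformat(),
                "last_change": ext_changes[-1]["ts"].isoformat(),
                "deleted_artifacts": cleanup,
                "timeline": timeline,
            })
    return alerts


def run_sample():
    """Run the correlation over the constructed sample; returns the alert list."""
    return correlate(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert, indent=2))
```

Run as-is it emits one alert for fs01 and nothing for ws07; the benign deployment runs cmd.exe and deletes its own batch file, but makes a single extension change, so the combination rule rather than any one behaviour is what separates it. In production the threshold and window would be tuned per host class, and the `cmdline`, `ppid` and `user` fields would feed the parent-lineage and user-context checks the list above asks for.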
Mitigation priorities
- Strengthen Windows endpoint hardening and monitoring around command-shell execution and administrative activity.
- Maintain tested, protected backups and restoration procedures because the related impact behavior is data encryption for availability disruption.
- Ensure incident response playbooks cover ransomware containment, evidence preservation, file deletion investigation, and recovery decision-making.
- Use behavior-based detection engineering for obfuscation, command execution, cleanup, and encryption rather than depending solely on malware naming.
- Review privileged access and operational segmentation assumptions locally, since the supplied ATT&CK object does not provide detailed initial access or lateral movement context.
Analyst notes and limits
The official object identifies SamSam as ransomware appearing in early 2016 and notes that variants required manual operator interaction for some core components. The most useful defensive framing is therefore a Windows, behavior-driven ransomware readiness scenario anchored to the supplied ATT&CK relationships.
MITRE provides no official detection text, no object-level tactics, no aliases, and no detailed procedure examples in the supplied fields. Local telemetry, asset criticality, backup architecture, and incident history are required to determine actual exposure or coverage.
SamSam
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1070.004 | File Deletion (sub-technique) | SamSam has been seen deleting its own files and payloads to make analysis of the attack more difficult. (Citation: Sophos SamSam Apr 2018) |
| Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique) | SamSam has been seen using AES or DES to encrypt payloads and payload components. (Citation: Sophos SamSam Apr 2018) (Citation: Talos SamSam Jan 2018) |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | SamSam uses custom batch scripts to execute some of its components. (Citation: Sophos SamSam Apr 2018) |
| Enterprise | T1027.016 | Junk Code Insertion (sub-technique) | SamSam has used garbage code to pad some of its malware components. (Citation: Sophos SamSam Apr 2018) |
| Enterprise | T1486 | Data Encrypted for Impact | SamSam encrypts victim files using RSA-2048 encryption and demands a ransom be paid in Bitcoin to decrypt those files. (Citation: Sophos SamSam Apr 2018) |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 4bdacccca70f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] US-CERT SamSam 2018: US-CERT. (2018, December 3). Alert (AA18-337A): SamSam Ransomware. Retrieved March 15, 2019.
- [2] Talos SamSam Jan 2018: Ventura, V. (2018, January 22). SamSam - The Evolution Continues Netting Over $325,000 in 4 Weeks. Retrieved April 16, 2019.
- [3] Sophos SamSam Apr 2018: Palotay, D. and Mackenzie, P. (2018, April). SamSam Ransomware Chooses Its Targets Carefully. Retrieved April 15, 2019.
- [4] Symantec SamSam Oct 2018: Symantec Security Response Attack Investigation Team. (2018, October 30). SamSam: Targeted Ransomware Attacks Continue. Retrieved April 16, 2019.
- [5] Samas (associated name; Citation: US-CERT SamSam 2018)
- [6] mitre-attack S0370 (MITRE ATT&CK source object)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.