Operator dossier

samsam (also tracked as Samas-Samsam, samsam.exe, MIKOPONI.exe, RikiRafael.exe) is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 12 public victims claimed by this operator between March 28, 2016 and September 28, 2018. SamSam was a financially-motivated ransomware operation that emerged in March 2016, targeting organizations primarily in the United States and Canada with a focus on critical infrastructure sectors including healthcare, government, transportation, and education. The group was linked to Iranian threat actors, with the U.S. Department of Justice indicting two Iranian nationals in 2018 for operating the SamSam ransomware scheme, which was believed to be state-sponsored or state-tolerated cybercriminal activity rather than operating as a traditional Ransomware-as-a-Service model. SamSam operators employed a targeted approach, gaining initial access through brute force attacks against Remote Desktop Protocol (RDP) services and JBoss application servers, then conducting extensive network reconnaissance before deploying their custom ransomware to encrypt multiple systems simultaneously across the victim's network. The group was responsible for several high-profile attacks, including strikes against the City of Atlanta in 2018 and multiple healthcare organizations, with the FBI estimating the group collected over $6 million in ransom payments and caused over $30 million in damages to victims between 2016 and 2018. Following the 2018 indictments and increased law enforcement pressure, SamSam operations significantly diminished, with the group becoming largely inactive by late 2018.

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

← All groups

samsam

aka Samas-Samsam, samsam.exe, MIKOPONI.exe, RikiRafael.exe, showmehowto.exe, SamSam Ransomware, Samas · 12 victims indexed · first seen 10 years ago · last activity 8 years ago

Victims indexed

#194 of 348 tracked operators

2y 6m

Active period

Mar 2016 → Sep 2018

Countries hit

top US · 11

At a glance

Status: inactive
Aliases: Samas-Samsam, samsam.exe, MIKOPONI.exe, RikiRafael.exe, showmehowto.exe, SamSam Ransomware, Samas
First seen: 10 years ago
Last activity: 8 years ago
Primary sector: Healthcare and Public Health · 4 hits

About

SamSam was a financially-motivated ransomware operation that emerged in March 2016, targeting organizations primarily in the United States and Canada with a focus on critical infrastructure sectors including healthcare, government, transportation, and education. The group was linked to Iranian threat actors, with the U.S. Department of Justice indicting two Iranian nationals in 2018 for operating the SamSam ransomware scheme, which was believed to be state-sponsored or state-tolerated cybercriminal activity rather than operating as a traditional Ransomware-as-a-Service model. SamSam operators employed a targeted approach, gaining initial access through brute force attacks against Remote Desktop Protocol (RDP) services and JBoss application servers, then conducting extensive network reconnaissance before deploying their custom ransomware to encrypt multiple systems simultaneously across the victim's network. The group was responsible for several high-profile attacks, including strikes against the City of Atlanta in 2018 and multiple healthcare organizations, with the FBI estimating the group collected over $6 million in ransom payments and caused over $30 million in damages to victims between 2016 and 2018. Following the 2018 indictments and increased law enforcement pressure, SamSam operations significantly diminished, with the group becoming largely inactive by late 2018.

References

8 links

External sources curated by the MISP threat-intel community.

Timeline

9 months

2016-03-01T00:00:00+00:002018-09-01T00:00:00+00:00

Top countries

🇺🇸 US

🇨🇦 CA

US dossier →CA dossier →

Top sectors

Healthcare and Public Health

Government Facilities

Transportation Systems

Education Facilities

Healthcare and Public Health dossier →Government Facilities dossier →Transportation Systems dossier →Education Facilities dossier →

MITRE ATT&CK

6 techniques · 5 tactics

Tactics

Initial AccessExecutionPrivilege EscalationLateral MovementImpact

Techniques

T1190Exploit Public-Facing Application
T1059.003Command and Scripting Interpreter: Windows Command Shell
T1068Exploitation for Privilege Escalation
T1021.002Remote Services: SMB/Windows Admin Shares
T1570Lateral Tool Transfer
T1486Data Encrypted for Impact

Recent victims

Loading…

Source

Updated 8 years ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.