Skip to main content

Operator dossier

samsam (also tracked as Samas-Samsam, samsam.exe, MIKOPONI.exe, RikiRafael.exe) is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 13 public victims claimed by this operator between March 28, 2016 and September 28, 2018. SamSam was a financially-motivated ransomware operation that emerged in March 2016, targeting organizations primarily in the United States and Canada with a focus on critical infrastructure sectors including healthcare, government, transportation, and education. The group was linked to Iranian threat actors, with the U.S. Department of Justice indicting two Iranian nationals in 2018 for operating the SamSam ransomware scheme, which was believed to be state-sponsored or state-tolerated cybercriminal activity rather than operating as a traditional Ransomware-as-a-Service model. SamSam operators employed a targeted approach, gaining initial access through brute force attacks against Remote Desktop Protocol (RDP) services and JBoss application servers, then conducting extensive network reconnaissance before deploying their custom ransomware to encrypt multiple systems simultaneously across the victim's network. The group was responsible for several high-profile attacks, including strikes against the City of Atlanta in 2018 and multiple healthcare organizations, with the FBI estimating the group collected over $6 million in ransom payments and caused over $30 million in damages to victims between 2016 and 2018. Following the 2018 indictments and increased law enforcement pressure, SamSam operations significantly diminished, with the group becoming largely inactive by late 2018.

Most-affected countries

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

All groups

samsam

aka Samas-Samsam, samsam.exe, MIKOPONI.exe, RikiRafael.exe, showmehowto.exe, SamSam Ransomware, Samas · 13 victims indexed · first seen 10 years ago · last activity 8 years ago

13
Victims indexed
#197 of 364 tracked operators
2y 6m
Active period
Mar 2016 → Sep 2018
2
Countries hit
top United States · 12

At a glance

Status
inactive
Aliases
Samas-Samsam, samsam.exe, MIKOPONI.exe, RikiRafael.exe, showmehowto.exe, SamSam Ransomware, Samas
First seen
10 years ago
Last activity
8 years ago
Primary sector
Government Facilities · 5 hits

About

SamSam was a financially-motivated ransomware operation that emerged in March 2016, targeting organizations primarily in the United States and Canada with a focus on critical infrastructure sectors including healthcare, government, transportation, and education. The group was linked to Iranian threat actors, with the U.S. Department of Justice indicting two Iranian nationals in 2018 for operating the SamSam ransomware scheme, which was believed to be state-sponsored or state-tolerated cybercriminal activity rather than operating as a traditional Ransomware-as-a-Service model. SamSam operators employed a targeted approach, gaining initial access through brute force attacks against Remote Desktop Protocol (RDP) services and JBoss application servers, then conducting extensive network reconnaissance before deploying their custom ransomware to encrypt multiple systems simultaneously across the victim's network. The group was responsible for several high-profile attacks, including strikes against the City of Atlanta in 2018 and multiple healthcare organizations, with the FBI estimating the group collected over $6 million in ransom payments and caused over $30 million in damages to victims between 2016 and 2018. Following the 2018 indictments and increased law enforcement pressure, SamSam operations significantly diminished, with the group becoming largely inactive by late 2018.

References

8 links

External sources curated by the MISP threat-intel community.

Timeline

9 months
2016-03-01T00:00:00+00:00 · 12016-05-01T00:00:00+00:00 · 12017-04-01T00:00:00+00:00 · 12017-09-01T00:00:00+00:00 · 12018-01-01T00:00:00+00:00 · 32018-02-01T00:00:00+00:00 · 22018-03-01T00:00:00+00:00 · 22018-07-01T00:00:00+00:00 · 12018-09-01T00:00:00+00:00 · 1
2016-03-01T00:00:00+00:002018-09-01T00:00:00+00:00

Top countries

🇺🇸 United States
12
🇨🇦 Canada
1

Top sectors

Government Facilities
5
Healthcare and Public Health
4
Education Facilities
2
Transportation Systems
2

MITRE ATT&CK

6 techniques · 5 tactics

Tactics

Initial AccessExecutionPrivilege EscalationLateral MovementImpact

Techniques

  • T1190Exploit Public-Facing Application
  • T1059.003Command and Scripting Interpreter: Windows Command Shell
  • T1068Exploitation for Privilege Escalation
  • T1021.002Remote Services: SMB/Windows Admin Shares
  • T1570Lateral Tool Transfer
  • T1486Data Encrypted for Impact

Recent victims

Loading…

Source

Updated 8 years ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time samsam posts a victim.

Add samsam to your watchlist — Pro pings you within 5 minutes of any new samsam leak-site post, Telegram callout, or affiliate-rebrand inference.