Samas is a ransomware group first observed in February 2018, operating with primary financial motivation and demonstrating a focused targeting pattern against public sector organizations in the United States. Based on available data, the group has a limited documented victim count of one known target, suggesting either a highly selective operational tempo or limited public attribution of their activities; no definitive country of origin or confirmed affiliation with broader ransomware ecosystems has been publicly established by CISA, FBI, Mandiant, or other reputable threat intelligence sources under this specific group designation. It is worth noting that "SamSam" ransomware, a similarly named and well-documented threat, was extensively profiled by the FBI and CISA as a financially motivated actor employing manual deployment techniques, exploiting vulnerabilities in public-facing applications such as JBoss, and conducting targeted intrusions rather than mass-distribution campaigns, and it is possible this entry represents a variant spelling or related attribution cluster. Given the limited public intelligence available specifically under the "Samas" designation with the parameters provided, analytical confidence in detailed attribution, tooling, or campaign specifics remains low, and analysts should cross-reference with SamSam documentation and broader public sector ransomware reporting for contextual enrichment. The current operational status of this group cannot be definitively confirmed based on publicly available documented sources. The group has been linked to 1 public disclosures across our corpus. First observed on a leak site on February 16, 2018. The operation is currently inactive.
Also tracked as: Samas-Samsam, samsam.exe, MIKOPONI.exe, RikiRafael.exe.
Sector and geography
This disclosure adds to ransomware activity in the Public Sector sector, which has 466 disclosures indexed across all operators we track. Geographically, Davidson County is reported in United States, a country with 3,115 ransomware disclosures in our corpus.
If your organisation is affected
A listing by samas means Davidson County appeared on a ransomware extortion site and data attributed to it has been published. If this is your organisation, or a supplier you depend on, the priority is to confirm the intrusion and contain it before the window to act closes.
- Engage your incident-response team and preserve forensic evidence before remediating — do not wipe affected systems first.
- Force a password reset and revoke active sessions for exposed accounts; rotate any credentials, API keys or certificates that may have been in the stolen data.
- Assess regulatory notification duties (GDPR, NIS2, sector regulators) — many carry a 72-hour reporting clock from awareness.
- Report the incident to your national CERT, CISA (United States), as required for your jurisdiction.
- Monitor for the data appearing on samas's leak site and across paste and breach channels, and brief downstream partners who may be exposed through you.
How we know this. Darkfield monitors public ransomware leak sites continuously, archiving every new disclosure and the data later released against the victim. Each entry on this page is sourced from the operator's own publication and cross-checked against complementary OSINT feeds (RansomLook, ransomware.live, RansomWatch). We do not collect or host stolen data — only the metadata, timestamps and screenshots needed to make the public disclosure searchable and accountable. Records here are corrected when the original post is edited, retracted, or merged with another disclosure.