Information about SamSam ransomware

Various national and international media are currently warning of a ransomware attack called SamSam. SamSam has been circulating for at least 1 year, but is now getting attention in the national media because some Dutch organisations have been affected by this malware variant and are experiencing negative consequences.

Below we inform you about the impact on your organization and how ON2IT can support you in taking corrective measures.

Palo Alto Networks

Palo Alto Networks Next-Generation Firewalls block these brute force attempts [1] and of course Palo Alto Networks TRAPS already protects against software that has ransomware characteristics [2].


This ransomware has been circulating for a while, and has already been the subject of research [3] by various parties. Unlike a worm or virus, the ransomware does not spread by itself, but is manually placed by the attackers on publicly accessible systems of organizations. Further reports show that the attackers initially gain entry by “brute forcing” (guessing usernames and passwords) accounts on Microsoft RDP servers accessible from the internet [4].
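
The brute-force entry described above appears in Windows Security logs as bursts of failed logons from one source, and the case that matters most is a successful logon that follows such a burst. The Python detector below is an added example, not code from ON2IT or Palo Alto Networks; the space-separated log format, the threshold and the window are assumptions, and the events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: time, event ID, logon type, source IP, account.
# 4625 = failed logon, 4624 = successful logon. Logon type 10 is
# RemoteInteractive (RDP); with NLA, RDP failures commonly show as type 3.
SAMPLE_EVENTS = """\
2018-05-02T03:10:01 4625 3 203.0.113.7 administrator
2018-05-02T03:10:09 4625 3 203.0.113.7 admin
2018-05-02T03:10:15 4625 3 203.0.113.7 backup
2018-05-02T03:10:22 4625 3 203.0.113.7 scanner
2018-05-02T03:10:30 4625 3 203.0.113.7 backup
2018-05-02T03:11:02 4624 10 203.0.113.7 backup
2018-05-02T07:59:40 4625 2 - jdoe
2018-05-02T08:30:11 4625 10 198.51.100.20 jdoe
2018-05-02T08:30:40 4625 10 198.51.100.20 jdoe
2018-05-02T08:31:05 4624 10 198.51.100.20 jdoe
"""

RDP_LOGON_TYPES = {"3", "10"}
THRESHOLD = 5                    # assumed: failures per source address...
WINDOW = timedelta(minutes=2)    # ...within this sliding window

def parse(text):
    # Keep remote logon events only; console logons (type 2) are ignored.
    for line in text.splitlines():
        ts, event_id, logon_type, ip, user = line.split()
        if logon_type in RDP_LOGON_TYPES:
            yield datetime.fromisoformat(ts), event_id, ip, user

def detect(text, threshold=THRESHOLD, window=WINDOW):
    failures = defaultdict(deque)  # source IP -> recent failure times
    flagged = set()                # sources that already hit the threshold
    alerts = []
    for ts, event_id, ip, user in sorted(parse(text)):
        recent = failures[ip]
        while recent and ts - recent[0] > window:
            recent.popleft()       # drop failures older than the window
        if event_id == "4625":
            recent.append(ts)
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("BRUTE_FORCE", ip, user))
        elif event_id == "4624" and ip in flagged:
            # A logon from a guessing source: treat the account as compromised.
            alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", ip, user))
    return alerts

if __name__ == "__main__":
    print(*detect(SAMPLE_EVENTS), sep="\n")
```

The user who mistypes a password twice and then logs in (198.51.100.20) raises no alert, while the source that guesses across several account names and then succeeds raises both.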


What differentiates SamSam from other crypto-lockers is that the attackers do not strike immediately after compromising a system. They first try to propagate the malware to other systems and research the organization they are targeting. They gauge the type of organization and the available data, and use this information to adjust the ‘ransom’ that is demanded.


Palo Alto Networks equipment proactively blocks this ransomware. In addition, the ON2IT SOC remains alert and extra vigilant. We keep a close eye on the developments around SamSam and will inform you where necessary. In any case, we recommend that you use complex passwords (or rather, multi-factor authentication) and limit public access to internal systems as much as possible.

If you have additional questions about this vulnerability, please contact ON2IT SOC. We can be reached via +31 (0)88-2266201 and


[1] (threat ID 40021)