Menu
Browse

Cyber Threat Actor: SamSam Gang

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Criminal
United States of America
2 incidents
Profile

The SamSam Gang, also referred to simply as SamSam, is a threat actor identified by the alias SamSam Gang and is associated with operations originating from the United States of America. Public reporting links the group to the use of the SAMSAM ransomware strain, which bears the same name as the actor. The actor’s known activity is limited to a handful of disclosed incidents, the most prominent of which occurred in March 2018.

In the March 2018 incident the SamSam Gang targeted the City of Atlanta, a municipal government entity located in the southeastern United States. The attack encrypted portions of the city’s data and disrupted public‑facing services such as online bill payments and court information access, while leaving critical functions like public safety, water services, airport operations, and employee payroll systems unaffected. The actors explicitly demanded a $51,000 ransom for the decryption keys, indicating a financially motivated objective rather than espionage or pure disruption.

Observed tactics, techniques, and procedures for the SamSam Gang include the deployment of the SAMSAM ransomware family as the primary payload. The ransomware was used to encrypt files on compromised systems, after which the actors presented a ransom note demanding payment in cryptocurrency. No details regarding initial access vectors, lateral movement tools, or post‑exploitation tooling have been made public in the available sources.

Attribution to a specific state sponsor or criminal consortium has not been established in open‑source reporting; the only publicly available geographic indicator is the actor’s location within the United States. The Atlanta ransomware event remains the most cited operation attributed to the SamSam Gang and serves as a representative example of their activity, illustrating their focus on municipal targets in the U.S. and their reliance on ransomware for financial gain.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
0 sources