Updated: SamSam Ransomware Virus (Removal Steps and Protection Updates)

SamSam ransomware is a threat that first appeared several months ago and is focused on attacking medical institutions such as hospitals. SamSam ransomware creators have released several different strains of the threat since it was observed for the first time. Therefore, it is associated with a significant number of malicious file extensions. The ransom note names also vary and files such as HOW_TO_DECRYPT_FILES.html, HELP_DECRYPT_YOUR_FILES.html or HELP_FOR_DECRYPT_FILE. Html are likely to be placed in all encrypted folders as well as on the desktop of the victim. Learn more about its impact and how to remove it from this guide.

This article aims to help all victims with the SamSam ransomware virus removal steps as well as the recovery of important encrypted files.

SamSam Ransomware Virus – Manual Removal Guide
Recover Encrypted Files
Skip all steps and download anti-malware tool that will safely scan and clean your PC.

DOWNLOAD SamSam Ransomware Removal Tool

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

SamSam Ransomware Description

The SamSam ransomware appeared several months ago in attack campaigns against hospitals and other medical institutions. This is a dangerous threat because it uses an unusual distribution method making it much more elusive than other ransomware variants. The code of the virus contains features that add stealth protection.

August Update 2017 Recently the infamous SamSam ransomware has been more active. The authors of the threat released a few new variants of the threat that append .mention9823, .moments2900, .breeding123, and .suppose666 file extensions to encrypted files. The latest updates also concern the demanded ransom amount which starts from 1.7 Bitcoin for one infected machine and increases up to 12 BTC when multiple devices need to be decrypted.

Here is an example ransom note of the SamSam ransomware infection:

#What happened to your files?
All of your important files were encrypted with RSA-2048, RSA-2048 is a powerful cryptography algorithm. For more information you can use Wikipedia.
Attention. Don’t rename or edit encrypted files because it will be impossible to decrypt your files.
#How to recover files?
RSA is a asymmetric cryptography algorithm, You need two key
1-Public key: you need it from encryption
2-Private key: you need it for decryption
So you need Private key to recover your files. It’s not possible to recover your files without private key.
#How to get private key?
You can receive your Private Key in 3 easy steps:
Step1: You must send us One Bitcoin for each affected PC to receive Private Key.
Step 2: After you send us one Bitcoin, Leave a comment on our blog with these detail: Your Bitcoin transaction reference + Your computer name.
#What is Bitcoin?
Bitcoin is an innovative payment network and a new kind of money. You can create a Bitcoin account at hxxp://blockchain.info and deposit money into your account and then send us.
#How to buy Bitcoin?
There are many way ti buy Bitcoin and deposit it into your account, You can buy it with WesternUnion, Bank Wire, International Bank transfer, Cash deposit and etc. If you want to pay with your Bussiness bank account you should create a business account in exchangers they don’t accept payment from third party.
#How to find the Bitcoin transaction reference?
Login into your blockchain account -> go to “My transactions” tab -> Click on your transaction -> In “Transaction Summary” page, You will find a “hash” with 64 characters long. Send us this hash with your comment on our blog + you computer name.

SamSam ransomware has the ability to spread to the internal network once it has gained access Upon infection it starts encrypting target user files, rendering them inaccessible. The encryption cipher used is RSA-2048 which makes it effectively unbreakable. The victim has no way of recovering their files and this is used by the hackers to extort large ransom sum from them. The full list of target files include the following:

.3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .7z, .ab4, .accdb, .accde, .accdr, .accdt, .ach, .acr, .act, .adb, .ads, .agdl, .ai, .ait, .al, .apj, .arw, .asf, .asm, .asp, .aspx, .asx, .avi, .awg, .back, .backup, .backupdb, .bak, .bank, .bay, .bdb, .bgt, .bik, .bkf, .bkp, .blend, .bpw, .c, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfp, .cgm, .cib, .class, .cls, .cmt, .cpi, .cpp, .cr2, .craw, .crt, .crw, .cs, .csh, .csl, .csv, .dac, .db, .db-journal, .db3, .dbf, .dbx, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .der, .des, .design, .dgc, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .eml, .eps, .erbsql, .erf, .exf, .fdb, .ffd, .fff, .fh, .fhd, .fla, .flac, .flv, .fmb, .fpx, .fxg, .gray, .grey, .gry, .h, .hbk, .hpp, .htm, .html, .ibank, .ibd, .ibz, .idx, .iif, .iiq, .incpas, .indd, .jar, .java, .jin, .jpe, .jpeg, .jpg, .jsp, .kbx, .kc2, .kdbx, .kdc, .key, .kpdx, .lua, .m, .m4v, .max, .mdb, .mdc, .mdf, .mef, .mfw, .mmw, .moneywell, .mos, .mov, .mp3, .mp4, .mpg, .mrw, .msg, .myd, .nd, .ndd, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nwb, .nx2, .nxl, .nyf, .oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .oil, .orf, .ost, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pab, .pages, .pas, .pat, .pbl, .pcd, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .php, .php5, .phtml, .pl, .plc, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prf, .ps, .psafe3, .psd, .pspimage, .pst, .ptx, .py, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .r3d, .raf, .rar,, .rat, .raw, .rdb, .rm, .rtf, .rw2, .rwl, .rwz, .s3db, .sas7bdat, .say, .sd0, .sda, .sdf, .sldm, .sldx, .sql, .sqlite, .sqlite3, .sqlitedb, .sr2, .srf, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .std, .sti, .stw, .stx, .svg, .swf, .sxc, .sxd, .sxg, .sxi, .sxi, .sxm, .sxw, .tex, .tga, .thm, .tib, .tif, .tlg, .txt, .vob, .wallet, .war, .wav, .wb2, .wmv, .wpd, .wps, .x11, .x3f, .xis, .xla, .xlam, .xlk, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .ycbcra, .yuv, .zip

Upon encryption a malicious file extension is appended in the end of the original file name. The list of associated eextensions includes:

  • .howcanihelpusir
  • .goforhelp
  • .iloveworld
  • .canihelpyou
  • .only-we_can-help_you
  • .encryptedAES
  • .encryptedRSA
  • .encedRSA
  • .justbtcwillhelpyou
  • .btcbtcbtc
  • .VforVendetta
  • .encmywork
  • .btc-help-you
  • .howcanihelpusir
  • .mention9823
  • .moments2900
  • .breeding123
  • .suppose666
  • The SamSam ransomware does not encrypt victim files if the compromised operating system is older than Windows Vista. The binary file does contains all malware code in itself, as it is not modular in nature. The fact that the ransomware has been designed to infect networks and propagate though the infected hosts makes it a very dangerous threat.

    Another peculiar fact about this particular strain is that it asks a very large sum for the decryption key. Individual users need to pay the sum of 1.5 Bitcoins per infected computer. The hacker operators also propose decryption of all infected machines on a particular network for the total sum of 22 Bitcoins.

    Security experts have monitored some of the target Bitcoin wallet addresses and have noticed that victims have paid the attackers lucrative amounts of money. This makes the SamSam Ransomware one of the most efficient threats this year.

    There is a decryptor released for the SamSam ransomware which has been devised by security experts who have analyzed the threat. Click here to download it.

    Updates

    A fresh piece of information related to SamSam ransomware virus has come out to light. The security researcher Michael Gillespie gave public evidence of a new variant of SamSam ransomware by a submitting a tweet post through his Twitter profile.

    What’s new?

    Upon encryption, the latest SamSam malware is designed to append the malicious file extension .howcanihelpusir to the infected files. Another new feature is the file name of its ransom note. SamSam ransomware drops a file called READ-V-HLP-YOU.html during infection. It contains the whole ransom message that is listed above.

    July Update 2017 Recently the infamous SamSam ransomware has been more active. The authors of the threat released a few new variants of the threat that append .mention9823, .moments2900, .breeding123, and .suppose666 file extensions to encrypted files. The latest updates also concern the demanded ransom amount which starts from 1.7 Bitcoin for one infected machine and increases up to 12 BTC when multiple devices need to be decrypted.

    SamSam Ransomware Virus Distribution

    The SamSam Ransomware is delivered through the JexBoss open-source tool for testing and exploiting security vulnerabilities. The attackers have used various weaknesses in the JBoss Application Server which apparently was used by the medical institutions. Most other ransomware threats depend on distribution via large-scale spam email campaigns that employ social engineering and phishing tricks.

    Remove SamSam Ransomware Virus and Restore Data

    WARNING! Manual removal of SamSam Ransomware Virus requires being familiar with system files and registries. Removing important data accidentally can lead to permanent system damage. If you don’t feel comfortable with manual instructions, download a powerful anti-malware tool that will scan your system for malware and clean it safely for you.

    DOWNLOAD Anti-Malware Tool

     
    SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

    SamSam Ransomware Virus – Manual Removal Steps

    Start the PC in Safe Mode with Network

    This will isolate all files and objects created by the ransomware so they will be removed efficiently. The steps bellow are applicable to all Windows versions.

    1. Hit the WIN Key + R

    2. A Run window will appear. In it, write msconfig and then press Enter

    3. A Configuration box shall appear. In it Choose the tab named Boot

    4. Mark Safe Boot option and then go to Network under it to tick it too

    5. Apply -> OK

    Show Hidden Files

    Some ransomware threats are designed to hide their malicious files in the Windows so all files stored on the system should be visible.

    1. Open My Computer/This PC

    2. Windows 7

      – Click on Organize button
      – Select Folder and search options
      – Select the View tab
      – Go under Hidden files and folders and mark Show hidden files and folders option

    3. Windows 8/ 10

      – Open View tab
      – Mark Hidden items option

    how to make hidden files visible in Windows 8 10 bestsecuritysearch instructions

    4. Click Apply and then OK button

    Enter Windows Task Manager and Stop Malicious Processes

    1. Hit the following key combination: CTRL+SHIFT+ESC

    2. Get over to Processes

    3. When you find suspicious process right click on it and select Open File Location

    4. Go back to Task Manager and end the malicious process. Right click on it again and choose End Process

    5. Next, you should go folder where the malicious file is located and delete it

    Repair Windows Registry

    1. Again type simultaneously the WIN Key + R key combination

    2. In the box, write regedit and hit Enter

    3. Type the CTRL+ F and then write the malicious name in the search type field to locate the malicious executable

    4. In case you have discovered registry keys and values related to the name, you should delete them, but be careful not to delete legitimate keys

    Click for more information about Windows Registry and further repair help

    Recovery Encrypted Files

    WARNING! All files and objects associated with SamSam Ransomware Virus should be removed from the infected PC before any data recovery attempts. Otherwise the virus may encrypt restored files. Furthermore, a backup of all encrypted files stored on external media is highly recommendable.

    DOWNLOAD [[email protected]].aleta Virus Removal Tool

    SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

    1. Use present backups

    2. Use professional data recovery software

    Stellar Phoenix Data Recovery – a specialist tool that can restore partitions, data, documents, photos, and 300 more file types lost during various types of incidents and corruption.

    3. Using System Restore Point

      – Hit WIN Key
      – Select “Open System Restore” and follow the steps

    restore-files-using-windows-system-restore-point

    4. Restore your personal files using File History

      – Hit WIN Key
      – Type restore your files in the search box
      – Select Restore your files with File History
      – Choose a folder or type the name of the file in the search bar
      – Hit the “Restore” button

    Preventive Security Measures

  • Enable and properly configure your Firewall.
  • Install and maintain reliable anti-malware software.
  • Secure your web browser.
  • Check regularly for available software updates and apply them.
  • Disable macros in Office documents.
  • Use strong passwords.
  • Don’t open attachments or click on links unless you’re certain they’re safe.
  • Backup regularly your data.
  • How disturbing is this problem?

    Avatar

    Author : Martin Beltov

    Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.


    Related Posts

    Leave a Reply

    Your email address will not be published. Required fields are marked *