
SamSam ransomware virus. How to remove? (Uninstall guide)

Removal by Julie Splinters | Type: Ransomware

SamSam ransomware virus has been updated one more time


SamSam is a family of ransomware-type viruses which was discovered in June 2016. During its lifetime, this crypto-malware has been updated several times. The most recent version was noticed spreading in October 2017 as a friendly2.exe file. This version is still under investigation, but according to the latest data, it appends the .loveransisgood file extension.

This newest version emerged only two months after the last update. In August 2017, new versions attached the .country82000, .supported2017, .prosperous666, and .disposed2017[1] extensions to the targeted files. What is more, the recent update provides data recovery instructions in a new PLEASE-README -AFFECTED-FILES.html file.

Therefore, you should be especially wary of the downloaded content from there. Luckily, the malware is detectable as Trojan.Ransom.SamSam, MSIL/Filecoder_Samas.B!tr, Backdoor.Ratenjay.Gen!c, Msil.Trojan.Dothetuk.Tccf, etc.[2] Judging by the latter trojan names, the malware seems to contain backdoor elements. Therefore, SamSam removal should become a top priority. Reimage or Malwarebytes Anti Malware will speed up the process.

The virus was first detected after it infected several hospitals in the United States and encrypted their key data system in 2016.[3] MedStar hospital was in the most horrible position after this ransomware attack because it was required to pay 45 Bitcoins or $18,500 in exchange for encrypted data. Fortunately, IT specialists in this hospital found data backups saved in other locations. Hence, cyber criminals did not receive the money.

The developers[4] of the original version seem to have sought inspiration from V, the famous character of Alan Moore's 1989 comic book. During data encryption, the virus attaches the .VforVendetta file extension to the targeted files. However, this is just one of the possible extensions that might be appended to pictures, documents, audio and video files.

Other variants of SamSam ransomware append the following file extensions:

  • .breeding123;
  • .country82000;
  • .disposed2017;
  • .happenencedfiles;
  • .helpmeencedfiles;
  • .howcanihelpusir;
  • .iaufkakfhsaraf;
  • .mention9823;
  • .myransext2017;
  • .noproblemwedecfiles;
  • .notfoundrans;
  • .prosperous666;
  • .powerfulldecryp;
  • .supported2017;
  • .suppose666;
  • .Whereisyourfiles;
  • .wowreadfordecryp;
  • .wowwhereismyfiles;
  • .loveransisgood.

Different variants of the virus might drop different versions of ransom notes. At the moment, victims might receive the IF_WANT_FILES_BACK_PLS_READ.html, 000-PLEASE-READ-WE-HELP.html, 000-No-PROBLEM-WE-DEC-FILES.html, READ-FOR-DECCCC-FILESSS.html or PLEASE-README -AFFECTED-FILES.html ransom notes, which state that the victims need to pay the ransom.

We want to point out that it’s important to remove SamSam virus from the computer BEFORE it starts data encryption. Reimage will help you to stop and remove ransomware. However, if it has already begun the encryption procedure, make sure you use data recovery steps given below instead of paying the ransom.

It seems that this threat has been relying on a vulnerability found in the JBoss application, which is known as WildFly at the moment. It has to be patched to prevent the need for SamSam removal.

The creators of this virus also generate the RSA key pair themselves. Other infamous threats of the same kind create the public and private keys automatically through a command and control server. In this case, the hackers generate the keys themselves.

The latter factor might complicate the work of virus researchers who are trying to come up with the decryption keys for this particular ransomware. As a result, the virus, which is alternatively known as Samas DR, SamSam and MSIL.B, has also attracted the attention of the FBI.

It officially warned corporations and businesses to increase their cyber security.[5] This was a direct response to the hackers' ambitions to target hospitals, which were similarly attacked by the Locky virus during its first days of distribution. Looking back at the history of this threat, we should remember that it struck the world by assaulting Hollywood Medical Centre. Thus, it is crucial to improve security regardless of whether you are an independent or corporate user. In order to do that, install an anti-spyware program, for instance, Reimage or Malwarebytes Anti Malware.

Developers of SamSam continue upgrading the virus

One of the first SamSam variants that appeared in the wild added the .notfoundrans file extension to all encrypted files and created a ransom note called 006-READ-FOR-HELLPP.html. Later on, the virus switched to appending the .wowreadfordecryp extension to every encrypted file.

Additionally, it leaves a ransom note called 000-WOW-READ-FOR-DECRYP.html. On January 4, 2017, the virus emerged as a variant that adds the .wowwhereismyfiles extension to encoded records and drops a ransom note titled 001-PLS-DEC-MY-FILES.html. Another variant, spotted on the 1st of November 2017, is recognized by the .helpmeencedfiles file extension and the HELP-ME-ENCED-FILES.html ransom note.

Just before New Year's Eve, SamSam attacked with a variant that renames files by adding the .Whereisyourfiles file extension and then leaves a WHERE-YOUR-FILES.html ransom note on the system. On December 25, SamSam appeared as a variant that appends .happenencedfiles to files and leaves information about the data recovery options in the 002-HAPPEN-ENCED-FILES.html file.

Less than a week earlier, on December 20, a variant adding the .theworldisyours extension and leaving CHECK-IT-HELP-FILES.html was spotted. December 15, 2016, revealed a new version that is recognized by the .howcanihelpusir extension and the READ-V-HLP-YOU.html ransom note. The same month, on December 8, SamSam appeared with the .VforVendetta extension and the 000-PLEASE-READ-WE-HELP.html ransom note.

In January 2017, a new version of the virus has been detected. It appends .powerfulldecrypt file extension to the corrupted files. This time the instructions are delivered in WE-MUST-DEC-FILES.html web page. What is more, SamSam hijack occurs when a trojan enters an operating system. According to the results of the analysis, security programs detect the virus under different trojan names. Some of them are Trojan[Ransom]/MSIL.Samas, Ransom.FileCryptor, and Ransom:Win32/FileCryptor. Update your security software not to get infected with this virus.

It didn’t take long for hackers to upgrade the ransomware one more time. In the middle of January 2017, a new variant of SamSam was noticed appending a new file extension and delivering a new ransom note. It adds the .noproblemwedecfiles file extension and informs victims about the necessity to pay the ransom in the 000-No-PROBLEM-WE-DEC-FILES.html file.

Another version of SamSam was found at the beginning of March. It uses the .iaufkakfhsaraf file extension and drops a ransom note called IF_WANT_FILES_BACK_PLS_READ.html.

In June 2017, SamSam ransomware was updated one more time. That variant is executed from the wound2.exe file. It appends the .moments2900 file extension to the affected data and then drops a ransom note called .READ-FOR-DECCCC-FILESSS.html.

In August, SamSam started using three new file extensions: .country82000, .supported2017 and .prosperous666. The ransom note was updated too. Currently, the ransomware delivers recovery instructions in the PLEASE-README -AFFECTED-FILES.html file.

A month later, the malware developers struck again with a new variation which leaves its distinctive mark, the .myransext2017 file extension. Furthermore, the demands are presented in the 005-DO-YOU-WANT-FILES.html file. No other changes are recorded. The malware is likely to spread via spam emails and infected applications as well as trojans.

In October 2017, malware researchers noticed another variant of SamSam spreading on the Web. This time the ransomware travels as a friendly2.exe file. On the affected device, it should act the same as previous versions of the virus. It encrypts files using a sophisticated algorithm and demands a ransom.

The significant feature of the ransomware is its added file extension. This time SamSam locks files with .loveransisgood extension.
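The file extensions and ransom-note names listed in this article can be turned into a quick triage scan of a folder or file share. The Python sketch below is an added example, not part of the original guide or of any vendor tool; `scan` and `demo` are hypothetical names, and the sample directory tree is constructed for the demonstration.

```python
import os
import tempfile
# Indicators copied from this article. Matching ignores case and whitespace.
EXTENSIONS = """.VforVendetta .breeding123 .country82000 .disposed2017
.happenencedfiles .helpmeencedfiles .howcanihelpusir .iaufkakfhsaraf
.mention9823 .myransext2017 .noproblemwedecfiles .notfoundrans .prosperous666
.powerfulldecryp .powerfulldecrypt .supported2017 .suppose666 .Whereisyourfiles
.wowreadfordecryp .wowwhereismyfiles .loveransisgood .theworldisyours
.moments2900""".lower().split()
NOTES = [
    "IF_WANT_FILES_BACK_PLS_READ.html", "000-PLEASE-READ-WE-HELP.html",
    "000-No-PROBLEM-WE-DEC-FILES.html", "READ-FOR-DECCCC-FILESSS.html",
    "PLEASE-README -AFFECTED-FILES.html", "006-READ-FOR-HELLPP.html",
    "000-WOW-READ-FOR-DECRYP.html", "001-PLS-DEC-MY-FILES.html",
    "HELP-ME-ENCED-FILES.html", "WHERE-YOUR-FILES.html",
    "002-HAPPEN-ENCED-FILES.html", "CHECK-IT-HELP-FILES.html",
    "READ-V-HLP-YOU.html", "WE-MUST-DEC-FILES.html",
    "005-DO-YOU-WANT-FILES.html",
]

def _norm(name):
    return "".join(name.split()).lower()
NOTE_SET = {_norm(n) for n in NOTES}

def scan(root):
    """Map each directory under root to the SamSam-style file names in it."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            norm = _norm(name)
            # lstrip: the article prints one note name with a leading dot
            is_note = norm.lstrip(".") in NOTE_SET
            if is_note or os.path.splitext(norm)[1] in EXTENSIONS:
                entry = hits.setdefault(dirpath, {"notes": [], "encrypted": []})
                entry["notes" if is_note else "encrypted"].append(name)
    return hits

def demo():
    """Scan a constructed tree; the sample file names are made up."""
    tree = {"docs": ["q3.xlsx.loveransisgood", "PLEASE-README -AFFECTED-FILES.html"],
            "pics": ["cat.jpg.Country82000"], "clean": ["notes.txt"]}
    with tempfile.TemporaryDirectory() as root:
        for folder, names in tree.items():
            os.makedirs(os.path.join(root, folder))
            for name in names:
                open(os.path.join(root, folder, name), "w").close()
        return {os.path.relpath(d, root): h for d, h in scan(root).items()}

if __name__ == "__main__":
    print(demo())
```

A hit only shows that a file carries one of the names above; a directory that contains both a ransom note and renamed files is the stronger signal when estimating how far encryption has spread.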

Methods used for spreading crypto-malware

In contrast to the majority of ransomware, this threat has been distributed in different ways. Spam emails and phishing scams have become a popular method of convincing users to open an attachment, which usually contains the ransomware.

In the case of SamSam, it has been reported spreading via malicious servers and specific downloaders. Furthermore, the JBoss application was a target of cyber criminals until it changed its name to WildFly[6]. Because of its vulnerability, the ransomware has been capable of infecting an entire network and invading several computers at the same time. Now it is unknown whether the malware is capable of infecting WildFly or not.

In simpler terms, a SamSam attack starts from a pen-testing/attack server. It looks for JBoss vulnerabilities by employing a special tool called JexBoss. Once the vulnerabilities are detected, it drops Trojan:BAT/Samas.B[7] and Trojan:BAT/Samas.C[8] to steal personal credentials. After obtaining such data, the hackers launch their ransomware as a psexec.exe file and initiate the attack. If you are among its victims, let us proceed to SamSam removal.

Terminate SamSam from the device correctly

Now that we have discussed the main features of this file-encrypting malware, completing SamSam removal might seem a troublesome and arduous job. However, if you employ an anti-malware program, the elimination process does not take long.

We suggest eliminating the virus with one of these programs: Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware. Security programs can not only delete all ransomware-related files but also keep your computer protected from cyber threats in the future.

For it to maintain its functionalities flawlessly, you need to update the software daily. If you cannot remove SamSam virus because of the inability to launch the security program or access other important OS programs, take a look at the recovery guidelines below.


Manual SamSam virus Removal Guide:

Remove SamSam using Safe Mode with Networking


In some cases, ransomware prevents users from accessing or running security programs. Thus, you have to reboot your computer to the Safe Mode with Networking as shown below. Then repeat system scan.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove SamSam

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before a full system scan, then remove the malicious files that belong to the ransomware and complete SamSam removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove SamSam using System Restore


This method also helps to disable the virus in order to run automatic ransomware removal.

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that is prior to the infiltration of SamSam. After doing that, click Next.
    4. Now click Yes to start system restore.
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that SamSam removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove SamSam from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by SamSam ransomware, you can try decrypting them only after you remove the ransomware. After that, you can use one of the following methods to restore them:

Recover your files encrypted by SamSam virus with the help of Data Recovery Pro

If you are infected with SamSam virus, you can try using Data Recovery Pro to recover your encrypted files. This application is widely known for helping people revive their accidentally deleted files and similar data.

Use Windows Previous Versions feature to recover separate files encrypted by SamSam ransomware

If you have files that are very important to you, you can try recovering them with the help of Windows Previous Versions feature. However, to use it, you need to make sure that System Restore function was enabled before the appearance of SamSam.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

SamSam decrypter

At the moment, there is a SamSam decrypter available on the Internet. However, since Google SafeBrowsing considers it dangerous, we cannot share a link to it here. We will update the article as soon as a 100% safe and official decrypter appears. Be patient!

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from SamSam and other ransomware, use a reputable anti-spyware program, such as Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware.


  • BruceAl

    yeah..hospitals are the right companies to hijack. The hackers could aim at the black market instead.

  • Roger48

    They are becoming too powerful.

  • Sammy

    So do anti-virus programs work?

  • Liz

    Smart move. Now they are shifting to networks…

  • Billy.Joel

    My friend got this virus packed in spam.