Severity scale:  

SamSam ransomware virus. How to remove? (Uninstall guide)

removal by Julie Splinters - - | Type: Ransomware

SamSam ransomware — dangerous strain of viruses which target large-scale organizations for money extortion

SamSam virus
SamSam virus is ransomware-type infection which particularly targets well-known organizations.

Questions about SamSam ransomware virus

SamSam ransomware is a file-encrypting virus which uses RSA 2048 ciphers for data encryption. Experts have first discovered the malware in June 2016 and since then it has been actively targeting large-scale organizations, such as hospitals or medical testing companies, like LabCorp. SamSam ransomware family is highly sophisticated and dangerous. In fact, it currently uses 12 different file extensions alongside unique ransom notes. After it completes file encryption, victims are demanded to pay a specific amount of money as a ransom for SamSam decryption tool. 

Summary of the cyber threat
Name SamSam
Type Ransomware
Danger level High. Makes system changes and encrypts files
Release date June 2016
Cryptography RSA-2048
Appended extensions .weapologize, .AreYouLoveMyRansFile, .breeding123, .country82000, .disposed2017, .fucku, .happenencedfiles, .helpmeencedfiles, .howcanihelpusi, .iaufkakfhsaraf, .mention9823, .myransext2017, .noproblemwedecfiles, .notfoundrans, .prosperous66, .powerfulldecryp, .supported2017, .suppose666, .VforVendetta, .Whereisyourfiles, .wowreadfordecryp, .wowwhereismyfiles, .loveransisgood.
Ransom notes 0009-SORRY-FOR-FILES.html,
Ransom Varies. Some versions ask to pay 1.7 Bitcoins for the computer; others demand 45 BTC for the whole network.
To uninstall SamSam ransomware, install Reimage and run a full system scan

SamSam ransomware was detected after it infected several hospitals in the United States[1] in 2016. MedStar hospital was in the worst position after this ransomware attack because it was required to pay 45 Bitcoins or $18,500 in exchange for the encrypted data. Fortunately, IT specialists in this hospital managed to remove SamSam virus and find backups of encrypted data and used them to recover affected files. Hence, cybercriminals did not receive the money. 

Therefore, the main targets of the malware are organizations and businesses. FBI has officially warned the corporations and businesses to increase their cybersecurity.[2] According to the latest information, malware relies on the targeted attacks and does not seem to infect random computers. The functionality of the virus requires attackers participation – he or she has to enter a specific password to begin the attack.[3]

SamSam virus is identified by major security program as Trojan.Ransom.SamSamMSIL/Filecoder_Samas.B!trBackdoor.Ratenjay.Gen!cMsil.Trojan.Dothetuk.Tccf, etc.[4] However, the virus is designed to bypass the computer's security. Therefore, it's not enough to install reputable security software to avoid ransomware attack. The virus executable is dropped on the system when a victim opens a malicious email attachment.

SamSam ransomware is known to rely on fake email messages pretending to be notifications from UPS or similar delivery company. Once inside the system, ransomware encrypts files and provides a special email address (, etc.) to contact its developers. The data is typically encrypted with the RSA-2048 encryption algorithm, so there is no chance to guess the code needed for its decryption.

The virus has been updated a couple of times. Currenntly, it appends one of the following file extensions:

  • .weapologize;
  • .AreYouLoveMyRansFile;
  • .breeding123;
  • .country82000;
  • .disposed2017;
  • .fucku;
  • .happenencedfiles;
  • .helpmeencedfiles;
  • .howcanihelpusir;
  • .iaufkakfhsaraf;
  • .mention9823;
  • .myransext2017;
  • .noproblemwedecfiles;
  • .notfoundrans;
  • .prosperous666;
  • .powerfulldecryp;
  • .supported2017;
  • .suppose666;
  • .VforVendetta
  • .Whereisyourfiles;
  • .wowreadfordecryp;
  • .wowwhereismyfiles;
  • .loveransisgood.

Different variants of the virus might drop different versions of ransom notes. However, at the moment victims might receive one of these ransom notes in:

  • 0009-SORRY-FOR-FILES.html,
  • 000-PLEASE-READ-WE-HELP.html,
  • 000-No-PROBLEM-WE-DEC-FILES.html,
  • 006-READ-FOR-HELLPP.html,

SamSam ransom payment website
SamSam ransomware has its own website to help victims pay the ransom. Although, it is not recommended under any circumstances.

However, after opening any of the above-mentioned ransom notes, you should see such warning:

#What happened to your files?
All your files encrypted with RSA-2048 encryption. For more information search in Google “RSA Encryption.”
#How to recover files?
RSA is a asymmetric cryptographic algorithm, You need one key for encryption and one key for decryption
So you need Private key to recover your files.
It’s not possible to recover your files without private key
#How to get private key?
You can get your private key in 3 easy step:
Step1: You must send us 1,7 Bitcoin for each affected PC or 29 BitCoins to receive ALL Private Keys for ALL affected PCs.
Step 2: After you send us 1,7 Bitcoin, Leave a comment on our Site with this detail: Just write your “host name” in your comment.
* Your host name is: XXXXXXXXXXXX

However, paying the ransom is not recommended. Crooks are known for not giving working decryption software and putting victims into bigger problems. Therefore, it is recommended to remove SamSam ransomware instead of taking shady cyber criminals' offers to recover files. In some cases, malware fails to delete Shadow Volume Copies, and files can be restored with third-party tools, but first, you need to get rid of the virus.

SamSam removal requires using anti-malware software. Use professional tools like Reimage or Plumbytes Anti-MalwareNorton Internet Security to clean the affected device. However, if you cannot download or run security software, you should reboot the affected machine to Safe Mode with Networking as we have explained at the end of this article.

LabCorp: Ransomware hits one of the largest medical testing companies in US

LabCorp, one of the most prominent medical diagnostics company, has recently reported about a suspicious activity on their network on July 14. At that time, IT specialists couldn't identify the cause of it. Although, now the official report from the LabCorp confirms about a ransomware attack, SamSam in particular. 

Luckily, security experts have managed to shut down affected parts of the system in 50 minutes and prevent further damage. Currently, the recovery process has started and the company already operates at 90-percent capacity. However, some clients may not be able to access test results as a result of SamSam ransomware attack. 

According to the analysis, SamSam virus was infiltrated on the company's network via Brute Force against Remote Desktop Protocol (RDP). Thanks to quick response by cybersecurity specialists, none of the customers' information was stolen. Although, the ransomware managed to encrypt the following parts of the network:

  • 7,000 systems;
  • 1,900 servers;
  • 350 production servers.

The evolution of SamSam ransomware

First SamSam ransomware version has been discovered using .notfoundrans file extension to mark encrypted data. Additionally, users received 006-READ-FOR-HELLPP.html file which was identified as a ransom note. Later, the attackers switched from the previous suffix to .wowreadfordecryp. 

Additionally, it leaves the ransom note called 000-WOW-READ-FOR-DECRYP.html. On January 4, 2017, virus emerged with a ransomware that adds .wowwhereismyfiles extensions to encoded records and drops a ransom note titled as 001-PLS-DEC-MY-FILES.html. Another variant spotted on the 1st of November 2017 is recognized from .helpmeencedfiles file extensions and HELP-ME-ENCED-FILES.html ransom note;

Just before New Year's Eve, Sam Sam attacks with a virus that renames files by adding .Whereisyourfiles file extensions and then leaves WHERE-YOUR-FILES.html ransom note on the system. On December 25, SamSam virus appeared as a virus that appends .happenencedfiles to files and leaves information about the data recovery options in 002-HAPPEN-ENCED-FILES.html file.

Less than a week earlier, on December 20, a variant adding .theworldisyours extensions and leaving CHECK-IT-HELP-FILES.html was spotted. December 15, 2016, reveals a new version that is recognized from .howcanihelpusir and READ-V-HLP-YOU.html ransom note.

The developers[5] of the original version seem to have sought inspiration from the famous Alan Moore's 1989 comic book character – V. During data encryption it attaches .VforVendetta file extension to the targeted files. However, it’s just one of the possible extensions that might damage pictures, documents, audio and video files.

In January 2017, a new version of the virus has been detected. It appends .powerfulldecrypt file extension to the corrupted files. This time the instructions are delivered in WE-MUST-DEC-FILES.html web page. What is more, SamSam launches when a trojan enters an operating system. According to the results of the analysis, security programs detect the virus under different trojan names. Some of them are Trojan[Ransom]/MSIL.Samas, Ransom.FileCryptor, and Ransom:Win32/FileCryptor. Update your security software not to get infected with this virus.

It didn’t take long for hackers to upgrade ransomware one more time. In the middle of January 2017, the new variant of SamSam was noticed appending a new file extension and delivering and the ransom note. Now it adds .noproblemwedecfiles file extension and informs about the necessity to pay the ransom in the 000-No-PROBLEM-WE-DEC-FILES.html file.

SamSam ransomware attack
SamSam gives specific guidelines showing how to recover encrypted data.

Another version of SamSam was found at the beginning of March. It uses .iaufkakfhsaraf file extension and drops the ransom note, called as: IF_WANT_FILES_BACK_PLS_READ.html.

On June 2017 the ransomware has been updated one more time. The recent variant is executed from the wound2.exe file. It appends .moments2900 file extension to the affected data and then drops a ransom note called .READ-FOR-DECCCC-FILESSS.html.

On August 2017, security experts detected newly-released versions that attached .country82000, .supported2017, .prosperous666, and .disposed2017[6] extensions. To contact their victims, these viruses used PLEASE-README -AFFECTED-FILES.html file. 

After a month, the malware developers struck again with a new variation which leaves its distinctive mark – .myransext2017 file extension. Furthermore, the demands are presented in 005-DO-YOU-WANT-FILES.html file. No other changes are recorded The malware is likely to spread via spam emails and infected applications as well as trojans.

On October 2017, malware researchers noticed another variant of Sam Sam spreading on Web. This time ransomware travels as a friendly2.exe file. On the affected device it should act the same as previous versions of the virus. It encrypts files using sophisticated algorithm and demands to pay the ransom.

The significant changes made in the latest versions of this ransomware are related to file extension used by it to mark affected files. This time, SamSam locks files with .loveransisgood, .fucku and .areyoulovemyrans extensions.

Sophisticated infections are distributed in multiple ways

The key difference of this file-encrypting from other ransomware-type infections is that it uses targeted attacks. In other terms, it does not aim to infect the computers of regular users rather than target large-scale organizations. Thus, the developers of the virus create unique spam emails to infiltrate the networks of well-known firms. 

This threat has been distributed using other methods too. The most shocking discovery is that this virus has been relying on vulnerability found in JBoss application. Alternatively known as WildFly,[7] it helped the virus infect the entire network and invade several computers at the same time. 

When spreading with the help of this method, the virus uses a special tool called JexBossooks to look for JBoss vulnerabilities. Once the vulnerabilities are detected, it drops Trojan:BAT/Samas.B [8] and Trojan:BAT/Samas.C.[9] to steal personal credentials. After obtaining such data, the hackers launch their ransomware as a psexec.exe file and initiate the attack of the ransomware. 

Therefore, to avoid ransomware attack, you have to:

  • Be careful with received emails and do not rush opening any attached files;
  • Install all software and OS updates to avoid exploitation of vulnerabilities;
  • Download updates and security patches from the official websites.

Learn how uninstall SamSam ransomware virus from the system

It is evident that the attackers try their best to create an infection which is persistent. Therefore, SamSam ransomware removal process is not an easy task. Although, professional security tools can significantly help with the elimination of this cyber threat.

We suggest eliminating the virus with one of these programs Reimage, Malwarebytes or Plumbytes Anti-MalwareNorton Internet Security. Security programs cannot only delete all ransomware-related files but keep your computer protected from cyber threats in the future. 

For it to maintain its functionalities flawlessly, you need to update the software daily. If you cannot remove SamSam virus because of the inability to launch the security program or access other important OS programs, take a look at the recovery guidelines below.

You should also create a safe environment on your computer before initiating Samsam removal. To help you protect your registry entries and similar components, we prepared a video guide to show you how it is done:

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software you agree to our privacy policy and agreement of use.
do it now!
Reimage (remover) Happiness
Reimage (remover) Happiness
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to remove virus damage. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
More information about this program can be found in Reimage review.

If you decided to select another anti-spyware, uninstall Reimage from your computer.
Press mentions on Reimage
Alternate Software
Alternate Software

To remove SamSam virus, follow these steps:

Remove SamSam using Safe Mode with Networking

In some cases, ransomware prevents users from accessing or running security programs. Thus, you have to reboot your computer to the Safe Mode with Networking as shown below to start its removal. Then repeat system scan.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove SamSam

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete SamSam removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove SamSam using System Restore

System Restore method can also help you disable the virus in order to run automatic ransomware removal. For that, use the following steps:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of SamSam. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that SamSam removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove SamSam from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by SamSam ransomware, you can try decrypting them only after you remove the ransomware. For that, make sure you choose one of the following methods:

If your files are encrypted by SamSam, you can use several methods to restore them:

Recover your files encrypted by SamSam virus with the help of Data Recovery Pro

If you are infected with SamSam virus, you can try using Data Recovery Pro to recover your encrypted files. This application is widely known for helping people revive their accidentally deleted files and similar data.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by SamSam ransomware;
  • Restore them.

Use Windows Previous Versions feature to recover separate files encrypted by SamSam ransomware

If you have files that are very important to you, you can try recovering them with the help of Windows Previous Versions feature. However, to use it, you need to make sure that System Restore function was enabled before the appearance of SamSam.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

SamSam decrypter

At the moment, there is a SamSam decrypter available on the Internet, however, since Google SafeBrowsing considers it dangerous, we cannot share a link to it here. We will update the article as soon as a 100% safe and official decrypter appears. Be patient!

About the author

Julie Splinters
Julie Splinters - Malware removal specialist

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Julie Splinters
About the company Esolutions


Removal guides in other languages