Samsam Ransomware [Updated]

Also Known As: Samsam virus
Distribution: Low
Damage level: Severe

Samsam ransomware removal instructions

What is Samsam?

Samsam is high-risk ransomware designed to infect unpatched servers and encrypt files stored on computers networked to the infected server. This ransomware is distributed manually. Samsam appends the name of each encrypted file with one of the following extensions: .weapologize, .areyoulovemyrans, .loveransisgood, .myransext2017, .disposed2017, .prosperous666, .supported2017, .country82000, .moments2900, .breeding123, .mention9823, .suppose666, .skjdthghh, .cifgksaffsfyghd, .iaufkakfhsaraf, .filegofprencrp, .weencedufiles, .encryptedyourfiles, .letmetrydecfiles, .otherinformation, .weareyourfriends, .noproblemwedecfiles, .powerfulldecrypt, .wowreadfordecryp, .wowwhereismyfiles, .helpmeencedfiles, .theworldisyours, .vekanhelpu, .howcanihelpusir, .VforVendetta, .checkdiskenced, .encmywork, .notfoundrans, .goforhelp, .iloveworld, .canihelpyou, .only-we_can-help_you, .encryptedAES, .encryptedRSA, .encedRSA, .justbtcwillhelpyou, .btcbtcbtc, or .btc-help-you - this depends on the version of ransomware. Samsam employs the RSA-2048 asymmetric encryption algorithm and, therefore, two keys (public and private) are generated during encryption -  public to encrypt, private to decrypt. Cyber criminals demand a ransom payment in exchange for the private key. Restoring files without this key is impossible. After encrypting the files, Samsam automatically uninstalls from the victim's PC.

Cyber criminals employ various tools (for example, Jaxboss) to identify servers that use Red Hat's JBoss enterprise products. As well as encrypting files, Samsam gathers detailed information about the networked PCs. During encryption, Samsam creates a ransom-demand HTML file named 'HELP_DECRYPT_YOUR_FILES.HTML', '001-HELP_FOR_DECRYPT_FILE.html', '0009-SORRY-FOR-FILES.html' or '006-READ-FOR-HELLPP.html' and places it on the desktop. Newer variants of this ransomware create a PLEASE_READ_FOR_DECRYPT_FILES_[Number].html file. This file contains a message stating that files on networked computers have been encrypted and that victims must pay a ransom of 1 Bitcoin per infected PC. The file provides step-by-step payment instructions. Therefore, we strongly advise you to disconnect the infected server from the network upon discovery of this ransomware. In this way, you will be able to prevent further infections. Currently, one Bitcoin is equivalent to $446.9 and, thus, paying the ransom for a large computer network may total thousands of dollars. Unfortunately, there are no tools presently capable of restoring files encrypted by Samsam - the private key is stored on remote servers controlled by cyber criminals and decryption without it is impossible. Therefore, the only solution to this problem is to restore your files from a backup.

Screenshot of a message encouraging users to contact the developers of Samsam ransomware to decrypt their compromised data:

samsam ransomware main

Although most ransomware is not distributed manually (it usually infiltrates systems via fake software updates, infectious email attachments, malicious files distributed through P2P [peer-to-peer] networks [such as Torrent], and/or trojans), Samsam shares many similarities with CryptoWall, CTB-Locker, Locker, and dozens of other ransomware-type viruses. All encrypt victims' files and make ransom demands. The only differences are size of ransom and type of encryption algorithm used. Note that files will most probably remain encrypted even after paying the ransom. Therefore, you should never attempt to contact cyber criminals or pay any ransom. To prevent this situation, you should keep your installed software up-to-date. In addition, be careful when opening attachments sent from unrecognized email addresses and downloading files/software from third party sources. Using a legitimate anti-virus or anti-spyware suite is also paramount.

Screenshot of a Tor website used to communicate with samsam ransomware victims:

samsam ransomware Tor website

Samsam ransom demand message (HELP_DECRYPT_YOUR_FILES.HTML):

Samsam ransom demanding message

Ransom demand message presented in HELP_DECRYPT_YOUR_FILES.HTML file:

#What happened to your files?
All of your important files were encrypted with RSA-2048, RSA-2048 is a powerful cryptography algorithm. For more information you can use Wikipedia.
Attention. Don’t rename or edit encrypted files because it will be impossible to decrypt your files.
#How to recover files?
RSA is a asymmetric cryptography algorithm, You need two key
1-Public key: you need it from encryption
2-Private key: you need it for decryption
So you need Private key to recover your files. It’s not possible to recover your files without private key.
#How to get private key?
You can receive your Private Key in 3 easy steps:
Step1: You must send us One Bitcoin for each affected PC to receive Private Key.
Step 2: After you send us one Bitcoin, Leave a comment on our blog with these detail: Your Bitcoin transaction reference + Your computer name.
#What is Bitcoin?
Bitcoin is an innovative payment network and a new kind of money. You can create a Bitcoin account at hxxp:// and deposit money into your account and then send us.
#How to buy Bitcoin?
There are many way ti buy Bitcoin and deposit it into your account, You can buy it with WesternUnion, Bank Wire, International Bank transfer, Cash deposit and etc. If you want to pay with your Bussiness bank account you should create a business account in exchangers they don’t accept payment from third party.
#How to find the Bitcoin transaction reference?
Login into your blockchain account -> go to “My transactions” tab -> Click on your transaction -> In “Transaction Summary” page, You will find a “hash” with 64 characters long. Send us this hash with your comment on our blog + you computer name.

Data types targeted by Samsam ransomware:

.jin, .xls, .xlsx, .pdf, .doc, .docx, .ppt, .pptx, .txt, .dwg, .bak, .bkf, .pst, .dbx, .zip, .rar, .mdb, .asp, .aspx, .html, .htm, .dbf, .3dm, .3ds, .3fr, .jar, .3g2, .xml, .png, .tif, .3gp, .java, .jpe, .jpeg, .jpg, .jsp, .php, .3pr, .7z, .ab4, .accdb, .accde, .accdr, .accdt, .ach, .kbx, .acr, .act, .adb, .ads, .agdl, .ai, .ait, .al, .apj, .arw, .asf, .asm, .asx, .avi, .awg, .back, .backup, .backupdb, .pbl, .bank, .bay, .bdb, .bgt, .bik, .bkp, .blend, .bpw, .c, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfp, .cgm, .cib, .class, .cls, .cmt, .cpi, .cpp, .cr2, .craw, .crt, .crw, .phtml, .php5, .cs, .csh, .csl, .tib, .csv, .dac, .db, .db3, .db .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .der, .des, .design, .dgc, .djvu, .dng, .dot, .docm, .dotm, .dotx, .drf, .drw, .dtd, .dxb, .dx f, .dxg, .eml, .eps, .erbsql, .erf, .exf, .fdb, .ffd, .fff, .fh, .fmb, .fhd, .fla, .flac, .flv, .fpx, .fxg, .gray, .grey, .gry, .h, .hbk, .hpp, .ibank, .ibd, .ibz, .idx, .iif, .iiq, .incpas, .indd, .kc2, .kdbx, .kdc, .key, .kpdx, .lua, .m, .m4v, .max, .mdc, .mdf, .mef, .mfw, .mmw, .moneywell, .mos, .mov, .mp3, .mp4, .mpg, .mrw, .msg, .myd, .nd, .ndd, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nwb, .nx2, .nxl, .nyf, .oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .oil, .or f, .ost, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pab, .pages, .pas, .pat, .pcd, .pct, .pdb, .pdd, .pef, .pem, .pfx, .pl, .plc, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .pptm, .prf, .ps, .psafe3, .psd, .pspimage, .ptx, .py, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .r3d, .raf, .rat, .raw, .rdb, .rm, .rtf, .rw2, .rwl, .rwz, .s3db, .sas7bdat, .say, .sd0, .sda, .sdf, .sldm, .sldx, .sql, .sqlite, .sqlite3, .sqlitedb, .sr2, .srf, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .std, .sti, .stw, .stx, .svg, .swf, .sxc, .sxd, .sxg, .sxi, .sxi, .sxm, .sxw, .tex, .tga, .thm, .tlg, .vob, .war, .wallet, .wav, .wb2, .wmv, .wpd, .wps, .x11, .x3f, .xis, .xla, .xlam, .xlk, .xlm, .xlr, .xlsb, .xlsm, .xlt, .xltm, .xltx, .xlw, .ycbcra, .yuv

Samsam ransomware removal:

Instant automatic removal of Samsam virus: Manual threat removal might be a lengthy and complicated process that requires advanced computer skills. Spyhunter is a professional automatic malware removal tool that is recommended to get rid of Samsam virus. Download it by clicking the button below:
▼ DOWNLOAD Spyhunter By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. Free scanner checks if your computer is infected. To remove malware, you have to purchase the full version of Spyhunter.

Quick menu:

Step 1

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.

Safe Mode with Networking

Video showing how to start Windows 7 in "Safe Mode with Networking":

Windows 8 users: Start Windows 8 is Safe Mode with Networking - Go to Windows 8 Start Screen, type Advanced, in the search results select Settings. Click Advanced startup options, in the opened "General PC Settings" window, select Advanced startup. Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings". Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.

Windows 8 Safe Mode with networking

Video showing how to start Windows 8 in "Safe Mode with Networking":

Step 2

Log in to the account infected with the Samsam virus. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all entries detected.

If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.

Video showing how to remove ransomware virus using "Safe Mode with Command Prompt" and "System Restore":

1. During your computer start process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, and then select Safe Mode with Command Prompt from the list and press ENTER.

Boot your computer in Safe Mode with Command Prompt

2. When Command Prompt mode loads, enter the following line: cd restore and press ENTER.

system restore using command prompt type cd restore

3. Next, type this line: rstrui.exe and press ENTER.

system restore using command prompt rstrui.exe

4. In the opened window, click "Next".

restore system files and settings

5. Select one of the available Restore Points and click "Next" (this will restore your computer system to an earlier time and date, prior to the Samsam ransomware virus infiltrating your PC).

select a restore point

6. In the opened window, click "Yes".

run system restore

7. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remaining Samsam ransomware files.

To restore individual files encrypted by this ransomware, try using Windows Previous Versions feature. This method is only effective if the System Restore function was enabled on an infected operating system. Note that some variants of Samsam are known to remove Shadow Volume Copies of the files, so this method may not work on all computers.

To restore a file, right-click over it, go into Properties, and select the Previous Versions tab. If the relevant file has a Restore Point, select it and click the "Restore" button.

Restoring files encrypted by CryptoDefense

If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer using a rescue disk. Some variants of ransomware disable Safe Mode making its removal complicated. For this step, you require access to another computer.

To regain control of the files encrypted by Samsam, you can also try using a program called Shadow Explorer. More information on how to use this program is available here.

shadow explorer screenshot

To protect your computer from file encrypting ransomware such as this, use reputable antivirus and anti-spyware programs. As an extra protection method, you can use programs called HitmanPro.Alert and Malwarebytes Anti-Ransomware, which artificially implant group policy objects into the registry to block rogue programs such as Samsam ransomware.)

HitmanPro.Alert CryptoGuard - detects encryption of files and neutralises any attempts without need for user intervention:

hitmanproalert ransomware prevention application

Malwarebytes Anti-Ransomware Beta uses advanced proactive technology that monitors ransomware activity and terminates it immediately - before reaching users' files:

malwarebytes anti-ransomware

  • The best way to avoid damage from ransomware infections is to maintain regular up-to-date backups. More information on online backup solutions and data recovery software Here.

Other tools known to remove Samsam ransomware:

About the author:

Tomas Meskauskas

Tomas Meskauskas - expert security researcher, professional malware analyst.

I am passionate about computer security and technology. I have an experience of over 10 years working in various companies related to computer technical issue solving and Internet security. I have been working as an author and editor for since 2010. Follow me on Twitter and LinkedIn to stay informed about the latest online security threats. Contact Tomas Meskauskas.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

Removal Instructions in other languages
Malware activity

Global virus and spyware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

QR Code
Samsam virus QR code
A QR code (Quick Response Code) is a machine-readable code which stores URLs and other information. This code can be read using a camera on a smartphone or a tablet. Scan this QR code to have an easy access removal guide of Samsam virus on your mobile device.
We Recommend:

Get rid of Samsam virus today:

▼ REMOVE IT NOW with Spyhunter

Platform: Windows

Editors' Rating for Spyhunter:
Editors ratingOutstanding!

[Back to Top]

Free scanner checks if your computer is infected. To remove malware, you have to purchase the full version of Spyhunter.