What is SamSam ransomware? And how does it carry out its attack?
SamSam ransomware is a malicious program designed to encrypt files so that its victims can no longer access them. This ransomware has targeted several high-profile institutions, including hospitals, a city council and an ICS firm. Reported attacks include those against the Adams Memorial Hospital in Decatur; Hancock Health Hospital in Greenfield, Indiana; the municipality of Farmington, New Mexico; Allscripts, a cloud-based Electronic Health Records (EHR) provider; and an unnamed Industrial Control System (ICS) company in the US.
SamSam ransomware is distributed from compromised servers, which are then used to reach other computers on the same network. This means it uses a different attack vector than a typical ransomware threat. Once it has infiltrated a system, it begins its attack by scanning the computer for files with extensions such as:
.3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .7z, .ab4, .accdb, .accde, .accdr, .accdt, .ach, .acr, .act, .adb, .ads, .agdl, .ai, .ait, .al, .apj, .arw, .asf, .asm, .asp, .aspx, .asx, .avi, .awg, .back, .backup, .backupdb, .bak, .bank, .bay, .bdb, .bgt, .bik, .bkf, .bkp, .blend, .bpw, .c, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfp, .cgm, .cib, .class, .cls, .cmt, .cpi, .cpp, .cr2, .craw, .crt, .crw, .cs, .csh, .csl, .csv, .dac, .db, .db-journal, .db3, .dbf, .dbx, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .der, .des, .design, .dgc, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .eml, .eps, .erbsql, .erf, .exf, .fdb, .ffd, .fff, .fh, .fhd, .fla, .flac, .flv, .fmb, .fpx, .fxg, .gray, .grey, .gry, .h, .hbk, .hpp, .htm, .html, .ibank, .ibd, .ibz, .idx, .iif, .iiq, .incpas, .indd, .jar, .java, .jin, .jpe, .jpeg, .jpg, .jsp, .kbx, .kc2, .kdbx, .kdc, .key, .kpdx, .lua, .m, .m4v, .max, .mdb, .mdc, .mdf, .mef, .mfw, .mmw, .moneywell, .mos, .mov, .mp3, .mp4, .mpg, .mrw, .msg, .myd, .nd, .ndd, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nwb, .nx2, .nxl, .nyf, .oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .oil, .orf, .ost, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pab, .pages, .pas, .pat, .pbl, .pcd, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .php, .php5, .phtml, .pl, .plc, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prf, .ps, .psafe3, .psd, .pspimage, .pst, .ptx, .py, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .r3d, .raf, .rar, .rat, .raw, .rdb, .rm, .rtf, .rw2, .rwl, .rwz, .s3db, .sas7bdat, .say, .sd0, .sda, .sdf, .sldm, .sldx, .sql, .sqlite, .sqlite3, .sqlitedb, .sr2, .srf, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .std, .sti, .stw, .stx, .svg, .swf, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .tex, .tga, .thm, .tib, .tif, .tlg, .txt, .vob, .wallet, .war, .wav, .wb2, .wmv, .wpd, .wps, .x11, .x3f, .xis, .xla, .xlam, .xlk, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .ycbcra, .yuv, .zip.
After it locates all its targeted files, of which there are many, it encrypts them using Rijndael (the AES cipher) and then encrypts the Rijndael key with RSA-2048, which makes it impossible for victims to recover the encrypted files without the attackers' private key. Following data encryption, depending on which SamSam variant infected the system, it drops one of these ransom notes: 0009-SORRY-FOR-FILES.html, IF_WANT_FILES_BACK_PLS_READ.html, 000-PLEASE-READ-WE-HELP.html, 000-No-PROBLEM-WE-DEC-FILES.html, READ-FOR-DECCCC-FILESSS.html, HELP_DECRYPT_YOUR_FILES.HTML, 001-HELP_FOR_DECRYPT_FILE.html, 006-READ-FOR-HELLPP.html, PLEASE_READ_FOR_DECRYPT_FILES_[Number].html or PLEASE-README -AFFECTED-FILES.html. All of them contain the same ransom message, which states:
“#What happened to your files?
All your files encrypted with RSA-2048 encryption. For more information search in Google “RSA Encryption.”
#How to recover files?
RSA is an asymmetric cryptographic algorithm, You need one key for encryption and one key for decryption
So you need a Private key to recover your files.
It’s not possible to recover your files without private key
#How to get private key?
You can get your private key in 3 easy step:
Step1: You must send us 1,7 Bitcoin for each affected PC or 29 BitCoins to receive ALL Private Keys for ALL affected PCs.
Step 2: After you send us 1,7 Bitcoin, Leave a comment on our Site with this detail: Just write your “host name” in your comment.
* Your host name is: XXXXXXXXXXXX
[…]”
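As an added triage example (not part of the original guide), the following Python script walks a directory tree, flags any of the ransom-note filenames quoted above (including the numbered variant) and counts how many files carry an extension from the SamSam target list, which gives a quick measure of what was at risk on a host; the sample tree and the extension subset are constructed here for illustration.

```python
import os
import re
import tempfile
from collections import Counter

# Ransom-note filenames quoted in the write-up; the "[Number]" variant is
# handled by the regex below. Matching is case-insensitive.
RANSOM_NOTE_NAMES = {n.lower() for n in (
    "0009-SORRY-FOR-FILES.html", "IF_WANT_FILES_BACK_PLS_READ.html",
    "000-PLEASE-READ-WE-HELP.html", "000-No-PROBLEM-WE-DEC-FILES.html",
    "READ-FOR-DECCCC-FILESSS.html", "HELP_DECRYPT_YOUR_FILES.HTML",
    "001-HELP_FOR_DECRYPT_FILE.html", "006-READ-FOR-HELLPP.html",
    "PLEASE-README -AFFECTED-FILES.html",
)}
NUMBERED_NOTE = re.compile(r"^please_read_for_decrypt_files_\d+\.html$")

# Subset of the targeted extensions listed above; extend with the full list.
TARGET_EXTENSIONS = {
    ".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".sql", ".bak",
    ".pst", ".mdf", ".kdbx", ".pem", ".pfx", ".zip", ".py", ".txt",
}

def triage_tree(root):
    """Walk root; return ransom notes found plus a per-extension count of
    files on the SamSam target list."""
    notes, targeted = [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower in RANSOM_NOTE_NAMES or NUMBERED_NOTE.match(lower):
                notes.append(os.path.join(dirpath, name))
                continue
            ext = os.path.splitext(lower)[1]
            if ext in TARGET_EXTENSIONS:
                targeted[ext] += 1
    return {"ransom_notes": sorted(notes), "targeted_files": dict(targeted)}

def build_sample_tree(base):
    """Constructed sample: two documents, one binary and two ransom notes."""
    os.makedirs(os.path.join(base, "docs"))
    for rel in ("docs/budget.xlsx", "docs/Report.DOCX", "docs/setup.exe",
                "docs/PLEASE_READ_FOR_DECRYPT_FILES_42.html",
                "0009-SORRY-FOR-FILES.html"):
        with open(os.path.join(base, rel), "w") as fh:
            fh.write("sample\n")

def demo():
    """Run the triage over the constructed tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return triage_tree(base)
```

Point `triage_tree` at a user profile or file share to find notes and count exposed documents; `demo()` returns the result for the constructed tree.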
How does SamSam ransomware spread its malicious payload?
According to researchers, JexBoss is being used to spread SamSam ransomware. JexBoss is an open source tool for testing JBoss application servers; with it, third parties can gain a foothold on a network and start spreading SamSam ransomware. Because of this, SamSam ransomware can spread across a great many computer systems.
Use the following removal guide to eliminate SamSam ransomware from your system.
Step 1: Restart your PC into Safe Mode with Networking.
Step 2: Once your computer has finished rebooting, tap Ctrl + Shift + Esc to open Windows Task Manager, look for SamSam ransomware’s malicious process and end it.
Step 3: Open Programs and Features in Control Panel by pressing the Windows key + R, typing appwiz.cpl and then clicking OK or pressing Enter.
Step 4: Look for SamSam ransomware or any suspicious program and uninstall it.
Step 5: Tap Win + E keys to launch File Explorer.
Step 6: Navigate to the following locations, look for SamSam ransomware’s malicious components and delete them.
- %TEMP%
- %APPDATA%
- %USERPROFILE%\Desktop
- %USERPROFILE%\Downloads
- %ALLUSERPROFILE%\Start Menu\Programs
- %APPDATA%\Microsoft\Windows\Start Menu\Programs
- %USERPROFILE%\Microsoft\Windows\Start Menu\Programs
- %ALLUSERPROFILE%\Microsoft\Windows\Start Menu\Programs
- %ALLUSERPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs
Step 7: Close File Explorer. Before you proceed to the next steps, make sure you are comfortable enough with the Windows Registry to know exactly how to navigate and edit it. Keep in mind that any changes you make can severely affect your computer. To save yourself the trouble and time, you can instead use PC Cleaner Pro, a system tool that is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage the Windows Registry well, then, by all means, go on to the next steps.
Step 8: Tap Win + R to open Run, type regedit in the field and press Enter to open the Registry Editor.
Step 9: Navigate to the following paths:
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\
Step 10: Delete the registry keys as well as sub-keys created by SamSam ransomware.
Step 11: Close the Registry Editor and empty your Recycle Bin.
To make sure that nothing is left behind and that SamSam is completely removed, use the following antivirus program. To use it, refer to the instructions below.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it’s already on, reboot it.
- After that, the BIOS screen will be displayed; if Windows loads instead, reboot your computer and try again. Once you’re on the BIOS screen, repeatedly press F8 until the Advanced Option menu shows up.
- To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
- Windows will now load the Safe Mode with Networking.
- Press and hold both the Windows key and the R key.
- If done correctly, the Windows Run Box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro (a single space must be between explorer and http), then click OK.
- A dialog box will be displayed by Internet Explorer. Click Run to begin downloading the program. The installation will start automatically once the download is done.
- Click OK to launch it.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.