.encryptedRSA Files Virus (SamSam) – How to Remove + Restore Data

This article has been created to explain what the latest variant of SamSam ransomware is, how it works, how to remove it, and how to restore files that have had the .encryptedRSA suffix added to them.

SamSam ransomware has been updated once again, this time with a new feature that allows it to be triggered manually after it has infected a computer. SamSam is the type of malware that aims to encrypt the files on servers and computers and then extort the victims into paying a ransom to get their backups, databases and documents working again. If your organization or computer has been infected by the .encryptedRSA strain of SamSam ransomware, we recommend that you read this article to learn more about this iteration of SamSam and what options you have to restore your files after removing the malware.

Threat Summary

Name: .encryptedRSA Ransomware
Type: Ransomware, Cryptovirus
Short Description: New variant of SamSam ransomware. Encrypts files on the victim’s computer after infecting it and holds them hostage until the victim pays a ransom.
Symptoms: Files are encrypted with RSA and the extension .encryptedRSA is added to them.
Distribution Method: Spam emails, email attachments, executable files

SamSam Ransomware – Propagation

SamSam ransomware typically spreads to both private computers and businesses, meaning that it may infect targeted servers and computers on organizations' networks as well as private systems via a wide variety of infection methods. If the .encryptedRSA variant of SamSam has infected an organization, it is very likely that the crooks sent e-mails to the organization containing the infection file disguised as an attachment. This takes some reconnaissance, since the crooks may send the e-mails from a spoofed address imitating an actual employee of the organization, increasing the credibility of the message and its attachment. The attachments may be all sorts of documents, such as:

  • Reports.
  • Statements.
  • Invoices.
  • Security activity.
  • Letter of resignation.
  • Other made up documents.

In reality, the malicious files of this infection slip in unnoticed thanks to various kinds of obfuscation software aimed at concealing them from protection software, and thanks to exploit kits that take advantage of unpatched bugs in the network.

In addition, this iteration of SamSam ransomware may also hide behind seemingly legitimate programs uploaded to shady websites, which may pretend to be installers, portable software, or license activators of some sort (cracks, patches, etc.).

The biggest SamSam attacks generated a lot of media buzz as well. The malware reportedly made about $850,000 in a single week, and after the virus infected and crippled the city of Atlanta, the ransom demand itself was $51,000 – pretty serious malware.

So far, the attacks on government facilities in the US to which SamSam ransomware propagated and which it held hostage were reported to be:

  • Department of Transportation (Colorado)
  • The Kentucky Hospital.
  • Valley State University of Mississippi.
  • Adams Memorial Hospital in Indiana.
  • Farmington Municipality, New Mexico.
  • Allscripts E.H.R. provider.
  • An unknown industrial company in the United States.

And the ransomware may hit anywhere, anytime.

SamSam .encryptedRSA Variant – Analysis of Activity

According to technical analysis performed by Ravikant Tiwari, the .encryptedRSA SamSam ransomware variant performs a series of known activities, as well as new ones compared with its older variants, and features stronger file encryption.

The two main infection files of the malware are reported by Tiwari to be:

  • Loader of the malware.
  • The actual ransomware file of .encryptedRSA SamSam.

The primary ransomware file of SamSam has been reported to carry the .stubbin file extension. This extension is not a recognized file type, and its main purpose is to let the file be dropped undetected. So we have a new and unique method of infection and obfuscation at the same time, because an unfamiliar file suffix also means the file will likely slip past most real-time protection shields of traditional antivirus products.

But the most interesting part is that the ransomware may infect a computer and, when this happens, SamSam is not activated but waits patiently for the hackers behind the malware to activate it. This is because the .stubbin file is the actual ransomware in encrypted form, more specifically encrypted with the AES algorithm, making it something of a “beast in a cage”. Once the threat actor decrypts the AES-encrypted .stubbin file, the ransomware calls a Load function which loads a .NET file with a received parameter. In practice, this is the hacker decrypting the .stubbin file and then executing it on the infected computer via a batch file that supplies the password. What is worse, according to researchers this password is typed manually by the hackers to trigger the ransomware. Once running, it starts performing its malicious activity, which includes displaying the ransom note file, which looks like the following:

In the ransom note, the virus instructs victims to visit a TOR-based web page, where they can contact the cyber-criminals and negotiate their payment.

.encryptedRSA SamSam Virus – Encryption Analysis

Before starting the encryption process, the SamSam .encryptedRSA variant carefully checks the available disk space on the machine it is about to encrypt. It then begins the file encryption process by scanning for files matching the following pre-set list of extensions:

→ “.jin”, “.xls”, “.xlsx”, “.pdf”, “.doc”, “.docx”, “.ppt”, “.pptx”, “.log”, “.txt”, “.gif”, “.png”, “.conf”, “.data”, “.dat”, “.dwg”, “.asp”, “.aspx”, “.html”, “.htm”, “.php”, “.jpg”, “.jsp”, “.js”, “.cnf”, “.cs”, “.vb”, “.vbs”, “.mdb”, “.mdf”, “.bak”, “.bkf”, “.java”, “.jar”, “.war”, “.pem”, “.pfx”, “.rtf”, “.pst”, “.dbx”, “.mp3”, “.mp4”, “.mpg”, “.bin”, “.nvram”, “.vmdk”, “.vmsd”, “.vmx”, “.vmxf”, “.vmsn”, “.vmem”, “.gz”, “.3dm”, “.3ds”, “.zip”, “.rar”, “.3fr”, “.3g2”, “.3gp”, “.3pr”, “.7z”, “.ab4”, “.accdb”, “.accde”, “.accdr”, “.accdt”, “.ach”, “.acr”, “.act”, “.adb”, “.ads”, “.agdl”, “.ai”, “.ait”, “.al”, “.apj”, “.arw”, “.asf”, “.asm”, “.asx”, “.avi”, “.awg”, “.back”, “.backup”, “.backupdb”, “.pbl”, “.bank”, “.bay”, “.bdb”, “.bgt”, “.bik”, “.bkp”, “.blend”, “.bpw”, “.c”, “.cdf”, “.cab”, “.chm”, “.cdr”, “.cdr3”, “.cdr4”, “.cdr5”, “.cdr6”, “.cdrw”, “.cdx”, “.ce1”, “.ce2”, “.cer”, “.cfp”, “.cgm”, “.cib”, “.class”, “.cls”, “.cmt”, “.cpi”, “.cpp”, “.cr2”, “.craw”, “.crt”, “.crw”, “.csh”, “.csl”, “.csv”, “.dac”, “.db”, “.db3”, “.dbf”, “.db-journal”, “.dc2”, “.dcr”, “.dcs”, “.ddd”, “.ddoc”, “.ddrw”, “.dds”, “.der”, “.des”, “.design”, “.dgc”, “.djvu”, “.dng”, “.dot”, “.docm”, “.dotm”, “.dotx”, “.drf”, “.drw”, “.dtd”, “.dxb”, “.dxf”, “.jse”, “.dxg”, “.eml”, “.eps”, “.erbsql”, “.erf”, “.exf”, “.fdb”, “.ffd”, “.fff”, “.fh”, “.fmb”, “.fhd”, “.fla”, “.flac”, “.flv”, “.fpx”, “.fxg”, “.gray”, “.grey”, “.gry”, “.h”, “.hbk”, “.hpp”, “.ibank”, “.ibd”, “.ibz”, “.idx”, “.iif”, “.iiq”, “.tib”, “.incpas”, “.indd”, “.jpe”, “.jpeg”, “.kc2”, “.kdbx”, “.kdc”, “.key”, “.kpdx”, “.lua”, “.m”, “.m4v”, “.max”, “.mdc”, “.mef”, “.mfw”, “.mmw”, “.moneywell”, “.mos”, “.mov”, “.mrw”, “.msg”, “.myd”, “.nd”, “.ndd”, “.nef”, “.nk2”, “.nop”, “.nrw”, “.ns2”, “.ns3”, “.ns4”, “.nsd”, “.nsf”, “.nsg”, “.nsh”, “.nwb”, “.nx2”, “.nxl”, “.nyf”, “.oab”, “.obj”, “.odb”, “.odc”, “.odf”, “.odg”, “.odm”, “.odp”, “.ods”, “.odt”, “.oil”, “.orf”, “.ost”, “.otg”, “.oth”, “.otp”, “.ots”, “.ott”, “.p12”, “.p7b”, 
“.p7c”, “.pab”, “.pages”, “.pas”, “.pat”, “.pcd”, “.pct”, “.pdb”, “.pdd”, “.pef”, “.pl”, “.plc”, “.pot”, “.potm”, “.potx”, “.ppam”, “.pps”, “.ppsm”, “.ppsx”, “.pptm”, “.prf”, “.ps”, “.psafe3”, “.psd”, “.pspimage”, “.ptx”, “.py”, “.qba”, “.qbb”, “.qbm”, “.qbr”, “.qbw”, “.qbx”, “.qby”, “.r3d”, “.raf”, “.rat”, “.raw”, “.rdb”, “.rm”, “.rw2”, “.rwl”, “.rwz”, “.s3db”, “.sas7bdat”, “.say”, “.sd0”, “.sda”, “.sdf”, “.sldm”, “.sldx”, “.sql”, “.sqlite”, “.sqlite3”, “.sqlitedb”, “.sr2”, “.srf”, “.srt”, “.srw”, “.st4”, “.st5”, “.st6”, “.st7”, “.st8”, “.std”, “.sti”, “.stw”, “.stx”, “.svg”, “.swf”, “.sxc”, “.sxd”, “.sxg”, “.sxi”, “.sxi”, “.sxm”, “.sxw”, “.tex”, “.tga”, “.thm”, “.tlg”, “.vob”, “.wallet”, “.wav”, “.wb2”, “.wmv”, “.wpd”, “.wps”, “.x11”, “.x3f”, “.xis”, “.xla”, “.xlam”, “.xlk”, “.xlm”, “.xlr”, “.xlsb”, “.xlsm”, “.xlt”, “.xltm”, “.xltx”, “.xlw”, “.ycbcra”, “.yuv”

The encryption process consists of reading the file in segments of 10240 bytes and encrypting its content, after which the encrypted version is written to a new, renamed file carrying the .encryptedRSA extension. The original files are then deleted, and the copied encrypted files appear like the following:

What is interesting here is that the newer version of SamSam does not forget to encrypt backup files as well.
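As an added defender-side example (not code from the article or from Tiwari's analysis), the following Python triage helper turns the two artifacts described above, the AES-encrypted .stubbin payload and the .encryptedRSA renaming, into a quick incident-response check: it walks a directory tree, measures byte entropy over one 10240-byte segment, tallies encrypted files by their original extension, and flags hits on backup files and on extensions outside the published target list. The file names, the TARGET_EXTS subset and the sample tree built by demo() are constructed for this example.

```python
# Added triage helper, not code from the article or the analysis it cites: walks a directory,
# reports .stubbin artifacts and .encryptedRSA files tallied by original extension.
import math
import os
import tempfile
from collections import Counter

SEGMENT = 10240  # the analysis' 10240-byte encryption chunk; used here as the entropy sample window
# Subset of the target-extension list quoted above (constructed for this demo; extend with the full list).
TARGET_EXTS = {".xls", ".xlsx", ".pdf", ".doc", ".docx", ".txt", ".bak", ".backup", ".bkf", ".vmdk", ".sql"}
BACKUP_EXTS = {".bak", ".backup", ".backupdb", ".bkf", ".bkp", ".tib"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: AES output over a 10 KiB window sits near 8.0, plain text far below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(root: str) -> dict:
    """Summarise one tree; low_entropy lists .encryptedRSA files whose first segment is not ciphertext."""
    report = {"stubbin": [], "encrypted": Counter(), "backups_hit": [], "off_list": [], "low_entropy": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                entropy = shannon_entropy(fh.read(SEGMENT))
            if name.lower().endswith(".stubbin"):  # encrypted loader payload described above
                report["stubbin"].append((path, round(entropy, 2)))
            elif name.lower().endswith(".encryptedrsa"):
                orig_ext = os.path.splitext(name[: -len(".encryptedRSA")])[1].lower()
                report["encrypted"][orig_ext] += 1
                if orig_ext in BACKUP_EXTS:
                    report["backups_hit"].append(path)
                if orig_ext not in TARGET_EXTS:
                    report["off_list"].append(path)
                if entropy < 7.0:  # partial write or decoy: check before any restore attempt
                    report["low_entropy"].append(path)
    return report

def demo() -> dict:
    """Build a constructed sample tree (random bytes stand in for ciphertext) and triage it."""
    root = tempfile.mkdtemp(prefix="samsam_triage_")
    samples = {"payroll.xlsx.encryptedRSA": os.urandom(20000), "nightly.bak.encryptedRSA": os.urandom(20000),
               "notes.md.encryptedRSA": b"hello " * 2000, "loader.stubbin": os.urandom(40000)}
    for fname, content in samples.items():
        with open(os.path.join(root, fname), "wb") as fh:
            fh.write(content)
    return triage(root)
```

Calling demo() builds the sample tree in a temporary directory and returns the report; point triage() at a real share to run it on an affected system.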

Remove SamSam Ransomware and Restore .encryptedRSA Files

To remove this ransomware infection fully from your computer, we recommend that you follow the removal instructions underneath this article. They have been created to help you remove this threat either manually or automatically. If manual removal does not seem to work, it is recommended to remove this infection automatically by using an advanced anti-malware tool. Such a tool will fully erase any traces of SamSam from your computer and will protect it against infections that might occur in the future as well.

In addition, if you want to restore files that SamSam has encrypted with the .encryptedRSA extension, you can try the alternative file-recovery methods in step “2. Restore files, encrypted by .encryptedRSA Ransomware” underneath. They aim to help you recover as many encrypted files as possible, even though they are not guaranteed to recover all of the data.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having also graduated in Marketing, Ventsislav has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
