New SamSam Ransomware – Remove and Restore .VforVendetta Files - How to, Technology and PC Security Forum | SensorsTechForum.com
THREAT REMOVAL

New SamSam Ransomware – Remove and Restore .VforVendetta Files

OFFER

SCAN YOUR PC
with SpyHunter

Scan Your System for Malicious Files
Note! Your computer might be affected by SamSam and other threats.
Threats such as SamSam may be persistent on your system. They tend to re-appear if not fully deleted. A malware removal tool like SpyHunter will help you to remove malicious programs, saving you the time and the struggle of tracking down numerous malicious files.
SpyHunter’s scanner is free but the paid version is needed to remove the malware threats. Read SpyHunter’s EULA and Privacy Policy

“000-PLEASE-READ-WE-HELP.html” is the file used by the new Samas/SamSam ransomware which encrypts files possibly via the RSA encryption algorithm, adding .VforVendetta file extension after encryption. The virus also opens this .HTML file which contains a ransom note that has instructions on how to pay the ransom to cyber-criminals in BTC. In the event that you have been affected by this ransomware, we urge you to not conduct any ransom payoff and focus on restoring the encrypted files yourself and remove SamSam from your computer which you will learn how to do if you read this article thoroughly.

Threat Summary

NameSamSam
TypeRansomware
Short DescriptionThe ransomware encrypts files with RSA encryption cipher and asks a ransom payment of BTC for decryption.
SymptomsFiles are encrypted with RSA encryption and become inaccessible with an added .VforVendetta file extension to them. A ransom note with instructions for paying the ransom shows as 000-PLEASE-READ-WE-HELP.html file.
Distribution MethodSpam Emails, Email Attachments, File Sharing Networks.
Detection Tool See If Your System Has Been Affected by SamSam

Download

Malware Removal Tool

Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

SamSam .VforVendetta Virus – How Did I Get Infected

The SamSam Malware may employ various tactics to infect user. One of them is a an infection sent from a remote server. Some cyber-criminals test the defenses of systems they are about to infect, also known as pen-testing. This type of software provides the opportunity to cause a successful infection from a distance and give them the ability to conceal the malicious files properly from any security software.

More Information about SamSam Ransomware

In proximity to the previous SamSam viruses, this virus may also have activities copied from it’s code. One of these tools which is reported to have associations with SamSam ransomware and may be used in the .VforVendetta variant Is known as PSExec. This tool is a file that has been created to start programs from a remote locations on the computers it infects.

In addition to this, SamSam may use a Trojan horse related to it which was also detected by malware researchers as the Samas trojan.

After infection, the main executable of this ransomware is dropped on the infected computer may include scripts that delete the shadow copies of the infected machine via command prompt in quiet mode:

vssadmin delete shadows /for={DrivePartition} [/oldest | /all | /shadow={Identification of the shadow copies}] [/quiet]

The purpose of this command is to rid the user of any backups and other file history of the infected device.

The Encryption Process of SamSa

Once SamSam has attacked a certain computer and has deleted the backups, it may initiate it’s encryption procedure. It may attack important files for the user, like files of the following types:

→ “PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG” Source:fileinfo.com

When it has detected files of such extension, the virus may scramble bytes of those files which are enough to make them no longer able to be opened. The encryption algorithm RSA-2048 may be used by this version of SamSam which is a sophisticated cipher, used by the DoD for secret data.

Files, encoded by this SamSam malware variant have the .VforVendetta extension and look like the following:

After encryption the virus also drops a readme file that has the 000-PLEASE-READ-WE-HELP.html name and it aims to provide instructions to the victims of the virus, regarding conducting online payments.

Remove SamSam Ransomware and Try to Restore .VforVendetta Files

In order to try and fix the mess caused by SamSam on your computer, advices are to focus on removing the virus using the instructions below. In case you feel unsure using manual removal instructions, it is advisable to remove SamSam ransomware automatically using an advanced anti-malware program, which will make sure that the virus is completely uninstalled from your computer.

After having removed SamSam ransomware, advices are to focus on trying alternative methods to restore the encrypted files, but only after you back them up. We have suggested several alternative tools to help you try and recover files encrypted by SamSam at least partially until a decryptor is released.

Note! Your computer system may be affected by SamSam and other threats.
Scan Your PC with SpyHunter
SpyHunter is a powerful malware removal tool designed to help users with in-depth system security analysis, detection and removal of threats such as SamSam.
Keep in mind, that SpyHunter’s scanner is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter’s malware removal tool to remove the malware threats. Read our SpyHunter 5 review. Click on the corresponding links to check SpyHunter’s EULA, Privacy Policy and Threat Assessment Criteria.

To remove SamSam follow these steps:

1. Boot Your PC In Safe Mode to isolate and remove SamSam files and objects
2. Find files created by SamSam on your PC

Use SpyHunter to scan for malware and unwanted programs

3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
4. Try to Restore files encrypted by SamSam

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...