“000-PLEASE-READ-WE-HELP.html” is the file used by the new Samas/SamSam ransomware which encrypts files possibly via the RSA encryption algorithm, adding .VforVendetta file extension after encryption. The virus also opens this .HTML file which contains a ransom note that has instructions on how to pay the ransom to cyber-criminals in BTC. In the event that you have been affected by this ransomware, we urge you to not conduct any ransom payoff and focus on restoring the encrypted files yourself and remove SamSam from your computer which you will learn how to do if you read this article thoroughly.
|Short Description||The ransomware encrypts files with RSA encryption cipher and asks a ransom payment of BTC for decryption.|
|Symptoms||Files are encrypted with RSA encryption and become inaccessible with an added .VforVendetta file extension to them. A ransom note with instructions for paying the ransom shows as 000-PLEASE-READ-WE-HELP.html file.|
|Distribution Method||Spam Emails, Email Attachments, File Sharing Networks.|
|Detection Tool|| See If Your System Has Been Affected by SamSam |
Malware Removal Tool
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
SamSam .VforVendetta Virus – How Did I Get Infected
The SamSam Malware may employ various tactics to infect user. One of them is a an infection sent from a remote server. Some cyber-criminals test the defenses of systems they are about to infect, also known as pen-testing. This type of software provides the opportunity to cause a successful infection from a distance and give them the ability to conceal the malicious files properly from any security software.
More Information about SamSam Ransomware
In proximity to the previous SamSam viruses, this virus may also have activities copied from it’s code. One of these tools which is reported to have associations with SamSam ransomware and may be used in the .VforVendetta variant Is known as PSExec. This tool is a file that has been created to start programs from a remote locations on the computers it infects.
In addition to this, SamSam may use a Trojan horse related to it which was also detected by malware researchers as the Samas trojan.
After infection, the main executable of this ransomware is dropped on the infected computer may include scripts that delete the shadow copies of the infected machine via command prompt in quiet mode:
The purpose of this command is to rid the user of any backups and other file history of the infected device.
The Encryption Process of SamSa
Once SamSam has attacked a certain computer and has deleted the backups, it may initiate it’s encryption procedure. It may attack important files for the user, like files of the following types:
→ “PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG” Source:fileinfo.com
When it has detected files of such extension, the virus may scramble bytes of those files which are enough to make them no longer able to be opened. The encryption algorithm RSA-2048 may be used by this version of SamSam which is a sophisticated cipher, used by the DoD for secret data.
Files, encoded by this SamSam malware variant have the .VforVendetta extension and look like the following:
After encryption the virus also drops a readme file that has the 000-PLEASE-READ-WE-HELP.html name and it aims to provide instructions to the victims of the virus, regarding conducting online payments.
Remove SamSam Ransomware and Try to Restore .VforVendetta Files
In order to try and fix the mess caused by SamSam on your computer, advices are to focus on removing the virus using the instructions below. In case you feel unsure using manual removal instructions, it is advisable to remove SamSam ransomware automatically using an advanced anti-malware program, which will make sure that the virus is completely uninstalled from your computer.
After having removed SamSam ransomware, advices are to focus on trying alternative methods to restore the encrypted files, but only after you back them up. We have suggested several alternative tools to help you try and recover files encrypted by SamSam at least partially until a decryptor is released.