Remove Samas DR Ransomware and Restore .iloveworld Files - How to, Technology and PC Security Forum |

Remove Samas DR Ransomware and Restore .iloveworld Files

samas-ransomware-dr-variant-sensorstechforum-comNew variant of the Samas ransomware has been reported to demand the sum of 1.7 bitcoins after it uses RSA encryption to encipher files of infected computers, adding the .iloveworld file extension to them. The ransomware then drops a PLEASE_READ_FOR_DECRYPT_FILES_{number}.html file which contains a long ransom note with instructions on how to pay 1.7 BTC to the cyber-criminals behind the virus. In case you have been infected by this virus, it is strongly inadvisable to conduct any ransom payoff since this may help cyber-criminals further replicate Samas ransomware. Instead we recommend following the instructions after this article to remove this virus and try to restore your files.

Threat Summary

Short DescriptionThe ransomware encrypts files with RSA encryption cipher and asks a ransom payment of 1.7 BTC for decryption.
SymptomsFiles are encrypted with RSA-2048 bit encryption and become inaccessible with an added .iloveworld file extension to them. A ransom note with instructions for paying the ransom shows as PLEASE_READ_FOR_DECRYPT_FILES_{number}.html file.
Distribution MethodSpam Emails, Email Attachments, File Sharing Networks.
Detection Tool See If Your System Has Been Affected by Samas


Malware Removal Tool

User ExperienceJoin our forum to Discuss Samas Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Samas Ransomware’s Distribution Technique

The Samas virus may use different techniques to be spread. It may use pen testing deployment sent out from a remote server to cause infection. Such software gives an opportunity for cyber-crooks to discover vulnerabilities and select the correct exploit kit or obfuscator that will allow a successful infection.

Samas Ransomware – More Information

Similar to the previous variant of Samas ransomware virus, this one may also take advantage of activities which it has copied from a variety of other viruses in its code. One particular tool that has been reportedly associated with Samas ransomware is called PsExec, and it’s primary file is pre-programmed to remotely execute programs on the infected computer.

Not only this, but the Samas virus may also use other features from a Trojan horse, also known and detected as Samas, which was most likely created by the same developers.

The main executable of Samas ransomware is reported to be named gotohelldr.exe and it may include scripts such as the one that deletes the shadow copies on the infected computer with the following vssadmin command in quiet mode:

vssadmin delete shadows /for={DrivePartition} [/oldest | /all | /shadow={Identification of the shadow copies}] [/quiet]

Such commands might be used by the Samas virus to get rid of all the backups and file history on the affected device.

In addition to this, the virus may also download other malware on the infected computer, such as an MSIL trojan and other ransomware as well.

Samas Virus’s Encryption Process

To encrypt files the Samas ransomware may scan your computer for a wide variety of file types, for example:


As soon as it detects the files it is pre-programmed to encrypt, the virus scrambles portions of their source code which are enough to render the files unusable. The portions of code are replaced with a very sophisticated RSA-2048 encryption algorithm, which is also reported to be classified as a Suite.B cipher used by the DoD for secret files.

Encrypted files by this variant of Samas contain the .iloveworld file extension after their names and may look like the picture below:


In addition to the encryption process, the Samas virus also drops a ransom note in the form of a .html file. The note is named PLEASE_READ_FOR_DECRYPT_FILES_{victimID} and has notification and instructions:

#What happened to your files?
“All your files encrypted with RSA-2048 encryption, For more information search in Google “RSA Encryption.”
#How to recover files?
RSA is an asymmetric cryptographic algorithm; You need one key for encryption and one key for decryption.
So you need Private key to recover your files.
It’s not possible to recover your files without private key
#How to get private key?
You can get your private key in 3 easy step:
Step1: You must send us 1.7 BitCoin for each affected PC OR 29 BitCoins to receive ALL Private Keys for ALL affected PCs.
Step2: After you send us 1.7 BitCoin, Leave a comment on our Site with this detail: Just write Your “Host name” in your comment.
*Your Host name is: WIN-{Unique identification}
Step3: We will reply to your comment with a decryption software. You should run it on your affected PC, and all encrypted files will be recovered.
*Our Site Address: http://5hvtr4qvmq76zyfq.onion/alpinism/
*Our BitCoin Address:1Ha4Y7QegJL2t577XK6inSUdCYAKKQC99sG
(If you send us 29 BitCoins For all PC’s, Leave a comment on our site with this detail: Just write “For All Affected PC’s” in your comment)
(Also if you want to pay for “all affected PC’s” You can pay 14 Bitcoins to receive half of keys(randomly) and after you verify it send 2nd half
How To Access To Our Site
For access to our site you must install Tor browser and enter our site URL in your tor browser.
You can download tor browser from
For more information, please search in Google “How to access onion sites”
# Test Decryption #
Check our site, You can upload two encrypted files, and we will decrypt your files as demo.
#Where to buy Bitcoin
We advice you to buy Bitcoin with Cash Deposit or WesternUnion From or
Because they don’t need any verification and send your Bitcoin quickly.
You just have 7 days to send us the BitCoin after 7 days we will remove your private keys and it’s impossible to recover your files”

Samas Ransomware – Removal and Restoration of .iloveworld Files

Since Samas is also believed by malware researchers to be a part of a RaaS scheme (ransomware as a service) and it may come in different variants with the same source code, malware researchers strongly advise for affected users to wait for a decrypter.

Samas Ransomware should be removed manually by following the instructions after this article. In case you do not feel sure that you will fully remove it manually, malware researchers strongly advise using an advanced anti-malware program that will delete all files associated with Samas automatically.

In case your files have the .iloveworld file extension, this means they are encrypted. At this point, there is no official decryption solution for free. However, it is strongly inadvisable to pay the 1.7 BitCoin ransom money to criminals. Besides this, we have also offered alternative solutions to decrypt your files in case they have been encrypted by this virus. They are not 100% guarantee you will decrypt your files, but if you are in luck, you may restore some of your files this way. The instructions may be found in step “2. Restore files encrypted by Samas” below.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share