Remove Samas Ransomware and Restore Encrypted.RSA Files - How to, Technology and PC Security Forum | SensorsTechForum.com

Remove Samas Ransomware and Restore Encrypted.RSA Files

An unusual strain of ransomware has been reported to hit various institutions via Java exploits, experts say. One of those institutions is MedStar Health, and the hospital suffered immense losses after the ransomware struck. This was due to the abilities of Samas crypto-malware to encrypt the data with a strong encryption algorithm after which demand payment for decryption via a unique key.

NameSamas
TypeRansomware.
Short DescriptionInfects the computer using a combination of different malware, encrypts the data and asks for 1 BTC ransom money.
SymptomsThe user may witness an html file on each folder where files are encrypted with the ransom message and the files are unable to be opened and have encrypted.RSA file extension appended.
Distribution MethodVia malicious URLs or malicious files.
Detection ToolDownload Malware Removal Tool, to See If Your System Has Been Affected by Samas
User Experience Join our forum to discuss Samas.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Samas Ransomware – How Does It Infect

Unlike other ransom malware, Samas uses unusual encryption techniques. It is particularly sophisticated because it employs a so-called pen testing otherwise known as penetration testing via a remote server to begin the infection process. Such testing allows the cyber-criminals to discover vulnerabilities in the network of the targeted devices. Once a vulnerability is found, the ransomware may either use:

  • Stolen login credentials to directly gain access and start running files remotely using a free program called “psexec.exe” which gives those permissions.
  • Vulnerabilities in Java, allowing it to execute a malicious script.

Samas Ransomware In Detail

This crypto-malware uses a combination of different viruses each one performing different activities. First, it is reported by researchers to use an infostealer called Derusbi or Bladabindi. The second tool which is used by this malware is called PsExec, and its executable psexec.exe is configured to start programs on the infected computer remotely.

Besides those tools, Samas also may use two variants of the Trojan: Samas infection. This is what appears to be a BAT(Batch file) type of Trojan which may use several commands. One of those commands is the privilege escalating vssadmin command via vssadmin.exe, for example:

→ vssadmin delete shadows /for={DrivePartition} [/oldest | /all | /shadow={Identification of the shadow copies}] [/quiet]

This type of command may be used by Samas to delete the backup of your computer after which it may start encrypting your data.

Furthermore, Samas ransomware kit downloads yet another malware on the infected user’s computer – an MSIL (Microsoft Intermediate Language) ransomware which uses a very strong encryption algorithms – the AES and RSA cyphers.

The Encryption Process

The Ransomware may look for the usual and most used file extensions to encode. The encoded files are reported to be left with an added “encrypted.RSA” file extension, for example:

→ New Text Document.txt.encrypted.RSA

Both encryption algorithms used by the ransomware (RSA and AES) which are classified to be a Suite.B encoding language, are designed for concealing top secret files. The strength of the cypher is relatively impenetrable since it would take a powerful computer tens of years to decrypt a file if it doesn’t break by then. What Samas does is that it encrypts the files using the AES encryption algorithm. After this, it generates a custom encryption key and encrypts it with the RSA encryption algorithm, similar to the graph below:

graph-sensorstechforum

After encrypting the data, Samas leaves a custom ransom note. Users on bleeping computer report the ransom message to be in a file named “HELPDECYPRT_YOUR_FILES.html” located in each folder where files are encrypted. The ransom note is reported to be the following:

→ “#What happened to your files?
All of your important files encrypted with RSA-2048, RSA-2048 is a powerful cryptography algorithm
For more information you can use Wikipedia
*attention: Don’t rename or edit encrypted files because it will be impossible to decrypt your files
#How to recover files?
RSA is an asymmetric cryptographic algorithm You need two key
1-Public key: you need it for encryption
2-Private Key: you need it for decryption
So you need Private key to recover your files.
It’s not possible to recover your files without private key.
#How to get private key?
You can receive your Private Key in 3 easy steps:
Step1: You must send us One Bitcoin about (430$) for each affected PC to receive Private Key.
Step2: After you send us one Bitcoin, Leave a comment on our blog with these detail: Your Bitcoin transaction reference + Your Computer name
*Your Computer name is:{PC NAME}
Step3: We will reply to your comment with a decryption software, You should run it on your affected PC, and all encrypted files will be recovered
*Our blog address: key93939393.wordpress.com
*Our Bitcoin address: {Cyber crooks’ bitcoin address}”

In addition to that, this ransomware may come in different variations since researchers believe that it may be a part of a RaaS (Ransomware as a Service) scheme. This means it may be sold to anybody interested on the black market. Not only this, but researchers also reported that the cyber-crooks behind this ransomware evolve it constantly, for example, they may change the payment addresses, methods of contacting them anonymously and other details.

Remove Samas Ransomware and Restore Your Files

To remove this cyber-threat, you must identify all of the objects associated with it, whether they are files or registry sub-keys and values that are modified or newly made. To do this effectively, we advise to use the removal instructions below and neutralize this threat permanently with a particular anti-malware software.

Regarding the direct decryption of your files, there has not been a solution yet, but we will keep posting updates as soon as there is a direct solution. Meanwhile, you can try the decryptors and file restoration software as well as browse shadow copies of your PC, all of which can be downloaded from step “4. Restore files encrypted by Samas Ransomware”. These are general methods, and they may restore your important files partially. Meanwhile, you may follow our security forum, ask questions on how to use the software and discuss Samas Ransomware.

1. Boot Your PC In Safe Mode to isolate and remove Samas
2. Remove Samas with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections and file encryption by Samas in the future
4. Restore files encrypted by Samas
Optional: Using Alternative Anti-Malware Tools
NOTE! Substantial notification about the Samas threat: Manual removal of Samas requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.