This article explains what the .weapologize variant of SamSam ransomware is, how to remove it from an infected system, and how to try to restore the files it has encrypted.
‘0000-SORRY-FOR-FILES.html’ is the ransom note left on victims’ computers after infection by this version of SamSam. Although the ransomware may use other extensions, infected users and companies have reported that the .weapologize suffix is appended to encrypted files, which can no longer be opened. The note claims the files are encrypted with RSA-2048, which cannot be decrypted without the attackers’ private key, and demands 0.7 BTC per affected machine or 3 BTC for all affected machines. If your computer has been infected by the .weapologize variant of SamSam, read on to learn how to remove it and how to attempt recovery of the encrypted files.
| Field | Detail |
|---|---|
| Short Description | The ransomware encrypts files using RSA and demands 0.7 BTC per infected machine, or 3 BTC for all infected machines, for decryption. |
| Symptoms | Files are encrypted, receive the .weapologize extension and become inaccessible. A ransom note with payment instructions is dropped as 0000-SORRY-FOR-FILES.html. |
| Distribution Method | Spam e-mails, e-mail attachments, file-sharing networks. |
| Detection Tool | See if your system has been affected by SamSam .weapologize (malware removal tool). |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix. Notice: this product scans drive sectors to recover deleted files; it may recover only some of the encrypted files, depending on the situation and on whether the drive has been reformatted. |
SamSam .weapologize Ransomware – Distribution Methods
To reach as many victims as possible, the criminals distributing SamSam’s files may use both proactive and passive tactics. Proactive tactics mean that your computer was most likely infected with the .weapologize variant through spam e-mail. Such messages are crafted to convince inexperienced recipients that they come from legitimate companies; well-known brands such as PayPal, eBay or Amazon are often impersonated to gain the user’s trust, as in the fake PayPal-branded e-mail shown below, where the button is actually a link to the infection:
The infection file of SamSam is also believed to be spread by more passive methods, for example:
- Via fake setups of programs.
- Via fake game patches or cracks.
- Via fraudulent software license activators.
- Fake key generators.
SamSam .weapologize Ransomware – Malicious Activity
The SamSam .weapologize infection is not a single piece of malware. It is deployed together with other tools and malware families, among them:
- Derusbi, an infostealer used to collect information from the host.
- Bladabindi, an infostealer used to collect credentials.
- PsExec, a legitimate Sysinternals administration utility, used to start programs on other systems across the network.
The presence of PsExec matters for incident response: once one host is compromised, the operators can push the payload to every other reachable host, which is why the ransom note prices keys per affected PC. One infected machine should therefore be treated as a sign that the whole network needs checking. After these tools have run, the ransomware uses a component of the Samas Trojan (Samas is another name for SamSam) that invokes the Windows command interpreter to delete the volume shadow copies on the infected system, removing the easiest local recovery path. The command is:
→ "C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet
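The shadow-copy deletion above is one of the most reliable signals of ransomware staging, because legitimate software almost never deletes all shadow copies quietly. The following is an added example (not code from the article or from any SamSam sample) of detection logic run over constructed process-creation events in the style of Sysmon Event ID 1. It goes beyond the page’s single vssadmin command and also matches the other common ways of destroying shadow copies (vssadmin resize shadowstorage, wmic shadowcopy delete, and PowerShell against Win32_Shadowcopy), and it flags when the command was launched under PSEXESVC.exe, the service PsExec installs on a remote host. The event fields, host names and user names are invented for the example.

```python
import re

# Constructed sample events (Sysmon Event ID 1 style, reduced to the fields the
# rules need). Synthetic data for the example, not real logs.
SAMPLE_EVENTS = [
    {"host": "WS-FIN-07", "user": "CORP\\jdoe",
     "parent": "C:\\Windows\\explorer.exe",
     "cmdline": '"C:\\Windows\\System32\\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet'},
    {"host": "SRV-FILE-01", "user": "NT AUTHORITY\\SYSTEM",
     "parent": "C:\\Windows\\System32\\services.exe",
     "cmdline": "vssadmin.exe list shadows"},                  # benign: listing only
    {"host": "WS-HR-02", "user": "CORP\\svc-backup",
     "parent": "C:\\Windows\\PSEXESVC.exe",                    # pushed via PsExec
     "cmdline": "wmic.exe shadowcopy delete"},
    {"host": "WS-HR-03", "user": "CORP\\svc-backup",
     "parent": "C:\\Windows\\PSEXESVC.exe",
     "cmdline": "powershell.exe -nop -w hidden Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"},
    {"host": "SRV-SQL-01", "user": "CORP\\dba",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
]

# Each rule is (name, regex over the normalised command line). Normalisation
# strips quotes, collapses whitespace and lower-cases, so case and quoting
# tricks do not evade the match.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows")),
    ("vssadmin_resize_shadowstorage", re.compile(r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage")),
    ("wmic_shadowcopy_delete", re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete")),
    ("powershell_win32_shadowcopy_delete", re.compile(r"win32_shadowcopy.*delete\(\)")),
]


def normalise(cmdline):
    """Lower-case the command line, drop quotes and collapse runs of whitespace."""
    return re.sub(r"\s+", " ", cmdline.replace('"', "")).strip().lower()


def match_shadow_copy_tampering(cmdline):
    """Return the name of the first rule that matches, or None for benign lines."""
    norm = normalise(cmdline)
    for name, pattern in RULES:
        if pattern.search(norm):
            return name
    return None


def analyse(events):
    """Run every event through the rules; return one hit dict per match."""
    hits = []
    for ev in events:
        rule = match_shadow_copy_tampering(ev["cmdline"])
        if rule is None:
            continue
        # PSEXESVC.exe as parent means the command arrived over the network
        # from another host, i.e. the operator is already moving laterally.
        via_psexec = ev["parent"].lower().endswith("psexesvc.exe")
        hits.append({"host": ev["host"], "user": ev["user"],
                     "rule": rule, "via_psexec": via_psexec})
    return hits


if __name__ == "__main__":
    for hit in analyse(SAMPLE_EVENTS):
        print(hit)
```

In a real deployment the same rules map directly onto a SIEM query over the process command line field; the PsExec parent check is the piece that turns a single-host alert into a network-wide scoping task.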
After this, the .weapologize version of SamSam displays its ransom note, named ‘0000-SORRY-FOR-FILES.html’, which looks like the following:
Text from image:
What happened to your files?
All your files encrypted with RSA-2048 encryption, For more information search in Google ‘RSA Encryption’
How to recover files?
RSA is a asymmetric cryptographic algorithm, You need one key for encryption and one key for decryption
So you need Private key to recover your files.
It’s not possible to recover your files without private key
How to get private key?
You can get your private key in 3 easy step:
Step1: You must send us 0.7 BitCoin for each affected PC OR 3 BitCoins to receive ALL Private Keys for ALL affected PC’s.
Step2: After you send us 0.7 BitCoin, Leave a comment on our Site with this detail: Just write Your ‘Host name’ in your comment
Your Host name is:
Step3: We will reply to your comment with a decryption software, You should run it on your affected PC and all encrypted files will be recovered
Our Site Address: http://jcmi5n4c3mvgtyt5.onion/familiarisingly/
Our BitCoin Address: 1MdthqRCJe825ywjdbijsttWBpKanR
(If you send us 3 BitCoins For all PC’s, Leave a comment on our site with this detail: Just write ‘For All Affected PC‘s’ in your comment)
(Also if you want pay for ‘all affected PC‘s’ You can pay 1.5 Bitcoins to receive half of keys(randomly) and after you verify it send 2nd half to receive all
How To Access To Our Site
For access to our site you must install Tor browser and enter our site URL in your tor browser.
You can download tor browser from https://www.torproject.org/download/download.html.en
For more information please search in Google ‘How to access onion sites’
Check our site, You can upload 2 encrypted files and we will decrypt your files as demo.
If you are worried that you don’t get your keys after you paid, You can get one key for free on your choice(except important servers), Te
Also you can get some single key and if all single BTC that you paid reached to all keys price you will get all keys
Anyway be sure that you will get all your keys if you paid for them and we don’t want damage our reliability
with buying the first key you will find that we are honest.
.weapologize SamSam Ransomware – Encryption Process
To encrypt files on the victim’s computer, SamSam uses RSA (Rivest-Shamir-Adleman), an asymmetric cipher: the public key used on the infected machine cannot reverse the encryption, and the matching private key never leaves the attackers. (RSA is sometimes described as a Suite B algorithm, but NSA’s Suite B specifies elliptic-curve algorithms and does not include RSA.) A practitioner should also note that RSA alone is far too slow for bulk file encryption; ransomware advertising “RSA-2048” normally encrypts each file with a fast symmetric cipher and then encrypts that per-file key with the RSA public key, so what is unrecoverable without the private key is the file key rather than the file content directly. According to previous reports, the SamSam .weapologize ransomware performs the encryption activities in the following order:
After the file encryption process has completed, the SamSam virus leaves the files with the .weapologize suffix and they begin to appear like the following image:
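When scoping an incident, the first job is usually to establish which files were actually encrypted and where the ransom notes landed, before any removal or recovery is attempted. The following is an added example (not the article’s own code, nor anything taken from SamSam) of a small triage script that walks a directory tree, separates ransom notes from files carrying the .weapologize extension, and uses byte entropy to tell a genuinely encrypted file from one that was merely renamed. Encrypted data is close to 8 bits of entropy per byte, while documents and text are far lower; the check scales its threshold to the sample size, since a very small file cannot reach 8 bits per byte even if it is random. The sample tree the script builds is constructed for the example, and the file names in it are invented.

```python
import math
import os
import random
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_EXT = ".weapologize"
RANSOM_NOTE = "0000-SORRY-FOR-FILES.html"
SAMPLE_BYTES = 4096  # only the head of each file is read


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(head):
    """True if the sample is close to the maximum entropy its length allows.

    A file of n bytes cannot exceed log2(n) bits/byte even if perfectly random,
    so the threshold is scaled to the sample size rather than fixed at ~7.
    """
    if len(head) < 64:
        return False  # too little data to judge either way
    ceiling = min(8.0, math.log2(len(head)))
    return shannon_entropy(head) > 0.9 * ceiling


def classify(path):
    """'note', 'encrypted', 'suspect' (extension present but content readable) or 'clean'."""
    p = Path(path)
    if p.name == RANSOM_NOTE:
        return "note"
    with open(p, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if p.suffix == RANSOM_EXT:
        return "encrypted" if looks_encrypted(head) else "suspect"
    return "clean"


def scan_tree(root):
    """Walk a directory and bucket every file by classify()."""
    summary = {"note": [], "encrypted": [], "suspect": [], "clean": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            summary[classify(full)].append(full)
    return summary


def build_sample_tree(root):
    """Constructed sample data for the example (not real SamSam artefacts):
    one encrypted-looking file, one renamed-but-readable file, one ransom note
    and one untouched document."""
    rng = random.Random(7)  # deterministic stand-in for ciphertext
    docs = Path(root) / "docs"
    docs.mkdir()
    (docs / "budget.xlsx.weapologize").write_bytes(
        bytes(rng.getrandbits(8) for _ in range(SAMPLE_BYTES)))
    (docs / "readme.txt.weapologize").write_text("hello world\n" * 300)
    (docs / RANSOM_NOTE).write_text("<html>What happened to your files?</html>")
    (Path(root) / "notes.txt").write_text("untouched file\n")


def run_demo():
    """Build the sample tree in a temporary directory, scan it, return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {len(paths)}")
```

The "suspect" bucket is worth keeping separate: a file that carries the extension but still has low entropy was renamed, not encrypted, and can be restored by simply removing the suffix. Run the scan from a clean system against the mounted victim disk, not from the infected host, and keep a copy of the note and a few encrypted files before any cleanup in case a decryptor becomes available later.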
Remove SamSam Ransomware and Restore .weapologize Encrypted Files
To remove this ransomware from your system, follow the removal instructions below. They explain how to delete the objects created by the ransomware either manually or automatically. Before starting, disconnect the machine from the network: the PsExec component described above lets the operators push the payload to other hosts, so every other machine in the environment should be checked as well. Preserve a copy of the ransom note and a few encrypted files before cleaning up, since a decryptor may become available later. If you lack experience with manual removal, security researchers strongly advise removing the infection automatically with an advanced anti-malware program, which also helps protect the PC against future infections.
To restore files that have received the .weapologize extension, follow the alternative recovery methods below in step ‘2. Restore files encrypted by SamSam .weapologize’. They are intended to help you recover as many files as possible without paying the ransom, although they do not guarantee that every file can be restored. Note that because the ransomware deletes volume shadow copies, restoring previous versions from shadow copies will usually not work; offline or off-site backups made before the infection are the most reliable source.