.weapologize Files Virus (SamSam) - How to Remove - Restore Files


This article explains what the .weapologize SamSam ransomware virus is, how to remove it fully from your computer system, and how to try to restore the files it has encrypted with RSA.

‘0000-SORRY-FOR-FILES.html’ is the ransom note left on victims' computers after they have been infected by the latest version of SamSam ransomware. Even though the ransomware infection may add different file extensions, some of the infected users and companies have reported that primarily the file suffix .weapologize is added to the encrypted files once they can no longer be opened. The virus is believed to use RSA encryption, which is generally infeasible to break, and asks for a ransom payment of 1 BTC. If your computer has been infected by the .weapologize variant of SamSam ransomware, we recommend that you read the following article to learn how to remove it from your computer and how to try to restore files that have been encrypted by this version of SamSam ransomware.

Threat Summary

Name: SamSam .weapologize
Short Description: The ransomware encrypts files with the RSA encryption cipher and asks a ransom payment of 1 BTC for decryption.
Symptoms: Files are encrypted with RSA encryption and become inaccessible, with the .weapologize file extension added to them. A ransom note with instructions for paying the ransom appears as the file 000-SORRY-FOR-FILES.html.
Distribution Method: Spam Emails, Email Attachments, File Sharing Networks.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and on whether or not you have reformatted your drive.

SamSam .weapologize Ransomware – Distribution Methods

In order to infect the maximum number of victims, the cyber-criminals who spread the virus files of SamSam may use different tactics, both proactive and passive. If they use proactive tactics, it is likely that your computer was infected with the .weapologize variant of SamSam ransomware via e-mail spam messages. Such messages are believed to be a variety of deceitful e-mails that aim to convince inexperienced future victims that they come from legitimate companies. Most often in such cases, big company names such as PayPal, eBay or Amazon are used to increase the user's trust, for example the fake e-mail containing an infection link that looks like a PayPal button, shown below:

In addition, the infection file of SamSam ransomware is also believed to be spread via more passive methods, for example:

  • Via fake setups of programs.
  • Via fake game patches or cracks.
  • Via fraudulent software license activators.
  • Via fake key generators.

SamSam .weapologize Ransomware – Malicious Activity

SamSam (also known as Samas) has been reported to download its malicious payload after infection from a third-party C&C server. The malicious payload usually consists of several different types of files and a tool called PsExec. Unlike a traditional ransomware virus, this variant of SamSam first runs a penetration-testing-style component from a remote server, which begins the actual infection activity. This reconnaissance allows the cyber-crooks to discover vulnerabilities on your system or enterprise network during the infection. Once they find a weakness, they use the psexec.exe file to exploit it, whether via a malicious JavaScript or an RDP (Remote Desktop Protocol) exploit.

In addition to this, the SamSam .weapologize malware is not originally a single virus. It uses a combination of viruses, among which are the following:

  • Derusbi infostealer for stealing information.
  • Bladabindi infostealer for stealing credentials.
  • PsExec to start programs on the infected system from distance.

After these tools have been used on the victim’s computer, the ransomware also uses an element from the Samas Trojan, which runs a Batch command in Windows command prompt that deletes the shadow volume copies on the infected computer system. The command is as follows:

→ "C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet
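Deleting shadow copies is one of the few steps of this infection chain that produces a clean, host-side detection opportunity: a process-creation event (Windows Security event 4688 with command-line auditing, or Sysmon event 1) whose command line contains a shadow-copy deletion. The following is an added example, not code from the article, that runs such a check over a handful of constructed process-creation records (the first mirrors the command quoted above). It goes slightly beyond the article by also matching the WMIC form of the same deletion, which detection rules normally pair with the vssadmin one; the event fields and sample hosts are assumptions.

```python
import re

# Constructed sample process-creation events (not real telemetry).  The first
# record reproduces the command line quoted in the article; the rest are a mix
# of benign shadow-copy activity and unrelated noise.
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet'},
    {"host": "WS01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r"vssadmin.exe List Shadows"},                      # benign: listing only
    {"host": "WS02", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c VSSADMIN delete shadows /for=C: /quiet"},  # case/argument variant
    {"host": "WS02", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r"wmic shadowcopy delete"},                         # WMIC equivalent
    {"host": "WS03", "image": r"C:\Program Files\Backup\backup.exe",
     "cmdline": r'"C:\Program Files\Backup\backup.exe" --verify-shadows'},  # unrelated
]

# Patterns tolerate mixed case, an optional ".exe", quoting and extra arguments
# between the binary name and the verb, so trivial rewording does not evade them.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.IGNORECASE),
    re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE),
]


def is_shadow_copy_deletion(cmdline: str) -> bool:
    """Return True if the command line deletes Volume Shadow Copies."""
    return any(p.search(cmdline) for p in SHADOW_DELETE_PATTERNS)


def find_shadow_copy_deletions(events):
    """Return (host, cmdline) for every event whose command line matches."""
    return [(e["host"], e["cmdline"]) for e in events
            if is_shadow_copy_deletion(e["cmdline"])]


if __name__ == "__main__":
    for host, cmd in find_shadow_copy_deletions(SAMPLE_EVENTS):
        print(f"[ALERT] {host}: shadow copy deletion: {cmd}")
```

Such an alert fires for legitimate backup administration too, so in practice it is scoped by allow-listing the backup agent's parent process and treated as high priority when the parent is cmd.exe launched from an interactive or remote session, as in the chain described above.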

After this has been done, the .weapologize version of SamSam ransomware displays its ransom note, named ‘0000-SORRY-FOR-FILES.html’, which looks like the following:

Text from image:

What happened to your files?
All your files encrypted with RSA-2048 encryption, For more information search in Google ‘RSA Encryption’
How to recover files?
RSA is a asymmetric cryptographic algorithm, You need one key for encryption and one key for decryption
So you need Private key to recover your files.
It’s not possible to recover your files without private key
How to get private key?
You can get your private key in 3 easy step:
Step1: You must send us 0.7 BitCoin for each affected PC OR 3 BitCoins to receive ALL Private Keys for ALL affected PC’s.
Step2: After you send us 0.7 BitCoin, Leave a comment on our Site with this detail: Just write Your ‘Host name’ in your comment
Your Host name is:
Step3: We will reply to your comment with a decryption software, You should run it on your affected PC and all encrypted files will be recovered
Our Site Address: http://jcmi5n4c3mvgtyt5.onion/familiarisingly/
Our BitCoin Address: 1MdthqRCJe825ywjdbijsttWBpKanR
(If you send us 3 BitCoins For all PC’s, Leave a comment on our site with this detail: Just write ‘For All Affected PC‘s’ in your comment)
(Also if you want pay for ‘all affected PC‘s’ You can pay 1.5 Bitcoins to receive half of keys(randomly) and after you verify it send 2nd half to receive all
How To Access To Our Site
For access to our site you must install Tor browser and enter our site URL in your tor browser.
You can download tor browser from https://www.torproject.org/download/download.html.en
For more information please search in Google ‘How to access onion sites’
Test Decryption
Check our site, You can upload 2 encrypted files and we will decrypt your files as demo.
If you are worry that you don’t get your keys after you paid, You can get one key for free on you choise(except important servers), Te
Also you can get some single key and if all single BTC taht you paid reached to all keys price you will get all keys
Anyway be sure that you will get all your keys if you paid for them and we don’t want damage our reliability
with buying the first key you will find that we are honest.

.weapologize SamSam Ransomware – Encryption Process

In order to encrypt the files on victims' computers, the SamSam ransomware uses the so-called RSA encryption cipher, known as Rivest-Shamir-Adleman and, according to the author, part of the Suite.B category of ciphers. The SamSam .weapologize ransomware performs the encryption activities in the following order, according to previous reports:

After the file encryption process has completed, the SamSam virus leaves the files with the .weapologize suffix and they begin to appear like the following image:
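When responding to an infection like this one, the first practical question is the scope: how many files carry the .weapologize suffix, what types they were originally, and in which directories the ransom note was dropped. The following is an added example, not code from the article, that performs that inventory over a constructed sample directory tree; the file names inside the tree and the helper names are assumptions, while the suffix and the note name come from the article.

```python
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_SUFFIX = ".weapologize"          # suffix reported for this variant
RANSOM_NOTE_NAME = "0000-SORRY-FOR-FILES.html"   # note name reported for this variant


def triage_directory(root, suffix=ENCRYPTED_SUFFIX, note_name=RANSOM_NOTE_NAME):
    """Walk `root` and summarise encrypted files and ransom notes.

    Returns a dict with the number of encrypted files, a breakdown by the
    original extension (recovered by stripping the appended suffix), the
    ransom note paths and the directories that contain a note.
    """
    root = Path(root)
    by_original_ext = Counter()
    encrypted, notes = [], []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        name = path.name.lower()           # Windows file names are case-insensitive
        if name == note_name.lower():
            notes.append(str(path))
        elif name.endswith(suffix):
            original = path.name[: -len(suffix)]
            by_original_ext[Path(original).suffix.lower() or "(none)"] += 1
            encrypted.append(str(path))
    return {
        "encrypted_count": len(encrypted),
        "encrypted_files": sorted(encrypted),
        "by_original_ext": dict(by_original_ext),
        "ransom_notes": sorted(notes),
        "directories_with_notes": sorted({str(Path(n).parent) for n in notes}),
    }


def build_sample_tree():
    """Create a constructed sample tree (not real victim data) and return its root."""
    root = Path(tempfile.mkdtemp(prefix="samsam-triage-"))
    layout = {
        "Documents/report.docx.weapologize": b"\x00" * 64,
        "Documents/budget.xlsx.weapologize": b"\x00" * 64,
        "Documents/0000-SORRY-FOR-FILES.html": b"<html>ransom note</html>",
        "Pictures/holiday.jpg.weapologize": b"\x00" * 64,
        "Pictures/0000-SORRY-FOR-FILES.html": b"<html>ransom note</html>",
        "Pictures/untouched.png": b"\x89PNG",    # not encrypted
        "notes.txt": b"plain text",              # not encrypted
    }
    for rel, content in layout.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    summary = triage_directory(sample_root)
    print(f"Encrypted files: {summary['encrypted_count']}")
    print(f"By original type: {summary['by_original_ext']}")
    print(f"Directories with ransom note: {summary['directories_with_notes']}")
```

Pointing triage_directory at a mounted forensic image or a mapped share gives the same summary for a real host; the per-extension breakdown is what tells you whether backups of the affected document types exist before any recovery attempt is made.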

Remove SamSam Ransomware and Restore .weapologize Encrypted Files

In order to successfully remove this ransomware infection from your computer system, we advise that you follow the removal instructions below. They are specifically designed to help you by explaining how to delete the objects created by this ransomware, either manually or automatically. If you lack the experience to remove this ransomware virus manually, security researchers strongly advise doing so automatically, preferably by downloading an advanced anti-malware program. Such a program will ensure that this malware is removed automatically and that your PC stays protected against future infections as well.

If you want to restore files that have been encrypted with the added .weapologize file extension, we advise that you follow the alternative methods for file recovery below, in step ‘2. Restore files encrypted by SamSam .weapologize’. They are created in order to help you restore as many files as possible without paying the ransom, even though they are no guarantee that you will restore all of the files.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having also graduated in Marketing, Ventsislav has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
