Ransomware Research
SamSam Ransomware
SamSam is a ransomware strain that encrypts victim files and demands a ransom payment for decryption. First observed in the wild on May 1, 2016, this ransomware has been actively targeting systems worldwide. Security researchers also track this malware under the aliases Samas and SAM.
Quick Facts
- Ransomware Family: SamSam
- First Seen: May 1, 2016
- Known Aliases: Samas, SAM
How SamSam Ransomware Works
Targeted Files
Requires a parameter: a file containing an RSA public key (2048 bits).
References:
https://app.any.run/tasks/e60d8876-5f38-4f70-8978-1df8bd60e4a5/
https://www.bleepingcomputer.com/news/security/samsam-ransomware-hits-hospitals-city-councils-ics-firms/
https://blog.talosintelligence.com/samsam-evolution-continues-netting-over/
File Encryption Patterns
SamSam modifies encrypted files using specific patterns to mark them as encrypted:
File extensions added after encryption:
.encryptedRSA
.justbtcwillhelpyou
.btcbtcbtc
.btc-help-you
.only-we_can-help_you
.iwanthelpuuu
.notfoundrans
.checkdiskenced
.VforVendetta
.happenencedfiles
.Whereisyourfiles
.helpmeencedfiles
.wowwhereismyfiles
.wowreadfordecryp
.powerfulldecrypt
.otherinformation
.letmetrydecfiles
.encryptedyourfiles
.weencedufiles
.filegofprencrp
.iaufkakfhsaraf
.cifgksaffsfyghd
.vekanhelpu
.moments2900
.country82000
.supported2017
.prosperous666
.disposed2017
.myransext2017
.areyoulovemyrans
.weapologize
.JayTHL
.breeding123
.mention9823
.greystars@protonmail.com
.encryptedAES
.encedRSA
.stubbin
.berkshire
Ransom Note and Payment Demands
After encrypting files, SamSam displays ransom notes demanding payment for file recovery:
HELP_DECRYPT_YOUR_FILES.html
HELP_FOR_DECRYPT_FILE.html
Ransom message:
notes/HELP_FOR_DECRYPT_FILE.html
Note locations:
EveryFolder
/^\d{3}-HELP_FOR_DECRYPT_FILE\.html\b/
Ransom message:
notes/009-HELP_FOR_DECRYPT_FILE.html
Note locations:
EveryFolder
READ-FOR-HELLPP.html
Ransom message:
notes/READ-FOR-HELLPP.html
Note locations:
EveryFolder
/^\d{3}-PLEASE-READ-WE-HELP\.html\b/
Note locations:
EveryFolder
/^\d{3}-HAPPEN-ENCED-FILES\.html\b/
Note locations:
EveryFolder
WHERE-YOUR-FILES.html
HELP-ME-ENCED-FILES.html
/^\d{3}-PLS-DEC-MY-FILES\.html\b/
/^\d{3}-WOW-READ-FOR-DECRYP\.html\b/
/^(\d{3}-)?WE-MUST-DEC-FILES\.html\b/
Ransom message:
notes/000-WE-MUST-DEC-FILES.html
Note locations:
EveryFolder
/^(\d{3}-)?IF-YOU-WANT-DEC-FILES\.html\b/
/^(\d{3}-)?LET-ME-TRY-DEC-FILES\.html\b/
/^(\d{3}-)?READ-FOR-DECRYPT-FILES\.html\b/
/^(\d{3}-)?READ-READ-READ\.html\b/
Ransom message:
notes/READ-READ-READ.html
Note locations:
EveryFolder
PLEASE-READIT-IF_YOU-WANT.html
IF_WANT_FILES_BACK_PLS_READ.html
READ_READ_DEC_FILES.html
WE-CAN-HELP-U.html
/^(\d{3}-)?PLEASE-README-AFFECTED-FILES\.html\b/
Ransom message:
notes/PLEASE-README-AFFECTED-FILES.html
Note locations:
EveryFolder
/^(\d{3}-)?PLEASE-README-HOWTO-RECOVERY\.html\b/
Ransom message:
notes/PLEASE-README-HOWTO-RECOVERY.html
Note locations:
EveryFolder
/^(\d{3}-)?DO-YOU-WANT-FILES\.html\b/
/^(\d{4}-)?DO-YOU-WANT-FILES\.html\b/
/^(\d{4}-)?SORRY-FOR-FILES\.html\b/
FuckYouJayTHL_HELP_ENCRYPTED_FILES.TXT
Ransom message:
notes/FuckYouJayTHL_HELP_ENCRYPTED_FILES.TXT
Note locations:
EveryFolder
Technical Indicators
Associated Executable Files
The following executable files are associated with SamSam ransomware:
showmehowto.exe
flashupon.sav
samsam.exe
wanadoesme.exe
foreswan2.exe
WinDir.exe
sobusy.exe
amqoni2.exe
carnavio2.exe
carnavio2.ex_
toclose.exe
barbosa2.exe
faraway.exe
preguess2.exe
preguess2
emetic45.exe
6c9d69fe-2f7e-2301-f598-738e7b987644_1d2525ef547865f
a7dfbbe7-67c9-f440-cd2c-95bc374b9cc7_1d25252b0838a60
4bb8c2ae-6a2a-6d46-a252-1e3532bded93_1d24f7681546273
alt6982.tmp
alt6859.tmp
ana_test.abc
way3.exe
cheerful2.exe
2768784_cheerful2.exe
convinced2.exe
valley2.exe
ConsoleApplication2.exe
Test
Test.exe
sam1.exe
updatewin3.exe
U398ZPS5.exe
barbimos2.exe
About This Analysis
This SamSam ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like SamSam.
Last updated: July 30, 2025