Ransomware Research

SamSam Ransomware

SamSam is a malicious ransomware strain that encrypts victim files and demands ransom payment for decryption. First observed in the wild on May 1, 2016, this ransomware has been actively targeting systems worldwide. Security researchers also track this malware under the aliases: Samas, SAM.

Quick facts

Ransomware Family

SamSam

First Seen

May 1, 2016

Known Aliases

SamasSAM

How SamSam ransomware works

File encryption patterns

SamSam modifies encrypted files using specific patterns to mark them as encrypted:

Extensions added after encryption

.encryptedRSA.justbtcwillhelpyou.btcbtcbtc.btc-help-you.only-we_can-help_you.iwanthelpuuu.notfoundrans.checkdiskenced.VforVendetta.happenencedfiles.Whereisyourfiles.helpmeencedfiles.wowwhereismyfiles.wowreadfordecryp.powerfulldecrypt.otherinformation.letmetrydecfiles.encryptedyourfiles.weencedufiles.filegofprencrp.iaufkakfhsaraf.cifgksaffsfyghd.vekanhelpu.moments2900.country82000.supported2017.prosperous666.disposed2017.myransext2017.areyoulovemyrans.weapologize.JayTHL.breeding123.mention9823.greystars@protonmail.com.encryptedAES.encedRSA.stubbin.berkshire

Ransom note and payment demands

After encrypting files, SamSam displays ransom notes demanding payment for file recovery:

fileHELP_DECRYPT_YOUR_FILES.html

fileHELP_FOR_DECRYPT_FILE.html

notes/HELP_FOR_DECRYPT_FILE.html

Location: EveryFolder

file/^\d{3}-HELP_FOR_DECRYPT_FILE\.html\b/

notes/009-HELP_FOR_DECRYPT_FILE.html

Location: EveryFolder

fileREAD-FOR-HELLPP.html

notes/READ-FOR-HELLPP.html

Location: EveryFolder

file/^\d{3}-PLEASE-READ-WE-HELP\.html\b/

Location: EveryFolder

file/^\d{3}-HAPPEN-ENCED-FILES\.html\b/

Location: EveryFolder

fileWHERE-YOUR-FILES.html

fileHELP-ME-ENCED-FILES.html

file/^\d{3}-PLS-DEC-MY-FILES\.html\b/

file/^\d{3}-WOW-READ-FOR-DECRYP\.html\b/

file/^(\d{3}-)?WE-MUST-DEC-FILES\.html\b/

notes/000-WE-MUST-DEC-FILES.html

Location: EveryFolder

file/^(\d{3}-)?IF-YOU-WANT-DEC-FILES\.html\b/

file/^(\d{3}-)?LET-ME-TRY-DEC-FILES\.html\b/

file/^(\d{3}-)?READ-FOR-DECRYPT-FILES\.html\b/

file/^(\d{3}-)?READ-READ-READ\.html\b/

notes/READ-READ-READ.html

Location: EveryFolder

filePLEASE-READIT-IF_YOU-WANT.html

fileIF_WANT_FILES_BACK_PLS_READ.html

fileREAD_READ_DEC_FILES.html

fileWE-CAN-HELP-U.html

file/^(\d{3}-)?PLEASE-README-AFFECTED-FILES\.html\b/

notes/PLEASE-README-AFFECTED-FILES.html

Location: EveryFolder

file/^(\d{3}-)?PLEASE-README-HOWTO-RECOVERY\.html\b/

notes/PLEASE-README-HOWTO-RECOVERY.html

Location: EveryFolder

file/^(\d{3}-)?DO-YOU-WANT-FILES\.html\b/

file/^(\d{4}-)?DO-YOU-WANT-FILES\.html\b/

file/^(\d{4}-)?SORRY-FOR-FILES\.html\b/

fileFuckYouJayTHL_HELP_ENCRYPTED_FILES.TXT

notes/FuckYouJayTHL_HELP_ENCRYPTED_FILES.TXT

Location: EveryFolder

Technical indicators

Associated executable files

The following executable files are associated with SamSam ransomware:

showmehowto.exe
flashupon.sav
samsam.exe
wanadoesme.exe
foreswan2.exe
WinDir.exe
sobusy.exe
amqoni2.exe
carnavio2.exe
carnavio2.ex_
toclose.exe
barbosa2.exe
faraway.exe
preguess2.exe
preguess2
emetic45.exe
6c9d69fe-2f7e-2301-f598-738e7b987644_1d2525ef547865f
a7dfbbe7-67c9-f440-cd2c-95bc374b9cc7_1d25252b0838a60
4bb8c2ae-6a2a-6d46-a252-1e3532bded93_1d24f7681546273
alt6982.tmp
alt6859.tmp
ana_test.abc
way3.exe
cheerful2.exe
2768784_cheerful2.exe
convinced2.exe
valley2.exe
ConsoleApplication2.exe
Test
Test.exe
sam1.exe
updatewin3.exe
U398ZPS5.exe
barbimos2.exe

About this analysis

This SamSam ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery, helping organizations defend against and recover from ransomware attacks like SamSam.

Last updated: December 30, 2025

Detection coverage

Elastio detects SamSam inside your data and backups.

The Hunt Engine uses Deep File Inspection to identify SamSam across live data, replicated data, and backups. If this family is in your environment, Elastio finds it before encryption completes. Run a scan against your recovery points to confirm.

See How the Hunt Engine Works Request a Demo

Recent ransomware

Explore other threats in our database

Wxlongda2025 VeilCrypt2025 TitanLabooboo2025 SolidBit2022 SnapHackLocker2024 PySystemUpdate2025 PySimCrypt2025 Monkey2025 Lol2025 HWID2025

View all ransomware →

SamSam Ransomware

Quick facts

How SamSam ransomware works

File encryption patterns

Ransom note and payment demands

Technical indicators

Associated executable files

About this analysis

Elastio detects SamSam inside your data and backups.

Recent ransomware

Product

Sales

Support

Company

Solutions

Partners

Resources

Security

Social

Compare