Published Oct 13, 2014 | Updated Sep 15, 2017
Ransom:MSIL/Samas.A
Summary
Windows Defender Antivirus detects and removes this threat.
This ransomware family encrypts the files on your PC. It shows you a message that says you must pay for decryption software to get access to your files again.
You can read more about this type of threat on our ransomware page.
Technical information
Threat behavior
Installation
This malware is dropped in the <system folder> (typically C:\Windows\System32) as samsam.exe, together with a key file named <ComputerName>_PublicKey.xml, where <ComputerName> is the name of the infected computer. The public key in this file is used to encrypt files on the system. Because only the public key is written to the PC, the matching private key needed for decryption is not present on the infected system.
Payload
Encrypts your files
This malware searches all folders for files with the following extensions and encrypts them:
.3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .7z
.ab4, .accdb, .accde, .accdr, .accdt, .ach, .acr, .act, .adb, .ads, .agdl, .ai, .ait, .al, .apj, .arw, .asf, .asm, .asp, .aspx, .asx, .avi, .awg
.back, .backup, .backupdb, .bak, .bank, .bay, .bdb, .bgt, .bik, .bkf, .bkp, .blend, .bpw
.c, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfp, .cgm, .cib, .class, .cls, .cmt, .cpi, .cpp, .cr2, .craw, .crt, .crw, .cs, .csh, .csl, .csv
.dac, .db, .db3, .dbf, .db-journal, .dbx, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .der, .des, .design, .dgc, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg
.eml, .eps, .erbsql, .erf, .exf
.fdb, .ffd, .fff, .fh, .fhd, .fla, .flac, .flv, .fmb, .fpx, .fxg
.gray, .grey, .gry
.h, .hbk, .hpp, .htm, .html
.ibank, .ibd, .ibz, .idx, .iif, .iiq, .incpas, .indd
.jar, .java, .jpe, .jpeg, .jpg, .jsp
.kbx, .kc2, .kdbx, .kdc, .key, .kpdx
.lua
.m, .m4v, .max, .mdb, .mdc, .mdf, .mef, .mfw, .mmw, .moneywell, .mos, .mov, .mp3, .mp4, .mpg, .mrw, .msg, .myd
.nd, .ndd, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nwb, .nx2, .nxl, .nyf
.oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .oil, .orf, .ost, .otg, .oth, .otp, .ots, .ott
.p12, .p7b, .p7c, .pab, .pages, .pas, .pat, .pbl, .pcd, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .php, .php5, .phtml, .pl, .plc, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prf, .ps, .psafe3, .psd, .pspimage, .pst, .ptx, .py
.qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby
.r3d, .raf, .rar, .rat, .raw, .rdb, .rm, .rtf, .rw2, .rwl, .rwz
.s3db, .sas7bdat, .say, .sd0, .sda, .sdf, .sldm, .sldx, .sql, .sqlite, .sqlite3, .sqlitedb, .sr2, .srf, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .std, .sti, .stw, .stx, .svg, .swf, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw
.tex, .tga, .thm, .tib, .tif, .tlg, .txt
.vob
.wallet, .war, .wav, .wb2, .wmv, .wpd, .wps
.x11, .x3f, .xis, .xla, .xlam, .xlk, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml
.ycbcra, .yuv
.zip
It renames each encrypted file by appending ".encrypted.RSA" to its name, for example:
Help.txt -> Help.txt.encrypted.RSA
It then creates the file HELP_DECRYPT_YOUR_FILES.html in the root folder of the encrypted files as well as in the %Desktop% folder.
This HTML file contains the ransom demand: instructions that ask you to pay a fee in exchange for decrypting your files.
After encrypting your files, the malware deletes its own executable to remove traces of itself from the system.
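The behavior above (a dropped samsam.exe plus <ComputerName>_PublicKey.xml, a fixed set of targeted extensions, the ".encrypted.RSA" rename, and the HELP_DECRYPT_YOUR_FILES.html note) gives a responder a concrete set of host artifacts to hunt for. The following Python script is an added example, not code from Microsoft, from this page or from the malware: it walks a directory tree, buckets every file that matches one of those indicators, flags untouched files of a targeted type, and inspects any recovered key file to see whether it holds private-key material. The sample tree it builds is constructed, the extension set is a small subset of the list above, and the key-file format (the .NET RSAKeyValue XML layout, with D/P/Q elements present only for private keys) is my assumption; the page does not describe that file's contents.

```python
"""Triage scanner for the Samas.A host artifacts described above.

Added example (not Microsoft's or the malware's code). Assumption, not stated
on the page: <ComputerName>_PublicKey.xml uses the .NET RSA XML layout,
<RSAKeyValue><Modulus/><Exponent/>...</RSAKeyValue>, where D, P, Q, DP, DQ and
InverseQ appear only when a private key was exported.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

ENCRYPTED_SUFFIX = ".encrypted.RSA"          # appended to every encrypted file
RANSOM_NOTE = "HELP_DECRYPT_YOUR_FILES.html"  # dropped beside encrypted files and on the desktop
DROPPER = "samsam.exe"                        # dropped binary; it deletes itself when done
PUBKEY_RE = re.compile(r"^.+_PublicKey\.xml$", re.IGNORECASE)

# Small subset of the targeted extensions listed on the page; extend as needed.
TARGETED = {".doc", ".docx", ".xlsx", ".pdf", ".jpg", ".sql", ".bak", ".kdbx", ".pst", ".txt"}

# Elements that exist only in a .NET RSA XML export of a private key (assumption above).
PRIVATE_ELEMENTS = {"D", "P", "Q", "DP", "DQ", "InverseQ"}


def original_name(name):
    """'Help.txt.encrypted.RSA' -> 'Help.txt'; None when the suffix is absent."""
    if name.lower().endswith(ENCRYPTED_SUFFIX.lower()):
        return name[: -len(ENCRYPTED_SUFFIX)]
    return None


def classify_key_xml(text):
    """Return 'public', 'private' or 'unknown' for the contents of a key XML file."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return "unknown"
    if root.tag != "RSAKeyValue":
        return "unknown"
    tags = {child.tag for child in root}
    if tags & PRIVATE_ELEMENTS:
        return "private"   # private key on disk: files may be recoverable
    if {"Modulus", "Exponent"} <= tags:
        return "public"    # expected case: only the public half was dropped
    return "unknown"


def scan_tree(root):
    """Walk root once and bucket every file that matches an indicator."""
    findings = {"encrypted": [], "notes": [], "keys": {}, "droppers": [], "at_risk": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            low = name.lower()
            if low.endswith(ENCRYPTED_SUFFIX.lower()):
                findings["encrypted"].append(full)
            elif low == RANSOM_NOTE.lower():
                findings["notes"].append(full)
            elif PUBKEY_RE.match(name):
                findings["keys"][full] = classify_key_xml(Path(full).read_text(errors="replace"))
            elif low == DROPPER:
                findings["droppers"].append(full)
            elif Path(name).suffix.lower() in TARGETED:
                findings["at_risk"].append(full)   # untouched file of a targeted type
    return findings


def folders_missing_note(findings):
    """Folders holding encrypted files but no ransom note (worth a second look)."""
    note_dirs = {os.path.dirname(p) for p in findings["notes"]}
    enc_dirs = {os.path.dirname(p) for p in findings["encrypted"]}
    return sorted(enc_dirs - note_dirs)


def build_sample_tree(root):
    """Constructed layout imitating a host after infection (not real data)."""
    root = Path(root)
    system32 = root / "Windows" / "System32"
    desktop = root / "Users" / "alice" / "Desktop"
    docs = root / "Users" / "alice" / "Documents"
    for d in (system32, desktop, docs):
        d.mkdir(parents=True)
    # The key file stays behind; samsam.exe itself is gone because it self-deletes.
    (system32 / "WS01_PublicKey.xml").write_text(
        "<RSAKeyValue><Modulus>AQID</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>")
    (docs / "Help.txt.encrypted.RSA").write_bytes(b"\x00" * 16)
    (docs / "budget.xlsx.encrypted.RSA").write_bytes(b"\x00" * 16)
    (docs / RANSOM_NOTE).write_text("<html>pay</html>")
    (desktop / RANSOM_NOTE).write_text("<html>pay</html>")
    (desktop / "todo.txt").write_text("not yet encrypted")
    return str(root)


def demo():
    """Scan the constructed tree and return counts for checking."""
    with tempfile.TemporaryDirectory() as tmp:
        findings = scan_tree(build_sample_tree(tmp))
        return {
            "encrypted": len(findings["encrypted"]),
            "notes": len(findings["notes"]),
            "key_types": sorted(findings["keys"].values()),
            "droppers": len(findings["droppers"]),
            "at_risk": len(findings["at_risk"]),
            "missing_note": len(folders_missing_note(findings)),
        }


if __name__ == "__main__":
    print(demo())
```

Point scan_tree at a mounted image or the drive root of a suspect host instead of the temporary tree. A key file classified as "private" would mean decryption material is on the machine and recovery may be possible; "public", the case the file's name leads you to expect, means it is not. An empty "droppers" bucket on an otherwise positive host is consistent with the self-deletion described above, so treat the key file and the notes, not the executable, as the durable artifacts.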
Analysis by Ric Robielos
Prevention
Symptoms
The following could indicate that you have this threat on your PC:
Your files have been renamed with the added extension .encrypted.RSA, and a file named HELP_DECRYPT_YOUR_FILES.html appears in the affected folders and on your desktop.
You see the ransom screen (screenshot not reproduced here; the text captured from it reads: Debug Version = 1.0.0.0;).