Ransom:MSIL/Samas


First posted on 15 February 2019.
Source: Microsoft

Aliases:

There are no other names known for Ransom:MSIL/Samas.

Explanation:

Installation

This malware is dropped in the  as samsam.exe, together with a key file, _PublicKey.xml, which is used to encrypt the files on the system.

Payload

Encrypts your files

This malware searches all folders for files with the following extensions and then encrypts them:

.3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .7z, .ab4, .accdb, .accde, .accdr, .accdt, .ach, .acr, .act, .adb, .ads, .agdl, .ai, .ait, .al, .apj, .arw, .asf, .asm, .asp, .aspx, .asx, .avi, .awg, .back, .backup, .backupdb, .bak, .bank, .bay, .bdb, .bgt, .bik, .bkf, .bkp, .blend, .bpw, .c, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfp, .cgm, .cib, .class, .cls, .cmt, .cpi, .cpp, .cr2, .craw, .crt,
.crw, .cs, .csh, .csl, .csv, .dac, .db, .db3, .dbf, .db-journal, .dbx, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .der, .des, .design, .dgc, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .eml, .eps, .erbsql, .erf, .exf, .fdb, .ffd, .fff, .fh, .fhd, .fla, .flac, .flv, .fmb, .fpx, .fxg, .gray, .grey, .gry, .h, .hbk, .hpp, .htm, .html, .ibank, .ibd, .ibz, .idx, .iif,
.iiq, .incpas, .indd, .jar, .java, .jpe, .jpeg, .jpg, .jsp, .kbx, .kc2, .kdbx, .kdc, .key, .kpdx, .lua, .m, .m4v, .max, .mdb, .mdc, .mdf, .mef, .mfw, .mmw, .moneywell, .mos, .mov, .mp3, .mp4, .mpg, .mrw, .msg, .myd, .nd, .ndd, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nwb, .nx2, .nxl, .nyf, .oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .oil, .orf, .ost, .otg, .oth,
.otp, .ots, .ott, .p12, .p7b, .p7c, .pab, .pages, .pas, .pat, .pbl, .pcd, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .php, .php5, .phtml, .pl, .plc, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prf, .ps, .psafe3, .psd, .pspimage, .pst, .ptx, .py, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .r3d, .raf, .rar, .rat, .raw, .rdb, .rm, .rtf, .rw2, .rwl, .rwz, .s3db, .sas7bdat, .say, .sd0, .sda,
.sdf, .sldm, .sldx, .sql, .sqlite, .sqlite3, .sqlitedb, .sr2, .srf, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .std, .sti, .stw, .stx, .svg, .swf, .sxc, .sxd, .sxg, .sxi, .sxi, .sxm, .sxw, .tex, .tga, .thm, .tib, .tif, .tlg, .txt, .vob, .wallet, .war, .wav, .wb2, .wmv, .wpd, .wps, .x11, .x3f, .xis, .xla, .xlam, .xlk, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .ycbcra, .yuv, .zip

It renames the encrypted files by adding "encrypted.RSA" to their extension, for example:

Help.txt -> Help.txt.encrypted.RSA

It then creates the file HELP_DECRYPT_YOUR_FILES.html in the root folder of the encrypted files as well as in the %Desktop% folder.

This HTML file contains instructions on how to decrypt the files, asking you to pay a fee.


After encrypting your files, this malware automatically deletes itself to remove its traces from the system.
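As an added example (not part of the Microsoft write-up), a small Python triage script that walks a directory tree looking for the artefacts described above: files renamed with the .encrypted.RSA suffix (recovering and counting the original extension), the HELP_DECRYPT_YOUR_FILES.html note, the _PublicKey.xml key file and the samsam.exe dropper. The sample tree it builds is constructed here, and TARGETED is only a small subset of the extension list above.

```python
import os
import tempfile
from collections import Counter
# Artefacts named in the write-up above.
ENCRYPTED_SUFFIX = ".encrypted.RSA"
RANSOM_NOTE = "HELP_DECRYPT_YOUR_FILES.html"
KEY_FILE = "_PublicKey.xml"
DROPPER = "samsam.exe"
# Small subset of the targeted extensions listed above (the full list is long).
TARGETED = {".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".sql", ".bak", ".kdbx", ".pem"}

def triage(root):
    """Walk root and collect Samas-style artefacts: renamed files (original
    extension recovered and counted), ransom notes, key files and droppers."""
    report = {"encrypted": [], "by_ext": Counter(), "notes": [], "key_files": [], "droppers": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_SUFFIX):
                original = name[:-len(ENCRYPTED_SUFFIX)]  # "Help.txt.encrypted.RSA" -> "Help.txt"
                report["encrypted"].append(path)
                report["by_ext"][os.path.splitext(original)[1].lower()] += 1
            elif name == RANSOM_NOTE:
                report["notes"].append(path)
            elif name == KEY_FILE:
                report["key_files"].append(path)
            elif name.lower() == DROPPER:
                report["droppers"].append(path)
    return report

def is_samas_like(report):
    """Verdict: renamed files next to a ransom note, with a recovered extension in TARGETED."""
    hit = any(ext in TARGETED for ext in report["by_ext"])
    return bool(report["encrypted"]) and bool(report["notes"]) and hit

def build_sample_tree():
    """Constructed sample tree (not a real capture); left on disk for inspection."""
    root = tempfile.mkdtemp(prefix="samas_triage_")
    docs = os.path.join(root, "Users", "alice", "Documents")
    desktop = os.path.join(root, "Users", "alice", "Desktop")
    for d in (docs, desktop): os.makedirs(d)
    for name in ("Help.txt.encrypted.RSA", "budget.xlsx.encrypted.RSA", "notes.txt", RANSOM_NOTE):
        open(os.path.join(docs, name), "w").close()
    open(os.path.join(desktop, RANSOM_NOTE), "w").close()  # note is also dropped on %Desktop%
    open(os.path.join(root, KEY_FILE), "w").close()
    return root

if __name__ == "__main__":
    print(is_samas_like(triage(build_sample_tree())))
```

Pointed at a real volume, triage() gives responders a per-extension count of what was renamed, which doubles as a scoping aid for restore from backup.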

Analysis: Ric Robielos

Last update 15 February 2019
