Fuck You SAMSAM creators

The joke is on you! You tried to encrypt all my data, but my data was stored on one drive, accessed by two computers! So yes, you might have encrypted it on one, but it went into the recycle bin on the other and I was able to restore without having to pay your $5,000 fee. So fuck you, fuck your attempt at blackmail, and may you get the same treatment out of life that you have given others.

I support this pitting.

Hi, I work for a security vendor that is investigating SamSam, could I talk to you about this attack? How do you know it was SamSam?

The current ransom demand for all encrypted machines is 7 BTC which is roughly $40k, they also offer 0.8 BTC for individual machines, which is just under $5k, I assume that is the amount you are referring to?

Nice try, Mr. SamSam.

Well, I am not 100% positive it’s SamSam. Microsoft’s OneDrive had a link to a support page that allowed you to upload a sample file. It identified it as SAMSAM and said there was no known recovery. When I found the files in my recycle bin on my laptop, I was feeling all “SUCK IT” so I had to pit them.

Yes, I rounded to 5,000 because I didn’t remember the exact number.

The files that were encrypted will all have a new file extension at the end and there will be ransom notes in the folders with encrypted files and on the desktop.

Do you know what the file extension was and the name of the ransom note file?

How were you vulnerable to this attack in the first place and have you remedied that issue? What should people (like me!) do to avoid this kind of thing?

xxxx-SORRY-FOR-FILES.HTML where xxxx starts at 0000 and increments up. The file extension is .weapologize.

If you’re interested, here’s a screenshot of a directory I haven’t cleaned yet. It is an IMGUR link. I was going to see if I could get a hex editor and reverse engineer the encryption algorithm, since I have both the starting and ending points.

I was made vulnerable because I was using OneDrive to make it easy to work from home so I had it on both my work computer and my home computer. It was my work computer that got infected and I used my home computer to recover. Our security team is still investigating where the breach came from.

I work for the security firm Sophos, I lead a team of researchers that have been investigating SamSam for the last 6 months. If your security team wants answers I can help.

They can contact me on Twitter: @AltShiftPrtScn (PeterM)

Are you able to show me a screenshot of the ransom note? It will open in a browser and isn’t malicious.

Also the most common way the SamSam attacker gains access to a network is brute forcing RDP accounts. Your company should make sure the RDP port (default is 3389) is not open to the internet and instead restricted to specific IP addresses/ranges.

That’s free help I am offering, just to clarify.
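Added example, not part of any post in this thread: one way to check the RDP advice above against a firewall rule export, flagging every allow rule that reaches port 3389 from a source outside an approved set of ranges. The rule format, rule names and allowlist are constructed for illustration, and each rule is judged on its own (rule ordering is not modelled).

```python
import ipaddress

RDP_PORT = 3389  # default RDP port, as named in the post above

# Constructed sample rules in a hypothetical export format (not from the thread).
SAMPLE_RULES = [
    {"name": "rdp-any",    "action": "allow", "source": "0.0.0.0/0",       "ports": "3389"},
    {"name": "rdp-office", "action": "allow", "source": "203.0.113.0/28",  "ports": "3389"},
    {"name": "wide-range", "action": "allow", "source": "198.51.100.0/24", "ports": "3000-4000"},
    {"name": "web",        "action": "allow", "source": "0.0.0.0/0",       "ports": "80,443"},
    {"name": "rdp-v6",     "action": "allow", "source": "::/0",            "ports": "3389"},
    {"name": "rdp-deny",   "action": "deny",  "source": "0.0.0.0/0",       "ports": "3389"},
]


def covers_rdp(ports):
    """True if a port spec ('3389', '3000-4000', '80,3389', 'any') includes RDP."""
    if ports.strip().lower() == "any":
        return True
    for part in ports.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= RDP_PORT <= int(hi or lo):
            return True
    return False


def source_allowed(source, allowlist):
    """True if the rule's source network sits entirely inside an approved range."""
    net = ipaddress.ip_network(source, strict=False)
    return any(net.version == a.version and net.subnet_of(a) for a in allowlist)


def exposed_rdp_rules(rules, allowed_sources):
    """Names of allow rules that open RDP to sources outside the allowlist."""
    allowlist = [ipaddress.ip_network(a) for a in allowed_sources]
    return [
        r["name"]
        for r in rules
        if r["action"] == "allow"
        and covers_rdp(r["ports"])
        and not source_allowed(r["source"], allowlist)
    ]


if __name__ == "__main__":
    # 203.0.113.0/24 stands in for the company's approved remote-access range.
    for name in exposed_rdp_rules(SAMPLE_RULES, ["203.0.113.0/24"]):
        print("RDP exposed by rule:", name)
```

Port ranges and IPv6 any-source rules are the cases a plain search for "3389" and "0.0.0.0/0" tends to miss.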

I’ll mention it to them tomorrow, but I’m in no position to make any commitments. I do know our security people are working closely with McAfee and RDP was indeed mentioned. I’ll see about getting a screenshot of the .html later tonight.

Here’s a copy of the ransom note.