samsam-ransomware

SamSam Ransomware Recovery, Payment & Decryption Statistics

The information below describes relevant statistics of SamSam ransomware recovery, payment and decryption. The recovery process of SamSam ransomware includes identifying the strain and the risk associated with pursuing a ransom payment for data decryption. Please review the information below, or contact our support team, to learn more about SamSam ransomware recovery, payment and decryption statistics.

Report a SamSam attack →
 
 
 

HOW MUCH ARE SAMSAM RANSOMWARE RANSOM DEMANDS?

SamSam ransomware payments are typically much higher than the ransomware marketplace average. This is due to the specialized and bespoke nature of the attacks. SamSam hackers are known to not broadly syndicate their ransomware and pick their targets after close diligence.

SAMSAM RANSOMWARE: RANSOM AMOUNTS

SamSam Ransomware average ransom vs ransomware marketplace

AVERAGE LENGTH OF SAMSAM INCIDENT

The amount of time from reporting to full data recovery of a SamSam Ransomware incident

HOW LONG DOES IT TAKE TO RECOVER FROM A SAMSAM RANSOMWARE ATTACK?

SamSam ransomware incidents are usually much shorter in duration than other attacks due to the streamlined communication, settlement, and decryption delivery that the hacker group has invested in.

Read about Atlanta's SamSam attack.

WHAT DATA RECOVERY RATE IS EXPECTED WHEN PAYING FOR A SAMSAM RANSOMWARE DECRYPTOR?

SamSam Ransomware has a very high data recovery success rate after a ransom payment is made. The decrypter tools are relatively straightforward to use and run efficiently. There is nuance to determining the ID-host names that should be vetted carefully by an expert prior to paying though.

SAMSAM RANSOMWARE CASE OUTCOMES

The outcome of SamSam Ransomware incidents
 

Immediate SAMSAM Ransomware Help

For immediate assistance contact us or call 24/7 Support: (203) 442-4050

Name


DHARMA RANSOMWARE NOTE #1: MULTICOLORED

 

SAMSAM RANSOMWARE FREQUENTLY ASKED QUESTIONS

 

1. ARE THERE FREE SAMSAM DECRYPTION TOOLS?

As of page publication (December, 2019) there are no SamSam decryption tools. If you submit a file example to us, we will have a look for free and let you know. There are also good free websites that you can upload a sample file to and independently check. You should NOT pay a data recovery firm or any other service provider to research your file encryption. They will use the same free resources noted above… so don’t waste your money or time! SamSam encrypts with AES / RSA, and then demands a ransom of 1 bitcoin or more to restore files.

This is an example of a tool provided by the hacker:

SamSam ransomware tool

2. HOW DID I GET INFECTED WITH SAMSAM RANSOMWARE?

Vulnerabilities are surfaced via a tool called JexBoss to detect vulnerable systems with older versions of JBOSS and then run attack for remote installation of a web shell. It identifies other connected servers to the network system and introduces the payload for file encryption on the network devices. SamSam encrypts on all computers in the network. SamSam launches on a compromised machine an executable (samsam.exe) and encrypts with a combination of AES-256 (CBC) + RSA-2096. Typical means on entry include unprotected RDP configuration, email phishing and malicious attachments, downloads, application patch exploits & vulnerabilities or web injections.

3. WHAT ARE THE KNOWN SAMSAM FILE EXTENSIONS?

.3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .7z, .ab4, .accdb, .accde, .accdr, .accdt, .ach, .acr, .act, .adb, .ads, .agdl, .ai, .ait, .al, .apj, .arw, .asf, .asm, .asp, .aspx, .asx, .avi, .awg, .back, .backup, .backupdb, .bak, .bank, .bay, .bdb, .bgt, .bik, .bkf, .bkp, .blend, .bpw, .c, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfp, .cgm, .cib, .class, .cls, .cmt, .cpi, .cpp, .cr2, .craw, .crt, .crw, .cs, .csh, .csl, .csv, .dac, .db, .db3, .dbf, .db-journal, .dbx, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw , .dds, .der, .des, .design, .dgc, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .eml, .eps, .erbsql, .erf, .exf, .fdb, .ffd, .fff, .fh, .fhd, .fla, .flac, .flv, .fmb, .fpx, .fxg, .gray, .grey, .gry, .h, .hbk, .hpp, .htm, .html, .ibank, .ibd, .ibz, .idx, .iif, .iiq, .incpas, .indd, .jar, .java, .jpe, .jpeg, .jpg, .jsp, .kbx, .kc2, .kdbx, .kdc, .key, .kpdx, .lua, .m, .m4v, .max, .mdb, .mdc, .mdf, .mef, .mfw, .mmw, .moneywell, .mos, .mov, .mp3, .mp4, .mpg, .mrw, .msg, .myd, .nd, .ndd,.nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nwb, .nx2, .nxl, .nyf, .oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .oil, .orf, .ost, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pab, .pages, .pas, .pat, .pbl, .pcd, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .php, .php5, .phtml, .pl, .plc, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prf, .ps, .psafe3, .psd, .pspimage, .pst, .ptx, .py, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .r3d, .raf, .rar, .rat, .raw, .rdb, .rm, .rtf, .rw2, .rwl, .rwz, .s3db, .sas7bdat, .say, .sd0, .sda, .sdf, .sldm, .sldx, .sql, .sqlite , .sqlite3, .sqlitedb, .sr2, .srf, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .std, .sti, .stw, .stx, .svg, .swf, .sxc, .sxd, .sxg, .sxi, .sxi, .sxm, .sxw, .tex, .tga, .thm, .tib, .tif, .tlg, .txt, .vob, .wallet, .war, .wav, .wb2, .wmv, .wpd, .wps, .x11, .x3f, .xis, .xla, .xlam, .xlk, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .ycbcra, .yuv

4. WHAT DOES A SAMSAM RANSOM NOTICE LOOK LIKE?

SamSam ransomware hackers will leave a notice behind that will be prominent and easy to find. It commonly looks like like the image below. It includes contact information for the hacker and instructions on how to purchase cryptocurrency to pay the ransom.

Note: We do not advise that any person or company contact a hacker and negotiate directly. Cyber criminals can be difficult to communicate with. Let a professional assist you.

Example of a samsam ransomware notice

SamSam ransom note example
 

RANSOMWARE FREQUENTLY ASKED QUESTIONS

 

WHAT INFORMATION DO I NEED TO PROVIDE?

You will need to provide information from both the ransom notice and a sample encrypted file. We will schedule a call to discuss the severity of the attack, the operability of your company and the likely timeline / cost of recovering from the attack. You will also need to provide identifying information on your company, and an authorized representative of your company.

HOW MUCH WILL THIS COST?

You are already being extorted; we don’t think you deserve to pay another large fee. Coveware charges flat per incident fees. Whether the case lasts one week or three weeks, our fees are flat. We do not charge spreads of fees tied to the size of the ransom amount. Our fees will never be even close to the amount of the ransom demanded by the cyber criminal, and you should be skeptical of why any other service provider would charge a fee that high.

WHAT ABOUT FIRMS THAT HAVE TOLD ME THEY CAN DECRYPT MY FILES WITHOUT PAYING THE HACKER?

You should be extremely skeptical of any data recovery firm that claims they can decrypt ransomware. Typically they are just paying the cyber criminal without your knowledge and pocketing the difference between the ransom amount and what they will charge you. Know the facts before you engage. If the ransomware IS decryptable, the tool can be found for free. If not, purchasing a key from the cyber criminal is the only way to unlock your files. While Coveware does not condone paying cyber criminals, we recognize it is often the only choice if backups are not available or have become compromised as well. If that is the case, you deserve an honest, transparent experience.

WILL THE RANSOMWARE PAYMENT BE SUCCESSFUL?

There is no guarantee that paying the ransom will result in a working decryption tool being delivered. However, Coveware believes that data aggregation can help customers make the most informed data-driven decisions. Since we handle lots of cases of the same ransomware types, we are able to share our experiences and help customers decide how to proceed.

HOW DO I UNLOCK MY FILES?

If the ransomware payment is successful, a decryption tool & key is provided by the hacker that can be used to manually decrypt your files.

HOW DO I PREVENT THIS FROM HAPPENING AGAIN?

There are some common security mis-configurations that lead to a ransomware attack. We can share some tips and resources for preventing future attacks, but encourage companies to perform a full forensic review or security assessment as soon as possible. Consistent investment in security IT is the best antidote to preventing future attacks.

 
 
 

WHY CHOOSE COVEWARE RANSOMWARE RECOVERY SERVICES?

 
 
Explore free remediation options

FREE
RANSOMWARE ASSESSMENT

Provide a few details from the ransom notice, an example encrypted file and details of the operability of your company and budget/time. We will provide context into the severity of the attack and your options for decryption and recovery using our database of similar cases.

  • Identify Ransomware Type

  • Find free Decryptor tools

  • Identify Threat Actor Group

Threat actor negotiations

24x7 SUPPORT
- RANSOMWARE INCIDENT RESPONSE

We have deep experience communicating and negotiating with hackers. It’s what we do all day long! Take advantage of our experience and allow us to shoulder this burden.

  • Secure & safe negotiations

  • Proactive service

  • Transparent communications

  • Determine Risks & Outcomes

Restore data and end downtime

FILE DECRYPTION
& RECOVERY SUPPORT

Coveware has access to a ready supply of any crypto currency, and offers a 15 minute disbursement service level agreement. We also support the decryption/data recovery process.

  • Professional IT support

  • Insurance documentation

  • Post-incident follow up

  • Post-incident support

 

How does Coveware help our partners?

 
 
 

* Source: CDNet