SARansom ransomware - How to remove

SARansom ransomware is another virus found by MalwareHunterTeam in mid-August 2018. This crypto infection earns money for its developers by encrypting personal files and demanding a ransom in exchange for them. The unusual feature of SARansom is the size of the demand: 5 BTC (US $32,136.30). Apart from that, every other function works exactly as expected from typical file-locking malware such as NinjaLoc, Ryuk, Fox and ShutUpAndDance. SARansom sneaks into the PC, modifies the registry and adds malicious files to various directories so that it can proceed with the encryption without being interrupted. After that, the ransomware drops a ransom note with further directions for the victim on how to get the locked files back.

Ransomware is considered one of the most notorious types of malware and can be a really hard problem to solve, especially if you do not know much about it. For this reason, we have put together this article explaining more about SARansom ransomware, with instructions on how to remove it and restore the inaccessible files.

What do you need to know about SARansom virus

To begin with, you should understand the reasoning behind the SARansom virus and how it works. Malware developers try to create the most rewarding viruses, ones that bring in a lot of revenue without the crooks having to work constantly. Browser hijackers and adware are fairly easy to make and distribute, yet in order to make a decent profit from them you need to infect a lot of computers, find collaborating sponsors, process the collected information and so on. This is why ransom-demanding viruses have an advantage over other threats despite being more difficult to develop. SARansom simply locks all precious personal files with a mathematical algorithm and tries to sell the decryption key back to the victim for a large amount of money (the ransom).

SARansom ransomware specifically uses the AES-256 cipher to encrypt the victim's data, such as documents, pictures, movies and music. After that it drops a ransom note simply called 'RANSOM_NOTE' and requests 5 BTC (US $32,136.30). Compared to other crypto viruses that is a very large amount, because other ransoms range from a couple of hundred to a couple of thousand. Funnily enough, the same MalwareHunterTeam noticed that the hacker's crypto wallet shown in the note had only received 0.085 BTC (US $546.32).


SARansom RANSOM_NOTE:

DDON’T PANIC!

Your files have been encrypted.
This most unpleasant situation can be solved, however.
For the low fee of 5 bitcoin (BTC), a decrypting program will be provided.
Bitcoin address for transfer: 1C9KikcqP62DoQowKuotEcBN16mcaijbVw
Send evidence of transfer to: [email protected]
A decryption program will be sent once the transfer is complete and verified.

This SARansom message includes only the most important information, such as the crook's email and the requested amount, and it is not as scary as other ransom notes, which threaten to delete the locked files and the decryption key if the payment is not sent in time. This, together with the cipher choice, leads to the assumption that the developers won't be seeing these 5 BTC any time soon. Furthermore, SARansom does not add an extension to the locked files. If you'd like to learn more technical details, take a look at the Hybrid.

What ways can SARansom ransomware spread

Right now it is evident that SARansom ransomware is distributed via spam emails, which end up downloading and launching the SARansom.exe file responsible for installing the virus. Ransomware like SARansom prefers this malspam distribution technique because it was designed to infect both regular computer users and companies, and infected emails are one of the easiest ways to sneak past Windows security.

Banks, government and healthcare facilities have recently been the main targets of ransomware viruses, and maybe that is why SARansom's requested amount of 5 BTC is so high: it intends to attack large corporations. You can spot a spam email carrying SARansom ransomware by the shady sender address (usually someone you do not know), the message content (a very short text asking you to open a link or attachment) and, of course, the attached file or link to a bogus resume, receipt, invitation, data record or similar. In order to avoid falling for such a scam, take a look at this cyber.

How to deal with SARansom ransomware

Dealing with SARansom ransomware is a stressful and confusing matter, especially right after the virus has encrypted your files and presented the scary ransom note. The victim does not know what to do and makes mistakes, such as deleting the wrong files, resulting in even more damage to the system and data. That is why it is really important not to keep using the computer or try to solve the infection on your own.

The first step towards a clean computer should be the removal of SARansom ransomware; only after that can you begin file recovery. The quickest and most reliable ransomware eradication method is automatic removal with an anti-spyware tool like SpyHunter. This security product uses its elaborate virus-hunting features and, after a quick scan, detects the SARansom threat and all of its malicious files in various directories. After that the anti-malware software deletes the harmful data from the system, leaving the computer clean again. If you are infected by a very notorious SARansom ransomware variant, you might want to try the other anti-spyware tool, Malwarebytes, which has the ability to recover some damaged system files.

Automatic malware removal tools

  • Download SpyHunter for malware detection (Windows). Note: the SpyHunter trial provides detection of parasites and assists in their removal for free; a limited trial is available.
  • Download Combo Cleaner for malware detection (Mac). Note: the Combo Cleaner trial provides detection of parasites and assists in their removal for free; a limited trial is available.

How to remove SARansom virus yourself and restore files

Manual removal of the SARansom virus can be pretty challenging if you do not have basic computer skills, yet if you would still like to try, we have prepared instructions below that should help a user of any proficiency delete the ransomware from their system. The reason we recommend investing in a dedicated anti-malware tool instead is that it saves time, is easy to use and is a good investment for the future against other threats; furthermore, it finds threats that you might not have noticed yourself.

Unfortunately, at the moment there is no dedicated decryptor for SARansom ransomware, yet the good news is that it uses the AES cipher, which is not that impossible to solve, and most likely cryptography specialists will crack the code and release a decryption program in the very near future. Meanwhile, just remove the virus so it does not cause any bigger issues, keep the locked files and keep checking the available. Lastly, below we have included some basic file recovery options too, which you can try while waiting.


How to recover SARansom ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start > Shut down > Restart > OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot > Advanced Options > Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click "Next" in the window that appears.
  • Select one of the Restore Points created before SARansom ransomware infiltrated your system and then click "Next".
  • To start System Restore, click "Yes".

Step 2. Complete removal of SARansom ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to SARansom ransomware. You can check other tools here.  

Step 3. Restore SARansom ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually SARansom ransomware tries to delete all available Shadow Volume Copies, so this method may not work on every computer; however, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7 and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy: the native Windows Previous Versions feature or Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties > Previous Versions tab. Now you will see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

Shadow Explorer is a program that can be found online for free. You can download either a full or a portable version. Open the program and, in the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select "Export", then choose where you want it to be stored.
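The following PowerShell script is an added example that is not part of the original article and not code from any of the tools mentioned. It does from the command line what Steps 1 and 3 describe: it lists the System Restore points that rstrui.exe would offer, lists the Volume Shadow Copies that Previous Versions and Shadow Explorer read, and then copies one file back from the newest snapshot taken before that file was encrypted. It assumes Windows PowerShell 5.1 in an elevated (Administrator) session; the file paths and the mount-point name are placeholders you replace with your own.

```powershell
# Added example for Steps 1 and 3 (not part of the original article or of any vendor tool):
# enumerate the System Restore points that rstrui.exe would offer, enumerate the Volume
# Shadow Copies that "Previous Versions" and Shadow Explorer read, then copy one file back
# from the newest snapshot taken before that file was encrypted.
# Assumptions: Windows PowerShell 5.1 in an elevated (Administrator) session; the paths
# below are placeholders to replace with a real encrypted file and an output location.

$EncryptedFile = 'C:\Users\Public\Documents\report.docx'   # placeholder: a file SARansom locked
$RecoveredCopy = 'C:\Recovered\report.docx'                 # placeholder: where the clean copy goes
$MountPoint    = 'C:\ShadowMount'                           # placeholder: temporary link to the snapshot

# --- Step 1 equivalent: list restore points with readable timestamps -------------------
Get-ComputerRestorePoint |
    Select-Object SequenceNumber, Description, RestorePointType,
        @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } } |
    Format-Table -AutoSize

# --- Step 3 equivalent: list shadow copies for the drive holding the encrypted file ------
$driveLetter = Split-Path -Qualifier $EncryptedFile                    # e.g. 'C:'
$volumeId    = (Get-CimInstance Win32_Volume |
                Where-Object DriveLetter -eq $driveLetter).DeviceID    # '\\?\Volume{...}\'

$shadows = Get-CimInstance Win32_ShadowCopy |
    Where-Object VolumeName -eq $volumeId |
    Sort-Object InstallDate -Descending

if (-not $shadows) {
    # An empty list is the usual result when the ransomware deleted the copies (see Step 3).
    Write-Warning "No Volume Shadow Copies exist for $driveLetter; Previous Versions will show nothing."
    return
}
$shadows | Select-Object InstallDate, DeviceObject, ID | Format-Table -AutoSize

# --- Pick the newest snapshot that predates the encryption of the file -------------------
# The encrypted file's last-write time is a reasonable lower bound for when SARansom ran.
$encryptedAt = (Get-Item -LiteralPath $EncryptedFile).LastWriteTime
$snapshot    = $shadows | Where-Object { $_.InstallDate -lt $encryptedAt } | Select-Object -First 1
if (-not $snapshot) {
    Write-Warning 'Every remaining snapshot was taken after the file was encrypted; nothing to recover.'
    return
}

# --- Expose the snapshot through a directory symlink and copy the file out --------------
# The \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path is not browsable directly, but a
# symlink to it is; the trailing backslash on the link target is required by mklink.
cmd.exe /c "mklink /d `"$MountPoint`" `"$($snapshot.DeviceObject)\`"" | Out-Null
try {
    $relativePath = $EncryptedFile.Substring($driveLetter.Length).TrimStart('\')
    New-Item -ItemType Directory -Path (Split-Path -Parent $RecoveredCopy) -Force | Out-Null
    Copy-Item -LiteralPath (Join-Path $MountPoint $relativePath) -Destination $RecoveredCopy
    Write-Host "Recovered '$relativePath' from snapshot taken $($snapshot.InstallDate) -> $RecoveredCopy"
}
finally {
    # rmdir removes only the link, never the snapshot it points to.
    cmd.exe /c "rmdir `"$MountPoint`"" | Out-Null
}
```

Run the script after the malware has been removed (Step 2), not before, so that nothing is still encrypting files while you copy them back. The script never writes to the snapshot itself; if the shadow copy list comes back empty, that confirms the behaviour described above (the ransomware deleted the copies) and you should move on to Step 4.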

Step 4. Use Data Recovery programs to recover SARansom ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try the following:
  • We suggest using another PC and connecting the infected hard drive as a secondary (slave) drive. It is still possible to do this on the infected PC, though.
  • Download a data recovery program, such as Data Recovery Pro.
  • Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.