What is Sad ransomware? And how does it carry out its attack?
Sad ransomware is a malicious threat that encrypts data and demands a ransom of 0.3 Bitcoins in exchange for the decryption tool, called decrypter.exe, to restore files. This file-encrypting threat was first detected on the 3rd of November 2017. Once Sad ransomware is able to enter your system, it connects to a third-party server and sends information from your computer, such as system and network information. It then scans the entire drive searching for files to encrypt. According to researchers, it targets files with the following extensions:
.PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV
CAD Files: .DWG .DXF
GIS Files: .GPX .KML .KMZ
.ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML .DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX .INI .PRF
Encoded Files: .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD .SDF .TAR .TAX2014 .TAX2015 .VCF .XML
Audio Files: .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA
Video Files: .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV
3D: .3DM .3DS .MAX .OBJ
.BMP .DDS .GIF .JPG .CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG
Once it finds the files, it begins to encrypt them using the AES-256 cipher and appends random hexadecimal characters to their names. It also drops the following files: _HELPME_DECRYPT_.png, _HELPME_DECRYPT_.txt, _HELPME_DECRYPT_.hta and _HELPME_DECRYPT_.html.
All of these files have slightly different messages. The .png file will be the image set as wallpaper right after Sad ransomware finishes the encryption. The image file contains the following message:
“!!! IMPORTANT INFORMATION !!! SAD RANSOMWARE YOUR FILES HAVE BEEN ENCRYPTED More information about Bitcoins: https://en.wikipedia.org/wiki/Bitcoin More details can be found in _HELPME_DECRYPT_.txt file which you can find on your desktop. Your Personal ID:”
While the .hta file has the following content:
All of your files(documents, photos, databases,…) have been encrypted with AES 256 bit and a private and unique key generated for this computer.
The private key is stored in our servers and the only way to receive your key to decrypt your files is to pay.
The payment has to be done in Bitcoin to a unique address that we generated for you, Bitcoins are a virtual currency to make online payments.
If you don´t know how to get Bitcoins, you can google: “How to Buy Bitcoins” and follow the instructions.
To recover your files and unlock your computer, you must send 0.3 Bitcoins.
We created an easier way to pay, go on this link
Wait a moment…hxxps://satoshibox.com/vud52e2qj467i53njq7t34ch”
Moreover, the malware also creates a picture.exe file in the Shared folder. According to security experts, Sad ransomware is detected as MSIL.Trojan-Ransom.Sad.A, Ransom.Sad, Ransom.CryptXXX, Ransom_SAD.A and so on. The ransomware also appears to disguise itself as a file named tGVkDTIb.exe.
No matter how desperate you are to get your files back, paying the ransom is not really a solution, as you might only get tricked by these crooks: they tend to ignore their victims once they have received the payment. The best thing you can do is to recover your files using alternative methods, or use any backup copies you have, until a free decryptor becomes available.
How is Sad ransomware distributed?
The malicious file used to install Sad ransomware on your computer may be distributed through spam emails, or it may come bundled with rogue applications downloaded from malicious websites. It can also spread via exploit kits, or be hidden inside a fake Adobe Flash Player update.
Step1. Open the Task Manager simply by tapping Ctrl + Shift + Esc keys on your keyboard.
Step2. Under the Task Manager, go to the Processes tab and look for tGVkDTIb.exe and any suspicious-looking process which takes up most of your CPU’s resources and is most likely related to Sad ransomware.
Step3. After that, close the Task Manager.
Step4. Tap Win + R, type in appwiz.cpl and click OK or tap Enter to open Control Panel’s list of installed programs.
Step5. Under the list of installed programs, look for Burn4Free or Sad ransomware or anything similar and then uninstall it.
Step6. Next, close Control Panel and tap Win + E keys to launch File Explorer.
Step7. Navigate to the following locations and look for Sad ransomware’s malicious components such as _HELPME_DECRYPT_.png, _HELPME_DECRYPT_.txt, _HELPME_DECRYPT_.hta, _HELPME_DECRYPT_.html and tGVkDTIb.exe, as well as other suspicious files, and then delete all of them.
Step8. Close the File Explorer.
Before you proceed to the next steps below, make sure that you are tech savvy enough to know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make there can have a major impact on your computer. To save yourself the trouble and time, you can instead use PC Cleaner Pro, a system tool that is proven to be safe and robust enough that hackers won’t be able to hack into it. But if you can manage the Windows Registry well, then by all means go on to the next steps.
Step9. Tap Win + R to open Run, then type regedit in the field and tap Enter to open the Windows Registry.
Step10. Navigate to the following paths:
- HKEY_CURRENT_USER\Control Panel\Desktop\
- HKEY_USERS\.DEFAULT\Control Panel\Desktop\
Step11. Delete the registry keys and sub-keys created by Sad ransomware.
Step12. Close the Registry Editor and empty your Recycle Bin.
Try to recover your encrypted files using the Shadow Volume copies
Restoring your encrypted files using Windows’ Previous Versions feature will only be effective if Sad ransomware hasn’t deleted the shadow copies of your files. But still, this is one of the best and free methods there is, so it’s definitely worth a shot.
To restore the encrypted file, right-click on it and select Properties, a new window will pop-up, then proceed to Previous Versions. It will load the file’s previous version before it was modified. After it loads, select any of the previous versions displayed on the list like the one in the illustration below. And then click the Restore button.
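The manual checks in the removal steps above (the tGVkDTIb.exe process, the dropped _HELPME_DECRYPT_ files and picture.exe, the wallpaper values under the two Desktop registry paths) and the question of whether shadow copies still exist can be collected in one report. The PowerShell triage script below is an added example, not part of the original article or of any tool it recommends; it only reports and deletes nothing, and it assumes the user profile and C:\Users\Public as the search roots (the article’s “Shared folder” is not named precisely) and that it is run from an elevated prompt, which Win32_ShadowCopy requires.

```powershell
# Added triage script (not from the original article). Reports the indicators the
# article associates with Sad ransomware and checks whether shadow copies survive.
# Assumptions: search roots below; "Shared folder" taken to be C:\Users\Public.
$IndicatorFiles = @('_HELPME_DECRYPT_.png', '_HELPME_DECRYPT_.txt',
                    '_HELPME_DECRYPT_.hta', '_HELPME_DECRYPT_.html',
                    'tGVkDTIb.exe', 'picture.exe')
$SearchRoots   = @($env:USERPROFILE, 'C:\Users\Public')      # assumed locations
$RegistryPaths = @('HKCU:\Control Panel\Desktop',
                   'Registry::HKEY_USERS\.DEFAULT\Control Panel\Desktop')

# 1. Is the process the article names still running?
$proc = Get-Process -Name 'tGVkDTIb' -ErrorAction SilentlyContinue
if ($proc) { Write-Output "RUNNING: tGVkDTIb.exe (PID $($proc.Id -join ','))" }
else       { Write-Output "OK: no tGVkDTIb.exe process found" }

# 2. Dropped ransom notes and executables under the search roots.
$found = foreach ($root in $SearchRoots) {
    if (Test-Path $root) {
        Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $IndicatorFiles -contains $_.Name }
    }
}
if ($found) { $found | ForEach-Object { Write-Output "FOUND: $($_.FullName)" } }
else        { Write-Output "OK: none of the dropped files were found" }

# 3. Wallpaper value under the Desktop keys the article tells you to inspect;
#    the ransomware sets it to the _HELPME_DECRYPT_.png note.
foreach ($path in $RegistryPaths) {
    $wp = (Get-ItemProperty -Path $path -Name Wallpaper -ErrorAction SilentlyContinue).Wallpaper
    if ($wp -like '*_HELPME_DECRYPT_*') { Write-Output "SUSPICIOUS: $path Wallpaper = $wp" }
    else                                { Write-Output "OK: $path Wallpaper = $wp" }
}

# 4. Previous Versions only works while shadow copies still exist (needs admin).
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
Write-Output ("Shadow copies present: {0}" -f $shadows.Count)
if ($shadows.Count -eq 0) {
    Write-Output "No shadow copies: Previous Versions will not help, restore from backup."
}
```

Run it before touching anything so you have a record of what was present; a hit in section 4 with a non-zero count is the signal that the Previous Versions method described above is worth trying.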
To make sure that nothing is left behind and that Sad ransomware is completely removed, use the following antivirus program. To use it, refer to the instructions below.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it’s already on, you have to reboot it.
- After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeatedly press F8 so that the Advanced Options menu shows up.
- To navigate the Advanced Options menu, use the arrow keys, select Safe Mode with Networking and then hit Enter.
- Windows will now load Safe Mode with Networking.
- Press and hold both the R key and the Windows key.
- If done correctly, the Windows Run box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro (there must be a single space between explorer and http) and click OK.
- A dialog box will be displayed by Internet Explorer. Click Run to begin downloading the program. Installation will start automatically once the download is done.
- Click OK to launch it.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.