Remove Sanction Ransomware and Restore .Sanction Encrypted Files

Update! Apparently, a new variant of this ransomware has been spotted in the wild. The new variant bears the name of Rush ransomware and encrypts files with a .crashed extension. For more detailed information, take a closer look at the article about Rush ransomware.

There is a ransomware called Sanction. Its name comes from the .Sanction extension it attaches to encrypted files. For encryption, the ransomware uses an RSA 256-bit algorithm. The ransom note asks for payment of 3 Bitcoins within the first 72 hours after encryption.

To remove the ransomware and see how to try restoring your files, you should read the article.

Threat Summary

Name: Sanction
Type: Ransomware
Short Description: The ransomware encrypts files with a 256-bit RSA algorithm and demands a ransom for decryption.
Symptoms: Files get encrypted and become inaccessible. A ransom message with instructions for paying the ransom is in a file that appears on your desktop.
Distribution Method: Spam Emails, Email Attachments, File Sharing Networks

Sanction Ransomware – Delivery

Sanction ransomware can be delivered in various ways. One is via spam emails that carry a malicious file as an attachment. If that attachment is opened, it automatically injects malware into your PC. Malicious code can also hide in the text of the email itself. That means you can be infected just by opening the email, regardless of whether you opened the attachment. Exploit kits are not used to distribute this variant of the ransomware.

Other delivery channels for this ransomware are social networks and file sharing services, which may contain malicious attachments and files related to the Sanction ransomware. The files can be presented to you as something you need or something useful. Visiting untrusted websites and clicking suspicious links can lead to an infection from this malware as well. If a file is downloaded to your PC, know that your computer might be compromised and remotely accessed by a Trojan horse.

Sanction Ransomware – Technical Information

Researchers classify the Sanction malware as ransomware. When your computer is infected, an executable or a type of batch file is created, and the ransomware may add new entries to the Windows Registry for persistence.

The executable's name is generated at random and can differ from one computer to another. The Windows Registry modifications are usually made in the following entries:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

and

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\

Unfortunately, that can make the ransomware load automatically with each start of the Windows operating system.
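A check for the two persistence locations named above, added here as an example and not taken from the original article: it parses the text output of `reg query` for both keys and flags a Winlogon Shell value that is not the default explorer.exe, plus Run entries that start a script or a file in a user-writable path. The sample output, value names and paths are constructed, and the "suspicious path" patterns are assumptions to tune for your environment.

```python
import re

# Keys named in the article, written with backslashes as reg.exe prints them.
WINLOGON = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Heuristics (assumptions): script launchers or user-writable paths in an autorun.
SUSPICIOUS = re.compile(r"\.(bat|cmd)\b|\\appdata\\|\\temp\\|%temp%|%appdata%", re.I)

# Constructed sample of `reg query` output; names and paths are made up.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe,C:\Users\alice\AppData\Roaming\qzkxw.exe
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    updater    REG_SZ    C:\Users\alice\AppData\Local\Temp\run.bat
"""

def parse_reg_query(text):
    """Yield (key, value_name, data) from `reg query` text output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and line.startswith("    "):
            parts = re.split(r" {4}", line.strip(), maxsplit=2)
            if len(parts) == 3:
                yield key, parts[0], parts[2]

def audit(text):
    """Return (key, name, data, reason) for autoruns that need a closer look."""
    findings = []
    for key, name, data in parse_reg_query(text):
        if key.lower() == WINLOGON.lower() and name.lower() == "shell":
            if data.strip().lower() != "explorer.exe":
                findings.append((key, name, data, "Winlogon Shell is not the default explorer.exe"))
        elif key.lower() == RUN.lower() and SUSPICIOUS.search(data):
            findings.append((key, name, data, "Run entry starts a script or a file in a user-writable path"))
    return findings

if __name__ == "__main__":
    for key, name, data, reason in audit(SAMPLE):
        print(f"{reason}: {key}\\{name} = {data}")
```

On a live system, feed `audit()` the saved output of `reg query` for each of the two keys instead of `SAMPLE`.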

Afterward, the ransomware creates a file with a name similar to HOW_TO_DECRYPT.HTML, which contains the ransom message.

The instructions in it on how to pay the ransom are always the same:

Your unique GUID for decrypt: j43as8fk-29gp-61da-3671-h03c83472r74
Send me some 3 bitcoin on adress: 1HTeqoW6HKPxxn5y7HrjeQNaLJTa7LxKC
After confirming the payment, all your files can be decrypted.
If you do not make payment within 3 days, you will lose the ability to decrypt them.
Make your Bitcoin Wallet on: https://www.coinbase.com/ or http://blockchain.info
How to buy /sell and send Bitcoin :
1)https://support.coinbase.com/customer/en/portal/topics/796531-payment-method-verification/articles
2)https://support.coinbase.com/customer/en/portal/topics/601090-buying-selling-bitcoin/articles
3)https://support.coinbase.com/customer/en/portal/topics/601112-sending-receiving-bitcoin/articles

After the payment, enter the wallet from which paid, and email, in which contact you.
After receiving the payment, we will contact you.

You are asked to pay 3 Bitcoins within 3 days. At the time of writing this article, that amounts to 1248 US dollars.

Contacting the ransomware makers with the intention of paying the ransom money is NOT advised. Absolutely no guarantee exists that you will have your files unlocked and restored. Paying ransomware creators is also considered the same as supporting their criminal activity. That could encourage them to make an even tougher version of the malware.

The Sanction ransomware searches your disk drives for files to encrypt. Files that can be encrypted have these extensions:

.odc, .odm, .odp, .ods, .odt, .txt, .pdf, .psd, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .jpeg, .jpg, .png, .bmp, .csv, .sql, .mdb, .sln, .asp, .aspx, .html, .xml, .php

After the encryption process is complete, encrypted files have the .Sanction extension. The encryption method used is suspected to be RSA-256 bit. Researcher Fabian Wosar of Emsisoft has found that the cyber-criminals used the Hidden Tear project as a foundation for their ransomware.

For now, it is not known whether Shadow Volume Copies are deleted from Windows. After removing the ransomware, you should check the fourth part of the instructions provided below, which contains a few ways you could try to restore your files.
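To scope the damage before attempting any restore, the read-only triage below (an added example, not part of the original article) walks a folder tree, counts .Sanction files by their original extension, locates ransom notes, and lists files with a targeted extension that are still unencrypted. It assumes the .Sanction marker is appended to the full original file name (for example report.docx.Sanction) and that the note is named exactly HOW_TO_DECRYPT.HTML.

```python
import os
import sys
from collections import Counter

# Extensions the article lists as targeted (the bare "sln" is read as ".sln").
TARGETED = {".odc", ".odm", ".odp", ".ods", ".odt", ".txt", ".pdf", ".psd", ".doc",
            ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".jpeg", ".jpg", ".png",
            ".bmp", ".csv", ".sql", ".mdb", ".sln", ".asp", ".aspx", ".html",
            ".xml", ".php"}
ENCRYPTED_EXT = ".sanction"
NOTE_NAME = "how_to_decrypt.html"  # article: "a name similar to HOW_TO_DECRYPT.HTML"

def triage(root):
    """Walk root and summarise encryption damage without modifying anything."""
    report = {"encrypted": Counter(), "notes": [], "untouched": []}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            stem, ext = os.path.splitext(name)
            if ext.lower() == ENCRYPTED_EXT:
                # Assumption: the marker is appended, e.g. report.docx.Sanction
                original = os.path.splitext(stem)[1].lower() or "(none)"
                report["encrypted"][original] += 1
            elif name.lower() == NOTE_NAME:
                # Checked before TARGETED because the note itself ends in .html
                report["notes"].append(path)
            elif ext.lower() in TARGETED:
                report["untouched"].append(path)
    return report

if __name__ == "__main__":
    result = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("Encrypted files by original extension:")
    for ext, count in result["encrypted"].most_common():
        print(f"  {ext}: {count}")
    print(f"Ransom notes found: {len(result['notes'])}")
    print(f"Targeted files still unencrypted: {len(result['untouched'])}")
```

Files reported as untouched are the ones to copy to offline storage first, since the article notes the ransomware can go on to lock the rest.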

Remove Sanction Ransomware and Restore .Sanction Encrypted Files

If you were infected by the Sanction ransomware, you should have a little bit of experience in removing malware. The ransomware can lock all of your files if you don’t act fast. So it is highly recommended that you are quick and follow the step-by-step instructions given below.

Manually delete Sanction from your computer

Note! Important notification about the Sanction threat: Manual removal of Sanction requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Sanction files and objects.
2. Find malicious files created by Sanction on your PC.
3. Fix registry entries created by Sanction on your PC.

Automatically remove Sanction by downloading an advanced anti-malware program

1. Remove Sanction with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by Sanction in the future
3. Restore files encrypted by Sanction
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.
