.Sad File Virus Remove and Restore Data

This article provides information and instructions on how to remove SADStory ransomware and how to attempt to decrypt .sad encrypted files.

A new ransomware written in Python has been reported to encrypt the files on the computers it infects and to append the .sad file extension to them. The files cannot be opened once encryption completes, and the virus leaves behind a ransom note named SADStory_README_FOR_DECRYPT.txt that demands payment within 96 hours; if the ransom is not paid, the cyber-criminals threaten to destroy any possibility of decryption. If you have become a victim of the .sad ransomware, we recommend reading the following article to remove it and to attempt to restore the files it encrypted.

Threat Summary

Name: SADStory
Type: Ransomware
Short Description: The malware encrypts the user's files with a strong encryption algorithm, so that direct decryption is possible only with the unique decryption key held by the cyber-criminals.
Symptoms: A ransom note with "instructions", named SADStory_README_FOR_DECRYPT.txt, directs the victim to contact the cyber-criminals. Encrypted files are renamed and carry the .sad file extension.
Distribution Method: Via an exploit kit, a malicious DLL, malicious JavaScript, or a drive-by download of the obfuscated malware itself.

.Sad Ransomware Virus – How Does It Infect

For the infection process of this ransomware to succeed, the cyber-criminals behind it may use more than one distribution technique. One is to use a database of e-mail addresses to send mass spam messages to victims, typically through a spam bot that controls the sender accounts.

The e-mails distributing SADStory ransomware aim to convince the victim to open a malicious attachment or to click a web link. To do this they rely on pretexts that create a sense of urgency: the spammers may claim that a purchase has been made in your name, and they may address you by the name associated with your e-mail account to increase trust and the likelihood that you open the attachment. The attachments usually pose as invoices, account activity statements or confirmation letters.

Besides this form of spam, there may be several other methods by which the .sad file virus may cause an infection:

  • Via fake installers uploaded to shady websites.
  • Via corrupted game patches or cracks uploaded from hacked accounts on legitimate torrent websites.
  • Via malicious browser redirects caused by PUAs (Potentially Unwanted Applications) installed on the victim's PC without clear consent.

Whatever the case, once the victim opens the malicious object, the dropper may run in an obfuscated form to avoid detection. Shortly afterwards, a connection may be made to one or more of the following hosts:

  • wayofwines.com/ReadMe.php
  • www.lilywho.ie
  • ow.ly/{customURL}

After this, the payload of the .sad file virus may be downloaded on the computer of the user. The payload consists of the following files:

  • mw.exe located in the %TEMP% directory
  • {random name}.pdf.exe
  • ReadMe-how_to_get_free_office365-{uniqueID}.pdf.exe
  • _SAD STORY FILES_

The dropped files may be located in multiple Windows directories such as:

  • %AppData%
  • %Local%
  • %Temp%
  • %Roaming%
  • %LocalLow%
  • %Documents%

.Sad File Virus – Infection Activity

After infecting the computer, the SADStory ransomware may begin by terminating certain system processes. It may then run commands in the Windows Command Prompt that remove the victim's built-in recovery options so that encryption can proceed uninterrupted: vssadmin deletes all Volume Shadow Copies (the basis of "Previous Versions" and System Restore), and the two bcdedit commands disable the Windows Recovery Environment and suppress the automatic repair prompt after a failed boot. The commands are usually:

→ process call create "cmd.exe /c
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
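The commands above are the most reliable pre-encryption indicator this family leaves in process telemetry, because legitimate software almost never chains them. The following is an added detection example, not code from the article or from the malware: it classifies process command lines against the three commands shown, plus the common equivalents `wmic shadowcopy delete` and `wbadmin delete catalog`, which go beyond what this page lists. The `pid=... image=... cmd=...` record layout and the sample log are constructed for the demonstration; in practice the command lines would come from Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing enabled.

```python
"""Flag Windows process-creation records whose command line destroys recovery
options the way SADStory does (vssadmin / bcdedit).  Added example, not code
from the article or the malware.  The log format parsed here is constructed."""
import re

# (tag, pattern).  Case-insensitive, tolerant of an optional .exe suffix and of
# the {default} boot entry being present or omitted.  The wmic and wbadmin
# rules are common equivalents that go beyond the three commands on this page.
RULES = [
    ("shadow_copy_delete",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_delete",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("recovery_disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+(?:\{default\}\s+)?recoveryenabled\s+no\b", re.I)),
    ("boot_failure_ignored",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+(?:\{default\}\s+)?bootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("backup_catalog_delete",
     re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I)),
]

# Constructed record layout: 'pid=<n> image=<path> cmd=<command line>', one per line.
RECORD = re.compile(r"^pid=(\d+)\s+image=(\S+)\s+cmd=(.*)$")


def classify_cmdline(cmdline: str) -> set:
    """Return every tamper tag matched anywhere in one command line.  A single
    'cmd.exe /c a & b & c' launch, as in the page's example, yields all of its
    tags at once."""
    return {tag for tag, rx in RULES if rx.search(cmdline)}


def parse_log(text: str):
    """Yield one dict per well-formed record; malformed lines are skipped."""
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            yield {"pid": int(m.group(1)), "image": m.group(2), "cmd": m.group(3)}


def triage(text: str) -> list:
    """Return alerts for records that match at least one rule.  Two or more
    distinct tags in one record reproduce the SADStory pre-encryption sequence
    (shadow copies gone and recovery disabled) and are rated critical; a lone
    tag is rated high, since administrators do occasionally run these by hand."""
    alerts = []
    for rec in parse_log(text):
        tags = classify_cmdline(rec["cmd"])
        if not tags:
            continue
        alerts.append({
            "pid": rec["pid"],
            "image": rec["image"],
            "tags": sorted(tags),
            "severity": "critical" if len(tags) >= 2 else "high",
        })
    return alerts


# Constructed sample log: a benign service, the dropper named on this page
# (mw.exe in %TEMP%), the chained recovery-tampering launch, a harmless
# vssadmin query, and a lone wbadmin catalog deletion.
SAMPLE_LOG = r"""
pid=4120 image=C:\Windows\System32\svchost.exe cmd=svchost.exe -k netsvcs
pid=5588 image=C:\Users\victim\AppData\Local\Temp\mw.exe cmd=mw.exe
pid=5602 image=C:\Windows\System32\cmd.exe cmd=cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
pid=6010 image=C:\Windows\System32\vssadmin.exe cmd=VSSADMIN list shadows
pid=6222 image=C:\Windows\System32\wbadmin.exe cmd=wbadmin delete catalog -quiet
"""

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(f"[{alert['severity']}] pid {alert['pid']} {alert['image']}: {', '.join(alert['tags'])}")
```

Note that `vssadmin list shadows` is deliberately not matched: the point is to alert on deletion, not on every use of the tool, and matching on the full verb avoids drowning the alert in administrative noise.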

In addition to changing settings from the Command Prompt, the virus may add registry values with custom data under several Windows Registry sub-keys. The Run and RunOnce keys make the malware start together with Windows; the Control Panel\Desktop keys hold the desktop wallpaper setting. Among the targeted sub-keys may be the following:

→ HKEY_CURRENT_USER\Control Panel\Desktop\
HKEY_USERS\.DEFAULT\Control Panel\Desktop\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
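The Run and RunOnce values are where a responder can confirm persistence, and where the dropped file names listed earlier on this page (mw.exe in %TEMP%, the .pdf.exe double extensions under %AppData%) become a concrete test. The following is an added triage example, not code from the article: it scores autostart entries given as (key, value name, command data) tuples. On a live Windows host those tuples can be read with the standard-library winreg module or with `reg query`; the entries below are constructed so the script runs anywhere, and the uniqueID in the office365 file name is a made-up placeholder.

```python
"""Triage Run / RunOnce autostart entries for the persistence pattern described
on this page.  Added example, not code from the article.  Entries are
(key, value name, command data) tuples; the ones below are constructed."""
import ntpath
import re

# Locations a user can write to without elevation.  Legitimate software (OneDrive,
# Teams, updaters) also lives here, so this alone only earns a 'review' verdict.
USER_WRITABLE = re.compile(
    r"\\AppData\\(?:Local|LocalLow|Roaming)\\|\\Temp\\|%TEMP%|%APPDATA%|%LOCALAPPDATA%",
    re.I,
)
# A document extension immediately followed by an executable one ('.pdf.exe'),
# as in the dropped file names listed on this page.
DOUBLE_EXT = re.compile(r"\.(?:pdf|doc|docx|xls|xlsx|jpg|png|txt)\.(?:exe|scr|com|pif|bat|js|vbs)$", re.I)
# File names the page attributes to the SADStory payload.
KNOWN_NAMES = re.compile(r"^(?:mw\.exe|ReadMe-how_to_get_free_office365-.*\.pdf\.exe)$", re.I)


def executable_of(command: str) -> str:
    """Return the program path from Run-key data, which may be quoted and may
    carry arguments, e.g. '"C:\\Program Files\\App\\app.exe" /flag'."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def assess_entry(key: str, name: str, data: str) -> dict:
    """Score one autostart entry: 0 = benign, 1 = review, 2 or more = suspicious."""
    exe = executable_of(data)
    base = ntpath.basename(exe)
    score, reasons = 0, []
    if USER_WRITABLE.search(exe):
        score += 1
        reasons.append("runs from a user-writable location")
    if DOUBLE_EXT.search(base):
        score += 2
        reasons.append("double extension disguises an executable as a document")
    if KNOWN_NAMES.match(base):
        score += 3
        reasons.append("file name matches the SADStory payload")
    verdict = "benign" if score == 0 else "review" if score == 1 else "suspicious"
    return {"key": key, "name": name, "exe": exe, "score": score,
            "verdict": verdict, "reasons": reasons}


def triage_autostart(entries) -> list:
    """Return the non-benign entries, most suspicious first."""
    results = [assess_entry(*e) for e in entries]
    return sorted((r for r in results if r["score"] > 0),
                  key=lambda r: r["score"], reverse=True)


HKLM_RUN = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
HKCU_RUN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
HKCU_RUNONCE = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce"

# Constructed entries: two legitimate ones (the second deliberately lives in
# AppData\Local) and two modelled on the payload names listed on this page.
SAMPLE_ENTRIES = [
    (HKLM_RUN, "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    (HKCU_RUN, "OneDrive", r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (HKCU_RUN, "mw", r'"C:\Users\victim\AppData\Local\Temp\mw.exe"'),
    (HKCU_RUNONCE, "office365", r"C:\Users\victim\AppData\Roaming\ReadMe-how_to_get_free_office365-7f3a1c.pdf.exe"),
]

if __name__ == "__main__":
    for r in triage_autostart(SAMPLE_ENTRIES):
        print(f"{r['verdict']:10} {r['name']:15} {r['exe']}  ({'; '.join(r['reasons'])})")
```

The graded verdict matters: a path under AppData is a weak signal on its own (OneDrive lands in "review" here, which is the correct outcome), while a double extension or a name matching the payload is what pushes an entry to "suspicious".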

After this, the virus may also drop its ransom note in the Windows %Startup% directory so that it opens automatically at every logon. The note is named SADStory_README_FOR_DECRYPT.txt and has the following content:

Interestingly, the contact e-mail address in the note is the same one used by the previously released Mireware and KimcilWare ransomware.

SADStory Ransomware – Encryption Process

For the encryption process, the .sad file virus may force a system restart by displaying a fake error message. After the restart, it applies one or more encryption algorithms in a pre-configured mode. It usually targets widely used file types such as:

  • Documents.
  • Images.
  • Videos.
  • Audio files.
  • Database files.

Among the file types encrypted by the .Sad ransomware virus may be the following:

.PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV
CAD files: .DWG .DXF
GIS files: .GPX .KML .KMZ
.ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML .DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX .INI .PRF
Encoded files: .HQX .MIM .UUE
.7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD .SDF .TAR .TAX2014 .TAX2015 .VCF .XML
Audio files: .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA
Video files: .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV
3D files: .3DM .3DS .MAX .OBJ
.BMP .DDS .GIF .JPG .CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG
(Source: fileinfo.com)

During encryption, the original bytes of each file are overwritten with ciphertext, so the file can no longer be opened by its application. A file extension distinctive to the SADStory virus, .sad, is also appended to every encrypted file. They may look like the example image below:

The virus may then connect to a remote host and send the unique key needed for decryption to the cyber-criminals behind it. It may also remain active on the infected computer and delete a random file every 6 hours.
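Before treating every .sad file as lost, it is worth confirming that its contents really were overwritten and not merely renamed; ransomware that crashes or is interrupted part-way can leave files with the new extension but the original bytes intact. The following is an added check, not code from the article: it looks at the leading bytes of a file, first for a surviving format header (a renamed file) and then at the Shannon entropy, since overwritten ciphertext has a near-uniform byte distribution. The samples are constructed, and the stand-in "ciphertext" is a SHA-256 chain, because the article does not reproduce real SADStory output.

```python
"""Check whether a .sad file's contents are really ciphertext before treating
the data as lost.  Added example, not code from the article.  A surviving
format header means the file was only renamed; otherwise near-uniform byte
distribution (Shannon entropy close to 8 bits/byte) is what overwritten
ciphertext looks like.  All samples below are constructed."""
import hashlib
import math
from collections import Counter

# Leading magic bytes of formats commonly hit by ransomware.  Zip-based Office
# files, PNG and JPEG are themselves compressed and high-entropy, which is why
# the header check must run before the entropy check.
KNOWN_MAGIC = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip / Office Open XML",
    b"\xd0\xcf\x11\xe0": "OLE / legacy Office",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
    b"MZ": "PE executable",
    b"Rar!": "rar",
    b"\x1f\x8b": "gzip",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, up to 8.0 for a uniform distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def known_format(data: bytes):
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def looks_encrypted(data: bytes, sample: int = 4096, threshold: float = 7.2):
    """Return (verdict, detail) for the leading bytes of a file:
    'intact'       a recognisable header survives (renamed, not encrypted)
    'inconclusive' fewer than 64 bytes, too little to judge
    'encrypted'    no header and entropy at or above the threshold
    'plaintext'    no header and low entropy (text, sparse binary)"""
    head = data[:sample]
    fmt = known_format(head)
    if fmt:
        return "intact", fmt
    if len(head) < 64:
        return "inconclusive", len(head)
    ent = round(shannon_entropy(head), 2)
    return ("encrypted" if ent >= threshold else "plaintext"), ent


def classify_file(path: str, sample: int = 4096):
    """Wrapper for a real file on disk: reads only the sample window."""
    with open(path, "rb") as f:
        return looks_encrypted(f.read(sample), sample)


def pseudo_ciphertext(n: int, seed: bytes = b"sadstory-demo") -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed samples: a genuinely overwritten file, a file that was only renamed
# (its PDF header survives), a low-entropy text file, and a stub too short to judge.
SAMPLES = {
    "report.docx.sad": pseudo_ciphertext(4096),
    "renamed_only.pdf.sad": b"%PDF-1.7\n% header intact\n" + b"x" * 2000,
    "notes.txt.sad": b"quarterly notes\n" * 200,
    "tiny.sad": b"\x01\x02\x03",
}


def classify_samples(samples=SAMPLES) -> dict:
    return {name: looks_encrypted(data)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:22} {looks_encrypted(data)}")
```

A file rated "intact" can simply be renamed back; a file rated "encrypted" should be preserved as-is for a possible future decryptor, and the threshold is deliberately conservative so that compressed data without a recognisable header errs towards "encrypted" rather than being written off as plaintext.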

Remove SADStory Ransomware and Restore .sad Encrypted Files

Before removing SADStory ransomware, the first thing we advise is to back up the encrypted files immediately after the infection is discovered, primarily because the virus deletes a file every 6 hours.
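Because the malware keeps deleting files while it is alive, the backup has to be quick, must copy rather than move (a later decryptor needs the ciphertext untouched), and should be resumable. The following is an added example, not code from the article: it copies every .sad file and every SADStory_README_FOR_DECRYPT.txt into a backup tree with the same relative layout and writes a SHA-256 manifest, skipping files already backed up so it can be re-run after an interruption. The sample victim tree built by `build_sample_tree` is constructed, with placeholder bytes rather than real ciphertext, and the `name.ext.sad` naming is an assumption based on the page's statement that the extension is appended.

```python
"""Preserve SADStory-encrypted files and ransom notes before any cleanup.
Added example, not code from the article.  Copies (never moves) every *.sad
file and every SADStory_README_FOR_DECRYPT.txt into a backup tree with the same
relative layout and records a SHA-256 manifest.  Run it from clean media
against the victim volume; demo() exercises it on a constructed temp tree."""
import hashlib
import json
import os
import shutil
import tempfile

ENCRYPTED_EXT = ".sad"
RANSOM_NOTE = "SADStory_README_FOR_DECRYPT.txt"
MANIFEST = "manifest.json"


def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def wants_backup(name: str) -> bool:
    return name.lower().endswith(ENCRYPTED_EXT) or name == RANSOM_NOTE


def backup_encrypted(src_root: str, dst_root: str) -> dict:
    """Copy matching files from src_root into dst_root (relative paths kept,
    recorded with forward slashes) and return {'copied', 'skipped', 'total'}.
    Re-running is idempotent: a file whose backup already exists with the same
    hash is skipped, so the job can be resumed after an interruption."""
    src_root, dst_root = os.path.abspath(src_root), os.path.abspath(dst_root)
    os.makedirs(dst_root, exist_ok=True)
    manifest_path = os.path.join(dst_root, MANIFEST)
    manifest = {}
    if os.path.exists(manifest_path):
        with open(manifest_path) as f:
            manifest = json.load(f)
    copied = skipped = 0
    for dirpath, dirnames, filenames in os.walk(src_root):
        # Do not descend into the backup tree if it was placed inside src_root.
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) != dst_root]
        for name in filenames:
            if not wants_backup(name):
                continue
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, src_root).replace(os.sep, "/")
            dst = os.path.join(dst_root, *rel.split("/"))
            digest = sha256_of(src)
            if manifest.get(rel) == digest and os.path.exists(dst):
                skipped += 1
                continue
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)  # copy2 keeps timestamps for the incident timeline
            manifest[rel] = digest
            copied += 1
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return {"copied": copied, "skipped": skipped, "total": len(manifest)}


def build_sample_tree(root: str) -> str:
    """Constructed victim layout; contents are placeholders, not real SADStory
    ciphertext or the real ransom note."""
    files = {
        "Documents/budget.xlsx.sad": bytes(range(256)) * 4,
        "Documents/" + RANSOM_NOTE: b"ransom note placeholder\n",
        "Pictures/holiday.jpg.sad": bytes(reversed(range(256))) * 2,
        "Pictures/readme.txt": b"not encrypted, not backed up\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


def demo():
    """Back up the constructed tree twice and return (first_run, second_run,
    manifest_keys) so the idempotent behaviour can be checked."""
    with tempfile.TemporaryDirectory() as tmp:
        victim = build_sample_tree(os.path.join(tmp, "victim"))
        backup = os.path.join(tmp, "backup")
        first = backup_encrypted(victim, backup)
        second = backup_encrypted(victim, backup)
        with open(os.path.join(backup, MANIFEST)) as f:
            keys = sorted(json.load(f))
    return first, second, keys


if __name__ == "__main__":
    print(demo())
```

Write the backup to a drive the infected system was not using, and keep the manifest with it: the hashes let you prove later that the ciphertext handed to a decryptor is exactly what was on disk at the time.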

Then, to remove the .sad file virus, follow the removal instructions below this article. They are designed to help you isolate and delete the files belonging to this virus in a methodical order. If you have no experience with manual removal, malware researchers strongly advise using an advanced anti-malware program, which will handle the removal automatically and protect the computer in the future as well.

After removing the .sad file ransomware, consider your alternatives for getting the files back without paying the ransom. Several recovery methods are suggested in step "2. Restore files encrypted by SADStory" below. They may not be 100 percent effective, but they might help recover some encrypted files. We also advise following this web page, because we will update it as soon as malware researchers make a breakthrough on free decryption.

Manually delete SADStory from your computer

Note! Manual removal of SADStory requires interfering with system files and the registry, and can damage your PC if done incorrectly. Even if your computer skills are not at a professional level, don't worry: you can perform the removal yourself in about 5 minutes using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove SADStory files and objects
2. Find malicious files created by SADStory on your PC

Automatically remove SADStory by downloading an advanced anti-malware program

1. Remove SADStory with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by SADStory
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with a passion for discovering new shifts and innovations in cyber security. Strong believer in basic online-safety education for every user.
