Remove Sanction Ransomware and Restore .Sanction Encrypted Files - How to, Technology and PC Security Forum |

Remove Sanction Ransomware and Restore .Sanction Encrypted Files

Update! Apparently, a new variant of this ransomware has been spotted in the wild. The new variant bears the name of Rush ransomware and encrypts files with a .crashed extension. For more detailed information, take a closer look at the article about Rush ransomware.

There is a SensorsTechForum-sanction-ransomware-ransom-message-note ransomware called Sanction. Its name comes from the extension .Sanction it attaches to encrypted files. For encryption, the ransomware uses an RSA-256 bit algorithm. The ransom asks payment of 3 Bitcoins within the first 72 hours after encryption.

To remove the ransomware and see how to try restoring your files, you should read the article.

Threat Summary

Short DescriptionThe ransomware encrypts files with 256 bit RSA algorithm and demands a ransom for decryption.
SymptomsFiles get encrypted and become inaccessible. A ransom message with instructions for paying the ransom is in a file that appears on your desktop.
Distribution MethodSpam Emails, Email Attachments, File Sharing Networks
Detection Tool See If Your System Has Been Affected by Sanction


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Sanction.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Sanction Ransomware – Delivery

Sanction ransomware can be delivered various ways. One is via spam emails which contain an attachment with a malicious file. If that attachment is opened, it will automatically inject malware inside your PC. Malicious code can also hide in the text of the email itself. That signifies that you can be infected only from opening the email, regardless if you opened the attachment. Exploit kits are not used to distribute this variant of the ransomware.

Other ways of delivery for this ransomware are social networks and file sharing services, which may contain malicious attachments and files related to the Sanction ransomware. The files can be introduced to you as ones you need or something useful. Visiting untrusted websites and clicking links that are suspicious can lead to an infection from this malware as well. If a file is downloaded to your PC, know that your computer might be compromised and remotely accessed from a Trojan horse.

Sanction Ransomware – Technical Information

The Sanction malware is classified by researchers as a ransomware. When your computer is infected an executable or type of batch file is created, and the ransomware could make new entries in the Windows Registry for endurance.

The executable can have a different name on different computers and be generated at random. Modifications in the Windows Registry are usually created in the following registry entries:




Unfortunately, that can make the ransomware load automatically with each start of the Windows operating system.

Afterward, the ransomware creates a file with a name, similar to HOW_TO_DECRYPT.HTML which has the ransom message inside. Here you can view how that file looks:


The instructions in it of how the ransom can be paid are always the same:

Your unique GUID for decrypt: j43as8fk-29gp-61da-3671-h03c83472r74
Send me some 3 bitcoin on adress: 1HTeqoW6HKPxxn5y7HrjeQNaLJTa7LxKC
After confirming the payment, all your files can be decrypted.
If you do not make payment within 3 days, you will lose the ability to decrypt them.
Make your Bitcoin Wallet on: or
How to buy /sell and send Bitcoin :

After the payment, enter the wallet from which paid, and email, in which contact you.
After receiving the payment, we will contact you.

You are asked to pay 3 Bitcoins within 3 days. When writing this article, that amounts to 1248 US dollars.

Contacting the ransomware makers with the intention of paying the ransom money is NOT advised. Absolutely no guarantee exists that you will have your files unlocked and restored. Paying ransomware creators is also considered the same as supporting their criminal activity. That could encourage them to make an even tougher version of the malware.

The Sanction ransomware searches files for encryption with files found on your Disk drives. Files that can be encrypted have these extensions:

→.odc, .odm, .odp, .ods, .odt, .txt, .pdf, .psd, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .jpeg, .jpg, .png, .bmp, .csv, .sql, .mdb, sln, .asp, .aspx, .html, .xml, .php

After the encryption process is complete, encrypted files have the .Sanction extension. The encryption method used is suspected to be RSA-256 bit. Researcher Fabian Wosar of EMSIsoft has found that the cyber-criminals used the Hidden Tear’s project as a foundation for their ransomware.

For now, it is not known if Shadow Volume Copies are deleted from Windows. After the removal of the ransomware, you should check the fourth part of the instructions provided below, containing a few ways for restoring your files you could try.

Remove Sanction Ransomware and Restore .Sanction Encrypted Files

If you were infected by the Sanction ransomware, you should have a little bit of experience in removing malware. The ransomware can lock all of your files if you don’t act fast. So it is highly recommended that you are quick and follow the step-by-step instructions given below.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share