.Sad File Virus Remove and Restore Data - How to, Technology and PC Security Forum | SensorsTechForum.com

.Sad File Virus Remove and Restore Data

Article created to assist with information and instructions on how to remove SADStory ransomware and try to decrypt .sad encrypted files.

A new ransomware written in Python has been reported to encrypt the files on the computers infected by it and then leave them with the .sad file extension. The files cannot be opened after encryption is complete and the virus leaves behind a SADStory_README_FOR_DECRYPT.txt file which is a ransom note with instructions, extorting users to pay a ransom fee in 96 hours. If a ransom is not paid, the cyber-criminals threaten to destroy any decryption possibility. If you have become a victim of the .sad ransomware virus, we recommend reading the following article to remove it and restore files encrypted by this virus.

Threat Summary



Short Description: The malware encrypts users' files using a strong encryption algorithm, so that direct decryption is possible only with a unique decryption key held by the cyber-criminals.
Symptoms: The user may see ransom notes and "instructions" in a file called SADStory_README_FOR_DECRYPT.txt, which direct the victim to contact the cyber-criminals. File names are changed and the .sad file extension is appended.
Distribution Method: Via an exploit kit, DLL file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated form.

.Sad Ransomware Virus – How Does It Infect

For the infection process of this ransomware to succeed, the cyber-criminals behind it may use more than one distribution technique. One technique the creators of the virus might use is a database of fake e-mail addresses from which massive spam campaigns are sent to victims. These messages may be sent out automatically by a spam bot that controls the sender accounts.

The e-mails distributing SADStory ransomware may aim to convince the victims to open a malicious e-mail attachment or click on a web link. To achieve this, the messages may contain several convincing statements designed to create a sense of urgency. The spammers may claim that a purchase has been made in your name, and they may even use the name of your e-mail account to further increase trust and the likelihood of you opening the attachment. The attachments usually pretend to be invoices, account activity documents or confirmation letters.

Besides this form of spam, there may be several other methods by which the .sad file virus may cause an infection:

  • Via fake installers uploaded on shady websites.
  • If corrupted game patches or cracks are uploaded from hacked torrent accounts on legitimate torrent websites.
  • By malicious browser redirects caused by PUAs (Potentially Unwanted Applications) installed suspiciously on the victim's PC.

Whatever the case may be, once a victim clicks on a malicious infection object, the virus may be activated in an obfuscated mode, without being detected. Then, shortly after, a connection may be made to one or more of the following hosts:

  • wayofwines.com/ReadMe.php
  • www.lilywho.ie
  • ow.ly/{customURL}

After this, the payload of the .sad file virus may be downloaded on the computer of the user. The payload consists of the following files:

  • mw.exe located in the %TEMP% directory
  • {random name}.pdf.exe
  • ReadMe-how_to_get_free_office365-{uniqueID}.pdf.exe

The dropped files may be located in multiple Windows directories such as:

  • %AppData%
  • %Local%
  • %Temp%
  • %Roaming%
  • %LocalLow%
  • %Documents%

.Sad File Virus – Infection Activity

After infecting the computer, the SADStory ransomware may begin to shut down certain system processes on the infected machine. Then, the virus may also run some commands in the Windows Command Prompt. These commands may change certain settings on the infected machine, allowing file encryption to proceed uninterrupted. Some of those commands usually are:

→ process call create "cmd.exe /c
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
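As an added defender-side example (not code from the original article or from the malware), the following Python scanner flags the recovery-inhibiting commands listed above, together with the .sad extension and the SADStory_README_FOR_DECRYPT.txt note from the encryption stage, in constructed process-creation and file-creation records of the form "timestamp|event type|value":

```python
import re

# Patterns for the commands the article lists (constructed for this example;
# tune to the shape of your own process-creation telemetry before use).
RECOVERY_TAMPERING = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "recovery_disabled": re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I),
    "bootstatus_ignored": re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I),
}
# Encryption-stage artifacts named in the article.
SAD_EXT = re.compile(r"\.sad$", re.I)
RANSOM_NOTE = "SADStory_README_FOR_DECRYPT.txt"

# Constructed sample events (hypothetical paths and timestamps).
SAMPLE_EVENTS = [
    "2017-03-01T10:00:01|ProcessCreate|cmd.exe /c vssadmin.exe delete shadows /all /quiet",
    "2017-03-01T10:00:02|ProcessCreate|bcdedit.exe /set {default} recoveryenabled no",
    "2017-03-01T10:00:02|ProcessCreate|bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures",
    "2017-03-01T10:00:05|ProcessCreate|notepad.exe C:\\Users\\victim\\notes.txt",
    "2017-03-01T10:05:00|FileCreate|C:\\Users\\victim\\Documents\\report.docx.sad",
    "2017-03-01T10:05:01|FileCreate|C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows"
    "\\Start Menu\\Programs\\Startup\\SADStory_README_FOR_DECRYPT.txt",
]


def classify_command(cmdline):
    """Return the tampering labels whose pattern matches this command line."""
    return [label for label, rx in RECOVERY_TAMPERING.items() if rx.search(cmdline)]


def scan_events(lines):
    """Parse 'ts|type|value' records and return alerts as (ts, reason) tuples."""
    alerts = []
    for line in lines:
        ts, kind, value = line.split("|", 2)
        if kind == "ProcessCreate":
            alerts.extend((ts, label) for label in classify_command(value))
        elif kind == "FileCreate":
            if SAD_EXT.search(value):
                alerts.append((ts, "sad_extension_written"))
            if value.rsplit("\\", 1)[-1] == RANSOM_NOTE:
                alerts.append((ts, "ransom_note_dropped"))
    return alerts


if __name__ == "__main__":
    for ts, reason in scan_events(SAMPLE_EVENTS):
        print(ts, reason)
```

Three matches within seconds of each other on one host is a much stronger signal than any single one, since vssadmin and bcdedit also appear in legitimate administration.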

In addition to modifying settings via the Windows Command Prompt, the virus may also change settings by adding registry values with custom data to some Windows Registry sub-keys. Among the targeted sub-keys may be the following:

→ HKEY_CURRENT_USER\Control Panel\Desktop\
HKEY_USERS\.DEFAULT\Control Panel\Desktop\

After having done this, the virus may also drop its ransom note in the %Startup% directory of Windows, so that it opens automatically on system startup. The note is named SADStory_README_FOR_DECRYPT.txt and has the following content embedded within it:

Interestingly, the e-mail address used for contact is the same address that was used by the previously released Mireware and KimcilWare ransomware viruses.

SADStory Ransomware – Encryption Process

Before the encryption process, the .sad file virus may cause a system restart by displaying a false error message. After the restart, the virus may be set to apply one or more encryption algorithms in a pre-configured encryption mode. It usually looks for widely used file types such as:

  • Documents.
  • Images.
  • Videos.
  • Audio files.
  • Database files.

Among the file types encrypted by the .Sad ransomware virus may be the following:


During encryption, the original bytes of each file are replaced with the same information in the encryption algorithm's encoded form, which makes the files impossible to open afterwards. A file extension distinctive to the SADStory virus, .sad, is also appended to the files. They may look like the example image below:

The virus may then connect to a remote host and send unique decryption keys to the cyber-criminals behind it. The virus also may remain active on the infected computer and delete a random file from the infected computer every 6 hours.

Remove SADStory Ransomware and Restore .sad Encrypted Files

Before the removal of SADStory ransomware, the first thing we advise you to do is to back up the encrypted files immediately after the infection. This is primarily because the virus deletes a file every 6 hours.

Then, to remove the .sad file virus, we recommend following the removal instructions below this article. They are designed to help isolate and delete files belonging to this virus in a methodical, advisable order. Also, if you do not have experience in following manual instructions, malware researchers strongly advise using an advanced anti-malware program, which will automatically take care of the removal process for you and protect the computer in the future as well.

After the removal of the .sad file ransomware is done, it is time to consider your alternatives for getting the files back instead of paying the ransom. We have posted several suggestions on methods with which you can recover your files, located in step "2. Restore files encrypted by SADStory" below. These may not be 100 percent effective, but they might help recover some encoded files. In the meantime we also advise following this web page, because we will update it as soon as malware researchers have a breakthrough regarding free decryption.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
