Saramat Ransomware Removal - Restore .Saramat Files

This article will help you remove Saramat ransomware effectively. Follow the ransomware removal instructions at the end.

Saramat is the name of a ransomware cryptovirus. Malware researchers have found that it is a variant of the Conficker ransomware, with code based on the HiddenTear open-source project. The virus appends the extension .Saramat to every file it encrypts. The Saramat virus demands 0.5 Bitcoin as ransom, which is nearly 2250 US dollars at the time of writing. Continue reading below to see how you could try to recover your files.

Threat Summary

Short Description: The ransomware encrypts files on your computer and afterwards displays a ransom message that looks almost identical to the one of the "Conficker" ransomware.
Symptoms: The ransomware encrypts your files and appends the extension .Saramat to them once the encryption process finishes.
Distribution Method: Spam Emails, Email Attachments
Detection Tool: See If Your System Has Been Affected by Saramat (Malware Removal Tool)
User Experience: Join Our Forum to Discuss Saramat.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and on whether or not you have reformatted your drive.

Saramat Ransomware – Infection

Saramat ransomware could spread in various ways. A payload dropper that launches the malicious script for this ransomware is being spread around the Web, and researchers have obtained a malware sample. If that file lands on your computer and you execute it, your system becomes infected. You can see the detections of such a file on the VirusTotal service below:

The Saramat ransomware might also deliver its payload file via social media and file-sharing services. Freeware found on the Web can be presented as helpful while also hiding the malicious script for the cryptovirus. Refrain from opening files right after you have downloaded them. First scan them with a security tool, and also check their size and signatures for anything that seems out of the ordinary. You should read the tips for preventing ransomware found in the forum section.

Saramat Ransomware – In-Depth

Saramat is a virus that encrypts your files and demands you to pay a ransom sum to get them decrypted. Malware researchers have discovered that it is a variant of the Conficker ransomware, but its code is based on the HiddenTear open-source project.

Saramat ransomware could create entries in the Windows Registry to achieve persistence, and could launch or suppress processes in a Windows environment. Such entries are typically designed to launch the virus automatically with each start of the Windows operating system.

The ransom note can be seen in the following two files:

  • Decrypt.txt
  • img.jpg

The note displayed in the img.jpg file reads the following:

Welcome To My Ransomware!
Attention! Attention! Attention!
Your Files has been encrypted By :
for decrypt your files
Send 0.5 Bitcoin To
And Contact us By Email :

However, the only message left inside the Decrypt.txt file is this one:

All Your Important Files Are Encrypted By Sarmat Ransomware

The note of the Saramat ransomware looks almost identical to the one of Conficker ransomware, as seen in the snapshot above. The message states that your files are encrypted. The ransom demanded for potentially unlocking your data is 0.5 Bitcoin, which equates to 2250 US dollars at the time of writing. However, you should NOT under any circumstances pay that ransom. Your files may not get recovered, and nobody can guarantee their restoration. Furthermore, giving money to cybercriminals will most likely motivate them to create more ransomware or commit other criminal acts.

Saramat Ransomware – Encryption

Although Saramat ransomware is a HiddenTear variant, it seeks to encrypt files with the following extensions:

→.7z, .7Z, .amv, .asp, .aspx, .avi, .BAT, .bmp, .c, .csv, .dll, .doc, .docx, .exe, .Exe, .exe, .fla, .flv, .gif, .GIF, .gz, .html, .icns, .ico, .iso, .iso, .jar, .jpg, .JPG, .mdb, .midi, .mov, .mp3, .mp3, .mp4, .mpg, .mpv, .mtv, .odt, .ogg, .pbm, .pdf, .pdf, .php, .png, .png, .PNG, .ppt, .pptx, .psd, .rar, .RAR, .rtf, .rv, .rvx, .sln, .sql, .sql, .tar, .txt, .TXT, .ved, .wm, .wma, .wma, .wmv, .wmv, .xls, .xlsx, .xml, .xwmv, .zip

Every file that gets encrypted receives the same appended extension, .Saramat. The encryption algorithm is likely AES, since most HiddenTear forks use exactly that algorithm.

The Saramat cryptovirus could be set to erase all Shadow Volume Copies from the Windows operating system with the following command:

→vssadmin.exe delete shadows /all /Quiet

Note that if the above command is executed, the attack becomes more effective, since its end result is to eliminate one of the prominent ways of recovering data. In case your computer was infected with this ransomware and your files got locked, keep reading to find out how you might restore some of them.

Remove Saramat Ransomware and Restore .Saramat Files

If your computer got infected with the Saramat ransomware virus, you should have some experience in removing malware. Get rid of this ransomware as quickly as possible, before it has the chance to spread further and infect other computers. Remove the ransomware and follow the step-by-step instructions provided below.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.
