.Saturn Ransomware Virus (Saturn Decryptor) – Remove + Restore Files

Saturn Ransomware Virus (Saturn Decryptor) – How to Remove and Restore .saturn Files

This article explains what the Saturn ransomware virus is, how to remove it from your computer, and how to try to get back .saturn encrypted files without having to pay the ransom.

A new ransomware infection has been detected by @malwarehunterteam. The malware aims to encrypt various types of files on the victim’s computer, shortly after which it drops ransom notes named #DECRYPT_MY_FILES#.html and .txt. The notes aim to get the victim to download the Tor anonymous browser and use it to access a unique web page where further instructions to pay around $300 in Bitcoin are explained. The ransomware virus may also perform other activities on the victim’s PC, such as setting a deadline of around a week, after which the price doubles. If your computer has been infected by the .saturn files virus, we recommend that you read the following article to learn how to remove it from your computer and how to try to get back .saturn encrypted files without having to pay the ransom.

Images Source: Twitter.com

Threat Summary

Name: Saturn Ransomware
Type: Ransomware, Cryptovirus
Short Description: Variant of BTCWare Ransomware virus family. Saturn ransomware aims to encrypt the files on your computer and asks you to pay around $300 ransom to get them to work again.
Symptoms: The files are encrypted with an added .saturn file extension, and #DECRYPT_MY_FILES#.txt and .html ransom notes are dropped on the victim’s PC.
Distribution Method: Spam Emails, Email Attachments, Executable files

How Does Saturn Ransomware Infect Victims

The infection is spread primarily via e-mail, which delivers a malicious file with a random name, such as the one reported at cape.contextis.com, with the following parameters:

Name: 9e87f069de22ceac029a4ac56e6305d2df54227e6b0f0b3ecad52a01fbade021.bin
Size 346624 bytes
MD5 bbd4c2d2c72648c8f871b36261be23fd
SHA1 77c525e6b8a5760823ad6036e60b3fa244db8e42
SHA256 9e87f069de22ceac029a4ac56e6305d2df54227e6b0f0b3ecad52a01fbade021
SHA512 38f2ff3b7ff6faa63ef0a3200e0dbb9e48e1d404a065f6919cb6d245699479896a42316f299c33c8cc068922934c64f8aa06c88b000d1676870c1d0c0f18e14a

This file is likely spread via either a malicious web link or an e-mail attachment that may execute it as a result of triggering malicious macros. If sent by e-mail, cyber-criminals often aim to imitate legitimate companies, like PayPal, eBay, Amazon, AliExpress, FedEx, DHL and other big names. This makes potential victims more likely to trust the message and click on a malicious link or download an attachment, as seen in the image below:

In addition to this, the Saturn ransomware virus may also be spread via fake files that may be uploaded online, posing as:

  • Setups of important programs, like drivers, etc.
  • Game patches or cracks.
  • License activators and cracks or patches.

Saturn Ransomware – What Does It Do

Shortly after it is installed on your computer, this ransomware virus drops a malicious file which checks for sandboxing or other types of protection measures that may prevent it from running. If it finds any, Saturn ransomware deletes the randomly named .bin file. If not, the virus begins the infection procedure by dropping the following file:

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5zy4hsui.lnk

In addition to this, the Saturn ransomware virus also deletes the shadow volume copies and disables system recovery on the victim’s computer by executing a script in Windows Command Prompt which runs the following commands as an administrator:

→ process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
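
Because this command chain removes the victim's recovery options before encryption starts, it is worth alerting on in process-creation telemetry. The detection logic below is an added example, not part of the original article or of any vendor tool; the host names and sample events are constructed, and the rule names are hypothetical.

```python
import re

# One rule per recovery-inhibiting action in the command chain quoted above.
_BCD = r'\bbcdedit(?:\.exe)?"?\s+/set\s+(?:\{[\w-]+\}\s+)?'
RULES = {
    "delete_shadow_copies": re.compile(r'\bvssadmin(?:\.exe)?"?\s+delete\s+shadows\b'),
    "disable_recovery": re.compile(_BCD + r"recoveryenabled\s+no\b"),
    "ignore_boot_failures": re.compile(_BCD + r"bootstatuspolicy\s+ignoreallfailures\b"),
}

def normalise(cmdline):
    """Lower-case, straighten curly double quotes, collapse whitespace."""
    cmdline = cmdline.replace("\u201c", '"').replace("\u201d", '"')
    return re.sub(r"\s+", " ", cmdline.lower()).strip()

def classify(cmdline):
    """Return the sorted rule names matched by one process command line."""
    hits = set()
    # cmd.exe chains commands with &, && and ||, so test each link on its own.
    for part in re.split(r"&&|\|\||&", normalise(cmdline)):
        hits.update(name for name, rx in RULES.items() if rx.search(part))
    return sorted(hits)

def triage(events):
    """events: iterable of (host, cmdline). Returns [(host, severity, hits)]."""
    alerts = []
    for host, cmdline in events:
        hits = classify(cmdline)
        if hits:
            # Two or more actions in one command line matches the full chain.
            alerts.append((host, "high" if len(hits) >= 2 else "medium", hits))
    return alerts

# Constructed process-creation events; host names are hypothetical.
SAMPLE_EVENTS = [
    ("WS-014", "process call create \u201ccmd.exe /c vssadmin.exe delete shadows /all /quiet"
               " & bcdedit.exe /set {default} recoveryenabled no"
               " & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\u201d"),
    ("WS-020", "vssadmin list shadows"),                 # benign inventory
    ("SRV-02", "bcdedit /enum {default}"),               # benign read-only query
    ("WS-031", r'"C:\Windows\System32\VSSADMIN.EXE"  Delete Shadows /for=C: /quiet'),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Read-only uses such as `vssadmin list shadows` and `bcdedit /enum` do not match, which keeps routine administration out of the alert queue.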

The next move of the ransomware is to make sure that its presence is known by the victim, and this happens by dropping the following ransom note files:


Both of the ransom note files have the following message to victims:

All of your files have been encrypted!
To Decrypt your files follow these steps:
1. Download and install the “Tor Browser” from https://www.torproject.org
2. Run it.
3. In the Tor Browser, open website:
http://{random page}.onion
4. Follow the instructions on the page

After victims manage to open the ransom page, they are presented with the following login screen:

The screen prompts victims to enter their unique identification, which serves primarily to identify them and grant access to the ransom instructions. The ransom instructions on the Tor-hosted web page are as follows:

Text from image:

Saturn Decryptor Home FAQ Support
All your documents, photos, databases and other Important
To restore your files you have to buy a special software called “Saturn Decryptor”
If you pay within 7 days the price will be ~300$ (0.03086896 BTC)
After 7 days the price will rise to ~600$ (0.06173792 BTC)
Your files will be recoverable for a month, after that your files are forever gone.
Special price will end in 6 days, 23 hours, 59 minutes, 22 seconds
How to buy Saturn Decryptor
The only payment method we accept is Bitcoin. Below is a step by step guide for buying Bitcoins. If you need any more help contact our support or search from google
1. You have to create a Bitcoin (BTC) wallet.
We recommend the most popular wallet blockchain.info or coinbase.com
2. You have to buy some Bitcoins to your wallet
Buy more than 0.03 bitcoin.
We recommend the following trusted sites to buy bitcoin from (not related to this site in any way)
  • localbitcoins.com
3. Send 0.03 bitcoins to the Bitcoin address below:
4. Wait for the payment to get confirmed.
Refresh the page to see up to date payment status.
5. Once the payment is confirmed you can download “Saturn Decryptor”.
You will be then automatically redirected to the download page.
Amount Status
No payment found
Total confirmed

What is interesting is that, besides frequently asked questions and customer support, the Saturn ransomware infection also has multi-language support, something which was characteristic of Cerber ransomware.

Saturn Ransomware – Encryption Process

During the encryption process, Saturn ransomware targets often used files, such as music, videos, images and other commonly used file types. The targeted files may have the following file extensions:

.1c, .3fr, .accdb, .ai, .arw, .bac, .bay, .bmp, .cdr, .cer, .cfg, .config, .cr2, .crt, .crw, .css, .csv, .db, .dbf, .dcr, .der, .dng, .doc, .docm, .docx, .dwg, .dxf, .dxg, .eps, .erf, .gif, .htm, .html, .indd, .iso, .jpe, .jpeg, .jpg, .kdc, .lnk, .mdb, .mdf, .mef, .mk, .mp3, .mp4, .mrw, .nef, .nrw, .odb, .ode, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pdd, .pdf, .pef, .pem, .pfx, .php, .png, .ppt, .pptm, .pptx, .psd, .pst, .ptx, .r3d, .rar, .raw, .rtf, .rw2, .rwl, .sql, .sr2, .srf, .srw, .tif, .wb2, .wma, .wpd, .wps, .x3f, .xlk, .xls, .xlsb, .xlsm, .xlsx, .zip

After the files are encrypted by this virus, they receive the .saturn file extension and can no longer be opened. This is because they are believed to be encoded via the RSA (Rivest-Shamir-Adleman) encryption algorithm. This procedure is done with several different types of encryption modes, generating unique decryption keys for each file. The files may appear like the following after being encrypted by Saturn Ransomware:

Remove Saturn Decryptor Ransomware and Restore Encrypted Files

In order to remove this virus from your computer, we recommend that you follow the removal instructions below. They are specifically created to help you remove the malicious files of this malware either manually or automatically. If you lack the experience to perform manual removal of this ransomware, experts advise downloading advanced anti-malware software and scanning your PC with it. Such software will always ensure protection against future intrusions as well.

If you want to try to restore files that have been encrypted by Saturn ransomware, we recommend that you check the alternative file recovery instructions in step “2. Restore files encrypted by Saturn Ransomware” below. They are not a 100% guarantee that you will be able to recover your files, but they may well help you recover as many files as possible.
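
Before attempting recovery, it helps to know which files were hit and where the ransomware left its traces. The inventory script below is an added example, not part of the original article; it looks only for the artefacts the article names (the .saturn extension, the two ransom note names and shortcuts in the Startup folder), assumes the extension is appended to the original file name, and uses a constructed directory tree as sample input.

```python
import os
from collections import Counter

ENC_EXT = ".saturn"   # extension the article says is added to encrypted files
NOTE_NAMES = {"#decrypt_my_files#.txt", "#decrypt_my_files#.html"}
STARTUP_SUFFIX = "start menu/programs/startup"   # per-user Startup folder

def scan(root):
    """Walk root and inventory the Saturn artefacts named in the article."""
    report = {"encrypted": [], "notes": [], "startup_lnk": [], "by_type": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        in_startup = dirpath.replace("\\", "/").lower().endswith(STARTUP_SUFFIX)
        for name in files:
            path, lower = os.path.join(dirpath, name), name.lower()
            if lower in NOTE_NAMES:
                report["notes"].append(path)
            elif lower.endswith(ENC_EXT):
                # Assumption: the extension is appended to the original name.
                original = name[:-len(ENC_EXT)]
                report["encrypted"].append((path, original))
                ext = os.path.splitext(original)[1].lower() or "(none)"
                report["by_type"][ext] += 1
            elif in_startup and lower.endswith(".lnk"):
                # Shortcuts here run at logon; review each one by hand.
                report["startup_lnk"].append(path)
    return report

def make_constructed_tree(root):
    """Create a small constructed profile tree so the scan can be tried safely."""
    startup = os.path.join(root, "AppData", "Roaming", "Microsoft", "Windows",
                           "Start Menu", "Programs", "Startup")
    docs = os.path.join(root, "Documents")
    os.makedirs(startup)
    os.makedirs(docs)
    for folder, name in [(docs, "budget.xlsx.saturn"), (docs, "photo.JPG.saturn"),
                         (docs, "notes.txt"), (docs, "#DECRYPT_MY_FILES#.txt"),
                         (startup, "5zy4hsui.lnk")]:
        open(os.path.join(folder, name), "w").close()

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        make_constructed_tree(tmp)
        result = scan(tmp)
        print(len(result["encrypted"]), "encrypted;", dict(result["by_type"]))
        print("notes:", result["notes"], "startup:", result["startup_lnk"])
```

The script only reads file names, so it can be pointed at a mounted copy of the affected profile without changing anything on it.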


Ventsislav Krastev
