1 of 3
Danger level 7
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Slow internet connection
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

Sitaram108 Ransomware

Your unprotected computer can become infected with Sitaram108 Ransomware after opening fake emails featuring a malicious file attachment. Once on your PC, it will encrypt most of your files and demand that you pay a ransom to get the decryptor needed to decrypt them. Since we have encountered applications similar to this one, we believe that its developers will demand quite a large sum of money for the decryptor, so you should consider removing this infection instead of complying with their demands. We have acquired a sample of this ransomware and tested it on one of our test computers and in this article we will talk about our findings.

Let us begin with the most crucial information regarding Sitaram108 Ransomware. Our research has shown that it is based on the Crysis ransomware engine, which means that this particular ransomware uses the RSA cryptosystem to encrypt your files. To be more specific, it uses the RSA-2048 key that is very strong, so decrypting the files using universal decryption tools is nearly impossible. Researchers have yet to find vulnerabilities in this ransomware that could help break the encryption, so you can either wait until a proper decryption tool is released or take the risk of paying the ransom only not to receive it in the end.

Testing has shown that Sitaram108 Ransomware is set to encrypt almost all file formats that include .mp3, .zip, .rar, .zip, .tif, .png, .cdr, .psd, .docx, .dotx, .html, .jpeg, and .json, among others in most locations on your computer. However, it should skip directories such as %AppData%, %System32%, %Windows%, and %Temp% because some of the files in these locations are crucial to running the operating system. While encrypting, it will append the files with the .id-B4500000.{sitaram108@aol.com}.xtbl file extension. The extension itself is .xtbl. But, the ransomware is set to include the email address which you have to use to get in touch with the cyber criminals and an ID number used to identify a specific victim and assign the appropriate decryption key.

If you contact the developers, you may be asked to send three random files to them so that they could send the decrypted versions back to you as proof that they mean business. Then, they should demand that you pay the ransom that can vary from 3 BTC ($1728 USD) to 4 BTC ($2305 USD.) Evidently, these are substantial sums of money that may not be worth your files. Therefore, you may want to reconsider paying the ransom, especially since there is no guarantee that you will get the decryptor.

Now let us get into some of the more technical aspects of Sitaram108 Ransomware. Testing has shown that the dropper file can place the malicious executable in several locations. In most cases, it should drop the file in either %WINDIR%\Syswow64 or %WINDIR%\System32, but it can also place it in %ALLUSERSPROFILE%\Start Menu\Programs\Startup, %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup and several other locations. Moreover, it will create a randomly named registry string at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to run the executable on each system boot. Furthermore, it will drop a file called How to decrypt your files.txt which says “To decrypt your data write me to sitaram108@aol.com if you have no responce in 24 hours, write to sitaram108@india.com.” Also, it will drop another file named How to decrypt your files.jpg that is set as the desktop wallpaper. The configured to replace the wallpaper features text similar to that of the How to decrypt your files.txt file.

Unfortunately, if your computer became infected with Sitaram108 Ransomware, then you have two choices: you can take your chances and pay the hefty ransom or refuse to do this and delete it entirely. If you opt to get rid of it, feel free to make use of the removal guide below or download and install SpyHunter, an anti-malware program that will wipe out all traces of this infection.

Delete Sitaram108 Ransomware

  1. Hold down Windows+E keys to open File Explorer.
  2. In the address box, enter the following locations and locate the malicious executable.
    • %ALLUSERSPROFILE%\Start Menu\Programs\Startup
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    • %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup
    • %WINDIR%\Syswow64
    • %WINDIR%\System32
  3. Right-click the executable file and click Delete.
  4. Enter C:\Users\user
  5. Find and delete How to decrypt your files.jpg
  6. Delete How to decrypt your files.txt from the desktop.
  7. Empty he Recycle Bin.

Delete the registry keys

  1. Hold down Windows+R keys to open RUN.
  2. Enter regedit in the box and hit Enter.
  3. Go to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  4. Locate the randomly named string featuring Value data such has %WINDIR%\Syswow64\Payload.exe
  5. Right-click it ad click Delete and click Yes.
  6. Go to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers
  7. Find the string BackgroundHistoryPath0 and delete it.
  8. Then, go to HKCU\Control Panel\Desktop
  9. Find the string Wallpaper, right-click it and click Modify.
  10. Erase C:\Users\user\How to decrypt your files.jpg in the Value data line.
  11. Click OK.
  12. Done.
Download Spyware Removal Tool to Remove* Sitaram108 Ransomware
  • Quick & tested solution for Sitaram108 Ransomware removal.
  • 100% Free Scan for Windows

Post comment — WE NEED YOUR OPINION!

Please enter security code:
This is a captcha-picture. It is used to prevent mass-access by robots.