Sadstory Ransomware

Sadstory Ransomware is a new member of the so-called CryPy ransomware family. Specialists have first detected it at the end of March, 2017, so, at the time of writing, it is not extremely prevalent yet. Of course, we cannot know what will happen in the future. Are you reading this article because you have already become a victim of Sadstory Ransomware? If the answer is positive, read this article till the end. You will not only find more information about this malicious application provided here, but could also erase this ransomware infection manually with your own fair hands after reading the last paragraph. Yes, we are strictly against making payments to cyber criminals behind ransomware infections because this usually does not solve the problem of encrypted files and a computer infection responsible for locking them is not automatically deleted from the system too, which suggests that it can strike again and lock newly-created files anytime. We are sure this is not how you imagine your future.

It does not mean that Sadstory Ransomware acts somehow differently if it is a brand new ransomware infection. Just like other ransomware-type threats do, it starts encrypting users’ files immediately after entering the computer and finding them. These files are not left where they are after the encryption. Sadstory Ransomware places them all into one folder it creates: __SAD STORY FILES__. On top of that, the names of all these encrypted files are changed into a random string of letters and numbers, and their original filename extensions are replaced with a new extension .sad, for example, z1h7NjfVxsxquUC4QWpQ4W7ScpQ54pyzexyf.sad. This makes it impossible to recognize which files have been encrypted by this computer infection and could no longer be opened. In order to tell users what has happened to their files, it creates a file SADStory_README_FOR_DECRYPT.txt (a ransom note) on Desktop. The first sentence of the message found inside this file informs users that all their files have been encrypted “with strong ciphers.” Also, users are told that they can get them back with the help of a decryption program stored on a secret server. In order to get it, users need to write an email to tuyuljahat@hotmail.com or lucifer.fool@yandex.com as soon as possible (the unlock key will be permanently deleted after 96 hours). Of course, nobody is going to give you the decryption tool for free. You will receive payment instructions and have to transfer an indicated amount of money to the developer of Sadstory Ransomware to get it. Sadly, it does not mean that you almost have it in your hands after making a payment. In some cases, cyber criminals do not give users the promised key, thus leaving them without their files and without their money. Paying money is a risky activity, as you can see.

We already know how Sadstory Ransomware acts on users’ computers, so let’s now start the other topic. According to researchers at pcthreat.com, users need to know how Sadstory Ransomware has entered their PCs so that it would be easier for them to protect their computers from similar infections in the future. Most likely, this computer infection is spread through spam emails, more specifically, their attachments. Yes, it pretends to be a decent attachment and strikes only when a user opens it. Unfortunately, there are a number of users who do that even though they are well aware of the fact that spam emails can be dangerous. Most probably, they decide to open those malicious attachments because they look completely harmless and pretend to be something they are not, e.g. important documents, bills, hotel confirmations, etc. Because of these different forms malicious files can take to sneak onto users’ computers, users also need to have a security application enabled on their computers 24/7.

Sadstory Ransomware does not have an autorun, it does not lock the screen, and it does not make any changes in the system registry, so getting rid of this ransomware infection should not be an extremely complicated task to accomplish. If you need some help, you are more than welcome to use our manual removal guide (scroll down to find it). Also, do not forget that all infections can be deleted with reputable automatic scanners too. Unfortunately, they are powerless to decrypt files for you either.

Remove Sadstory Ransomware from your computer

1. Launch the Windows Explorer (tap Win+E simultaneously).
2. Open %LOCALAPPDATA% (type this directory in the URL bar at the top).
3. Locate the file having two extensions there: ReadMe.pdf.exe.
4. Delete it.
5. Remove all malicious files from %USERPROFILE%\Desktop, %USERPROFILE%\Downloads, and %TEMP%.
6. Empty the Recycle bin.