Danger level 7
Type: Trojans
Common infection symptoms:
  • Can't be uninstalled via Control Panel
  • Installs itself without permissions
  • Connects to the internet without permission
  • System crashes
  • Slow Computer

Sad Ransomware

Sad Ransomware can encipher both personal and program data, which makes the threat even more dangerous compared to ransomware applications that target only the user’s files. The malware locks data with a strong cryptosystem to hold it hostage and then demands that the user pay a ransom to receive decryption tools. Currently, the amount they wish to receive is 0.3 BTC, which at the moment of writing is approximately two thousand US dollars. Paying such a large sum is a considerable risk, since there are no guarantees the malicious application’s creators will provide the user with the promised decryption tools. This is why our specialists do not advise paying the ransom. If you would rather not gamble with such a huge sum, you should ignore the presented ransom note and eliminate Sad Ransomware. To explain the removal process, we have placed deletion instructions just below the article.

It is not yet known how the malware enters the system, but our specialists believe Sad Ransomware most likely gets in through infected spam email attachments, malicious software installers, other suspicious files downloaded from the Internet, and so on. After the malicious application’s installer is launched, it should create a couple of copies of itself called Picture.exe and tGVkDTIb.exe in the %HOMEDRIVE% and %TEMP% directories. Then it should begin the encryption process by locating files in %PROGRAMFILES%, %PROGRAMFILES(x86)%, %USERPROFILE%, %PUBLIC%, and possibly the listed directories’ subfolders.

Once it is ready, the malware should encipher each file located in the mentioned folders with the AES-256 encryption algorithm. The targeted files should also have a unique additional extension appended, for example, picture.jpg.23E4BF90D84AE56184E38BB4E00FCD38B0F5F10B07F5513DAA27E87D4359C814. This is not just a string of random characters: it is your unique ID, which the hackers need in order to recognize your computer, and a decryption key is likewise created individually for each infected computer. This means the extension placed at the end of all encrypted files should differ for each user who encounters Sad Ransomware.

Furthermore, after the encryption process takes place, the malware should drop a few files presenting the victims with the ransom note on their Desktop: _HELPME_DECRYPT_.png, _HELPME_DECRYPT_.html, _HELPME_DECRYPT_.txt, and _HELPME_DECRYPT_.hta. Some of the mentioned files carry a short message, while others display a full ransom note that explains in detail how to make the payment. Apparently, Sad Ransomware’s creators have even created a platform to make the paying process more comfortable for the user. The note should also offer various links for additional information about the cryptosystem used, Bitcoins, and so on. According to our researchers, it even provides an email address and asks users to contact the hackers if they “have any questions.”

Needless to say, the helpful and friendly tone you can sense in the ransom note is merely there to convince you to pay the ransom and to give the impression that nothing can go wrong. On the contrary, many things could go wrong and leave you with no decryption tools and with smaller savings. First of all, the threat’s creators could lose the connection to the server on which they might be storing the decryption keys. Not to mention, they might not bother to send the promised decryption tools, since the user cannot get his money back anyway. This is why we advise you to think carefully before you make up your mind, and if you do not think you can risk losing the amount Sad Ransomware’s developers want you to pay, you should think about the infection’s removal.

Erasing all files belonging to the malicious application one by one would allow you to get rid of the threat manually. The instructions located below the text are here to make this process easier for users. Still, if you review these steps and are not convinced you can eliminate the malware on your own, we recommend installing a reliable antimalware tool instead. Then all you would have to do is perform a system scan and click the removal button. As for encrypted data, the infection’s deletion will not restore it, but once the threat is gone, you can safely recover your files from backup copies if you have any.

Remove Sad Ransomware

  1. Press Ctrl+Alt+Delete.
  2. Go to the Task Manager.
  3. Find the malware’s process.
  4. Mark this process and click End Task.
  5. Exit Task Manager.
  6. Tap Win+E.
  7. Navigate to:
    %TEMP%
    %USERPROFILE%\desktop
    %USERPROFILE%\downloads
  8. See if you can find the malicious program’s installer.
  9. Right-click the suspicious file and press Delete.
  10. Then go to %HOMEDRIVE%.
  11. Select a file called Picture.exe, right-click it and press Delete.
  12. Access the %TEMP% directory again.
  13. Find and erase files titled tGVkDTIb.exe and id.txt.
  14. Navigate to your Desktop again.
  15. Delete the following data:
    _HELPME_DECRYPT_.png
    _HELPME_DECRYPT_.html
    _HELPME_DECRYPT_.txt
    _HELPME_DECRYPT_.hta
  16. Close File Explorer.
  17. Empty your Recycle bin.
  18. Reboot the system.
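The manual steps above and the description of the appended 64-character victim ID both rely on recognizing the same artifacts by name and pattern. The following Python triage script, added here as an example and not part of the original article or any vendor tool, walks a directory tree and reports (without deleting anything) the dropped files, the Desktop ransom notes, and every file carrying a 64-hex-character appended extension; the directory tree it scans in `demo_scan()` is constructed from placeholder bytes, not real malware.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the article. Names are compared case-insensitively,
# as Windows file systems are. Paths (%HOMEDRIVE%, %TEMP%, Desktop) are not
# hard-coded: the caller passes the root to scan.
DROPPED_FILES = {"picture.exe", "tgvkdtib.exe", "id.txt"}
RANSOM_NOTES = {"_helpme_decrypt_" + e for e in (".png", ".html", ".txt", ".hta")}
# The appended extension is the 64-hex-character victim ID, e.g.
# picture.jpg.23E4BF90D84AE56184E38BB4E00FCD38B0F5F10B07F5513DAA27E87D4359C814
ENCRYPTED_SUFFIX = re.compile(r"\.[0-9a-f]{64}$", re.IGNORECASE)

def classify(name):
    """Return 'dropper', 'ransom_note', 'encrypted' or None for one file name."""
    low = name.lower()
    if low in DROPPED_FILES:
        return "dropper"
    if low in RANSOM_NOTES:
        return "ransom_note"
    if ENCRYPTED_SUFFIX.search(name):
        return "encrypted"
    return None

def scan(root):
    """Walk root and group matching files by category (report only, no deletion)."""
    found = {"dropper": [], "ransom_note": [], "encrypted": []}
    for p in Path(root).rglob("*"):
        kind = classify(p.name) if p.is_file() else None
        if kind:
            found[kind].append(p.relative_to(root).as_posix())
    return {k: sorted(v) for k, v in found.items()}

def demo_scan():
    """Build a constructed directory tree mirroring the article's indicators
    (placeholder bytes, not real malware) and return the scan result."""
    vid = "23E4BF90D84AE56184E38BB4E00FCD38B0F5F10B07F5513DAA27E87D4359C814"
    sample = ["Picture.exe", "Temp/tGVkDTIb.exe", "Temp/id.txt",
              "Desktop/_HELPME_DECRYPT_.txt", "Desktop/_HELPME_DECRYPT_.hta",
              "Desktop/picture.jpg." + vid, "Public/report.docx." + vid,
              "Desktop/notes.txt", "Program Files/app/readme.txt"]  # last two: clean
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for rel in sample:
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(b"placeholder")
        return scan(root)

if __name__ == "__main__":
    for kind, paths in demo_scan().items():
        print(kind, paths)
```

On a real machine you would call `scan()` on the drive root or the directories the article names and review the report before deleting anything, since any legitimate file with a 64-hex-character suffix would also be listed.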