Sarut Ransomware

Our researchers are learning about new variants of the infamous STOP Ransomware every single day. Sarut Ransomware is the latest variant to join the party. There is no doubt that the cybercriminal behind this infection has created a bunch of other variants from this family, but it is also possible that it has been the same attacker standing behind all variants all along. Whether or not that is the case, we cannot guarantee yet, but that is a possibility. A few other clones we can mention are Ooss Ransomware, Nppp Ransomware, Righ Ransomware, and Remk Ransomware. The names of these threats are usually made up of random four-letter combinations that do not mean a thing. There are thousands of combinations that can be made, and unfortunately, there are also hundreds of variants already. You need to delete them all, and while we recommend reading reports that are created for every single variant, you should be able to remove Sarut Ransomware just like any other clone.

Although our researchers are familiar with the structure of the malicious Sarut Ransomware, how this dangerous infection spreads is still quite mysterious. We know that spam emails, bundled downloaders, and RDP vulnerabilities are used in most cases, but we cannot tell you which email addresses or software download websites you should look out for. If you want to be completely safe, it is best to delete all spam emails and take a very critical look at emails that are at least a little bit suspicious. While you can open any email without executing threats, opening file attachments or links included in the messages can be very dangerous. If you are not careful, Sarut Ransomware can slither in and encrypt your personal files within moments. Afterward, you should find the “.sarut” extension appended to the files’ names. This extension is used as a marker only, and there is no reason to delete it. Ransomware files, on the other hand, need to be removed. These include a ransom note file called “_readme.txt” in %HOMEDRIVE%, a file with an ID code inside called “PersonalID.txt” in %HOMEDRIVE%\SystemID\, and an .exe file with a random name in %LOCALAPPDATA%\[random name] folder.

The most important file that Sarut Ransomware drops is the ransom note file because it explains to the victims what they supposedly need to do to get their files decrypted. The note promises that if the victim contacts the attackers via email (vengisto@firemail.cc or gorentos@bitmessage.ch) or Telegram (@datarestore) and then pays a ransom of $490, a decryptor will be sent to them. That will not happen. Once you contact the attackers and pay the ransom, you will be stuck in the same position that you were before the payment, but you will have less money, and your inbox is likely to be flooded with new spam emails. In most cases, file-encrypting ransomware is undecipherable, and victims feel pressure to take risks. That is not the case with Sarut Ransomware. A free tool named ‘Stop Decryptor’ was built by malware researchers, and you might be able to decrypt all files using it. Of course, in the best-case scenario, you do not need to pay for anything or install anything because you have copies of personal files and you can use them to replace the corrupted ones.

We cannot guarantee that you will be able to delete Sarut Ransomware manually because some of the components that belong to this malware have unique names. If you are able to identify and erase all malicious files, you still need to think about your virtual security. Are you able to protect it against ransomware and other kinds of threats in the future? If you cannot protect your system or if you cannot remove Sarut Ransomware manually, why not install a legitimate anti-malware program? It will automatically erase all malware files and, at the same time, secure the system to prevent new infections from slithering in. After that is taken care of, hopefully, you can use backups or a free tool to replace/recover files. Once all is back to normal, do not resume your normal activities as if nothing happened. You must have opened the wrong email, downloaded the from file, or left your system unprotected. If you want to make sure that these backdoors cannot be used to attack your system again, do not open them.

Sarut Ransomware Removal

1. Access the %HOMEDRIVE% directory.
2. Delete the file called _readme.txt and a folder called SystemID.
3. Access the %LOCALAPPDATA% directory.
4. Delete the folder with a long random name (e.g., 0115174b-bd55-4caf-a89a-d8ff8132151f).
5. Empty Recycle Bin.
6. Install a legitimate malware scanner to inspect your system for leftovers.

N.B. To access directories, launch File Explorer (Win+E) and enter the directory into the quick access field.