
Sadogo Ransomware

By GoldSparrow in Ransomware

The Sadogo Ransomware is a new file-locking Trojan that malware analysts spotted in April 2020. This threat does not appear to belong to any of the major ransomware families but may be related to the KPOT Stealer. The Sadogo Ransomware seems to target English-speaking users but is likely to be propagated worldwide.

Sadogo gets inside computers through various attack vectors and encrypts data. Users are unable to access their files and use their computer properly. Like other kinds of ransomware, Sadogo demands a ransom payment in order for victims to get their data back safe and sound.

Propagation and Encryption

Many authors of ransomware threats use a variety of distribution methods to spread their threatening creations. Some of the most commonly utilized infection vectors are misleading advertisements, torrent trackers, mass spam email campaigns, illicit activation tools for popular software, pirated copies of widely used applications, etc. Therefore, PC users are advised to be very careful when opening emails from unknown sources and to avoid downloading pirated content, as it is not worth the risk. The Sadogo Ransomware would sneak into your computer, scan your data and locate your files. This data-encrypting Trojan is likely programmed to target a wide array of filetypes to ensure maximum damage to the system. Naturally, the more files the Sadogo Ransomware locks, the more likely the user is to contemplate paying the ransom fee demanded by the attackers. Once a file undergoes the encryption process of the Sadogo Ransomware, its filename will be altered, because the Sadogo Ransomware appends a '.encrypted' extension at the end of the filenames of the locked files. For example, a file that you named 'honey-locks.jpeg' will be renamed to 'honey-locks.jpeg.encrypted.'

The Ransom Note

To inform the user what has happened to their files and provide them with instructions on completing the payment, the Sadogo Ransomware would drop a ransom note on the victims' computers. The ransom note's name is 'readme.txt.' The attackers urge the user to download the Tor browser, which is the only one that would allow them to access the Dark Web. Next, the authors of the Sadogo Ransomware provide a Tor-based page where the user can pay the ransom fee. Each affected user has a unique victim ID generated for them to help the attackers differentiate between the victims.

The note reads as follows:

Dear user! Your computer is encrypted!
To decrypt your computer, you need to download the TOR browser at https://www.torproject.org/download/
Install it and visit our website for further action http://reco3zanpd2ijycv.onion/
Your id: daa1938***

As you can see, the note only contains the contact information of the criminals. The note doesn’t include specific details about the size of the ransom, but reports have come in that it can reach up to $1,500. That’s a lot of money for most people. We always recommend against paying the attackers as there is no guarantee they will live up to their end of the bargain. If anything, it is more likely that they will take your money and run.

Victims must open the link provided in the text file in the Tor browser to access the deep web. The website includes a contact form for people to put in their details to connect to the developers. The developers, if they follow through, will respond with the cost of the decryption and how to make the payment. The encryption methods used by ransomware are particularly secure, and it is almost impossible to decrypt the data without the attackers' key.
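The two on-disk indicators this write-up describes, the '.encrypted' double extension from the Propagation and Encryption section and the 'readme.txt' note quoted above, are enough for a simple triage sweep of a backup or a suspect volume. The following is an added example for this page, not the article's or the malware's code; the directory tree it scans is constructed inside the script, and the marker text it searches for is the first line of the note as quoted above.

```python
"""Triage helper for the indicators described above: files renamed with a trailing
'.encrypted' extension and 'readme.txt' ransom notes. Added example, not the
article's code; the tree it scans is constructed here, not a real infection."""
import os
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".encrypted"                 # extension appended by Sadogo
NOTE_NAME = "readme.txt"                     # ransom note filename
NOTE_MARKER = "Your computer is encrypted!"  # first line of the quoted note

def scan_for_sadogo_indicators(root):
    """Walk `root`; return locked files, matching notes and a count of the
    original extensions that were locked (recovered from the double extension)."""
    encrypted, notes, orig_exts = [], [], Counter()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(path)
                original = name[:-len(ENCRYPTED_EXT)]   # 'x.jpeg.encrypted' -> 'x.jpeg'
                orig_exts[os.path.splitext(original)[1].lower() or "(none)"] += 1
            elif name.lower() == NOTE_NAME:
                try:
                    with open(path, encoding="utf-8", errors="ignore") as fh:
                        if NOTE_MARKER in fh.read(4096):   # only flag notes with the text
                            notes.append(path)
                except OSError:
                    pass  # unreadable file: skip it rather than abort the triage
    return {"encrypted": encrypted, "notes": notes, "orig_exts": orig_exts}

def build_sample_tree():
    """Constructed sample tree: three locked files, one untouched file, one real
    note and one benign readme.txt that must not be flagged."""
    root = tempfile.mkdtemp(prefix="sadogo_triage_")
    for sub in ("Documents", "Pictures"):
        os.makedirs(os.path.join(root, sub))
    for rel in ("Documents/budget.xlsx.encrypted", "Documents/notes.txt.encrypted",
                "Pictures/honey-locks.jpeg.encrypted", "Pictures/logo.png"):
        open(os.path.join(root, rel), "wb").close()
    with open(os.path.join(root, "Documents", NOTE_NAME), "w") as fh:
        fh.write("Dear user! Your computer is encrypted!\nYour id: [placeholder]\n")
    with open(os.path.join(root, "Pictures", NOTE_NAME), "w") as fh:
        fh.write("Holiday photos, sorted by year.\n")  # benign file with the same name
    return root

if __name__ == "__main__":
    result = scan_for_sadogo_indicators(build_sample_tree())
    print(len(result["encrypted"]), "locked files;", len(result["notes"]), "ransom note(s)")
    print(dict(result["orig_exts"]))
```

The extension tally tells a responder at a glance which kinds of data were hit, and the content check keeps an unrelated readme.txt from being counted as a ransom note.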

How Does Sadogo Ransomware Infect Computers?

Like most ransomware, Sadogo spreads through spam email campaigns and program exploits.

Emails

Cybercriminals exploit their victims by sending out spam emails. The emails have false header information to trick users into believing they come from a shipping company. The email says that the company in question attempted to deliver a package to you but failed. The emails may also claim that a shipment you made couldn't be completed for some reason.

Readers are tempted to access the attached file to find out what happened to their package. Once the user accesses the attached file or clicks on the link included with the email, their computer is infected.

Program Exploits

Security researchers have seen ransomware attack victims by exploiting potential vulnerabilities in software programs and computer operating systems. These exploits target the operating system, internet browsers, third-party installations, and Microsoft Office.

How to Protect Your Computer From Sadogo Ransomware

There are several steps you can take to protect yourself and your computer from Sadogo ransomware and other ransomware. The most important thing to do is to avoid opening email attachments and links if you aren't sure of the source. If in doubt, don't do it. It's also worth keeping a robust backup schedule where you regularly back up the data on your computer. The more copies you have of essential data, the better. That way, even if someone does infect your computer and lock your files away, you can just restore them and get on with your day.

Don’t forget to keep your applications, programs, and operating systems up to date. The constant updates can be overwhelming, but most updates are issued to patch exploits that viruses use to infect computers. Keep your computer up to date, and you’ll have a lot less to worry about in terms of viruses, malware, and ransomware.

Important information. Don’t forget to remove the virus from your computer first so that your data isn’t just infected again right away.
