SADStory Ransomware
Threat Scorecard
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Threat Level: | 100 % (High) |
| Infected Computers: | 4 |
| First Seen: | March 28, 2017 |
| Last Seen: | April 11, 2022 |
| OS(es) Affected: | Windows |
Malware analysts have observed threat attacks linked to a group producing low-quality threats that are calling themselves 'Mafia Malware Indonesia.' This group has claimed responsibility for various threat attacks, including the SADStory Ransomware. The SADStory Ransomware is a ransomware Trojan that is designed to infect computers, encrypt files, and ask for the payment of a ransom from the victim.
Table of Contents
The SADStory Ransomware and Other Mafia Malware Indonesia Creations
The group responsible for the SADStory Ransomware was first observed in March 2016 after various attacks targeting online retailers using Magento to came to light. These attacks had been associated with the email address 'tuyuljahat@hotmail.com.' Tracking this email address has been a way for PC security researchers to follow the activities of the group responsible for the SADStory Ransomware since it seems that they are careless enough to use this email address repeatedly which, just by being located in a public email service rather than on the Dark Web or more anonymous service, is a security flaw that could help PC security researchers track the activities related to the SADStory Ransomware. The SADStory Ransomware, like other ransomware Trojans released by this group, seems to be based on the Hidden Tear open source ransomware engine. A flaw in this project, fortunately, has allowed PC security researchers sometimes to be capable of recovering the files encrypted in the attack.
The SADStory Ransomware’s Attack and Ransom Demand
The SADStory Ransomware encrypts its victim's files using the Hidden Tear encryption method, which combine the AES and RSA encryptions. The SADStory Ransomware drops its ransom note in the form of a text file named 'SADStory_README_FOR_DECRYPT.txt' on the victim's desktop. The SADStory Ransomware displays the following ransom note in this text file:
'! ! ! WARNING ! ! !
All your files are encrypted by SADStory with strong chiphers.
Decrypting of your files is only possible with the decryption program, which is on our secret server.
All encrypted files are moved to __SAD STORY FILES__ directory and renamed to unique random name.
Note that every 6 hours, a random file is permanently deleted. The faster you are, the less files you will lose.
Also, in 96 hours, the key will be permanently deleted and there will be no way of recovering your files.
To receive your decryption program contact one of the emails:
1. tuyuljahat@hotmail.com
2. lucifer.fool@yandex.com
Just inform your identification ID and we will give you next instruction.
Your personal identification id: -'
In March 2017, a full year after these first attacks, it seems that this threat family has returned and, curiously, the SADStory Ransomware uses the Hotmail email address used in the initial attack. This email address has already been used in three different attacks. However, none of the most recent threat creations in this threat family have been capable of infecting computer users in the real world. Apart from this, due to a flawed implementation of the Hidden Tear ransomware engine, PC security researchers are confident that the files encrypted in the SADStory Ransomware attack can be recovered in many cases. Overall, it is clear that the people responsible for the SADStory Ransomware attacks are not skilled or experienced particularly, lacking the resources to carry out high-profile ransomware campaigns as seen with other players in the ransomware landscape.
Protecting Your Computer from Threats Like the SADStory Ransomware
PC security researchers strongly advise computer users to install a reliable security program that is fully up-to-date. This can help intercept attacks like the SADStory Ransomware before they carry out their encryption routines. Most importantly, it is essential to have file backups. If computer users have backup copies of their files, then the people responsible for attacks like the SADStory Ransomware lose any power they have over the victim, since the victim can recover the affected files from a backup after deleting the encrypted copies easily.
SpyHunter Detects & Remove SADStory Ransomware
File System Details
| # | File Name | MD5 |
Detections
Detections: The number of confirmed and suspected cases of a particular threat detected on
infected computers as reported by SpyHunter.
|
|---|---|---|---|
| 1. | file.exe | 22b66d1928db181ac6e6d6af7ea6bd8f | 2 |
Submit Comment
Please DO NOT use this comment system for support or billing questions. For SpyHunter technical support requests, please contact our technical support team directly by opening a customer support ticket via your SpyHunter. For billing issues, please refer to our "Billing Questions or Problems?" page. For general inquiries (complaints, legal, press, marketing, copyright), visit our "Inquiries and Feedback" page.