
SARansom Ransomware

By GoldSparrow in Ransomware

The SARansom Ransomware is a generic encryption Trojan that was recognized by malware researchers on August 15th, 2018. The payload is delivered through malspam (corrupted emails) carrying a macro-enabled Microsoft Word file. The attached document installs the SARansom Ransomware in the background if you choose to enable 'Editing Mode' when loading the file. The SARansom Ransomware Trojan is dropped to the Temp folder and loaded into system memory as soon as its dependencies are verified on the local disk. The threat is designed to disable the native data recovery features in Windows and encipher targeted documents, videos, audio, images, eBooks and databases. The SARansom Ransomware uses custom AES and RSA ciphers to make sure the user's files are not recoverable without the correct decryption key. Affected data containers receive the '.enc' extension, so a file like 'The Pilot's Love Song.mp4' is renamed to 'The Pilot's Love Song.mp4.enc'. A ransom message named 'RANSOM_NOTE.txt' is saved to the user's desktop and reads:

'DDON'T PANIC!
Your files have been encrypted.
This most unpleasant situation can be solved, however.
For the low fee of 5 bitcoin (BTC), a decrypting program will be provided.
Bitcoin address for transfer:
1C9KikcqP62DoQowKuotEcBN16mcaijbVw
Send evidence of transfer to: TheLarnersour@gmail.com
A decryption program will be sent once the transfer is complete and verified.'

Do not contact the cybercriminals via the 'TheLarnersour@gmail.com' account. You may be promised that paying the exorbitant fee of 5 Bitcoin (≈32,169 USD/27,835 EUR) would allow you to recover your files, but that is not guaranteed. Removing the SARansom Ransomware should be a priority for affected users. The encryption utilized by the threat is considered secure, and you will need to restore backup copies of your files to resume normal operations. Running a combination of a good backup manager and a cybersecurity product in the background is a must if you intend to meet modern cyber threats like the SARansom Ransomware and the Scarab-Rent Ransomware. You may want to acquire a portable SSD/HDD that can be used to store your backups without direct access to the Internet and potentially compromised systems. Cloud storage services like SpiderOak may prove viable alternatives if you like to have Web access to your backups at all times.

AV companies flag related files under the following detection names:

Artemis!E756B5FE175E
Ransom_SAR.THHAFAH
Trojan ( 0053ab421 )
Trojan.Encoder.25853
Trojan.Ransom.REntS.Gen.1
Trojan.Tiggre!8.ED98 (CLOUD)
Trojan/Win32.Ransom.C2656110
W32/Trojan.OJQK-1011
Win32.Trojan.Filecoder.Ajva
Win32/Filecoder.NRT
