Sarut Ransomware

What is Sarut Ransomware?

You might be unable to pinpoint the moment that the devious Sarut Ransomware slithered into your operating system, but if that is what has happened, you must have discovered that your personal files were encrypted. That means that the data was ciphered, and now you cannot read the files. Unfortunately, cybercriminals have found a way to encrypt your own documents, photos, and other kinds of personal files, and they are doing that to extort money. The goal is to make you pay a ransom in return for a decryptor that, allegedly, could restore all files. Isn’t that convenient? The attackers encrypt files and then offer a decryption tool in return for some money. Unfortunately, offers and promises made by cybercriminals cannot be trusted. If you succumb to their demands, you will waste $490 (or $980), and your files will remain encrypted. What if you delete Sarut Ransomware? Will your files be restored then? Unfortunately, that is not how file-encryptors work. That being said, the removal of this infection is crucial.

How does Sarut Ransomware work?

According to our experts in the Anti-Spyware-101.com internal lab, Sarut Ransomware is a clone of STOP Ransomware. STOP Ransomware is the original threat, and it was first discovered several years ago. Since its emergence, hundreds of clones have come up as well, including Ooss Ransomware, Nppp Ransomware, and Righ Ransomware. All of these threats look and work the same, and while that is mostly because they were created using the same malware code, it is also likely that the same attackers have released all variants. We are making this connection because of the email addresses that are included in the ransom notes dropped by these infections. We have seen a bunch of interchangeable email addresses, and many of them repeat throughout the ransom notes that belong to different variants. Other than that, the only difference between Sarut Ransomware and its clones is the extension that is appended to the corrupted files. This specific threat adds the “.sarut” extension.

All STOP Ransomware clones drop a file named “_readme.txt.” The message inside is always the same, but the email addresses listed at the bottom, as we mentioned already, can change. Sarut Ransomware introduces vengisto@firemail.cc and gorentos@bitmessage.ch email addresses. It also adds a Telegram contact (@datarestore), which seems to be a new development. The attackers want you to contact them so that they can instruct you to pay a ransom of $490. The original ransom note explains that only if you pay the ransom can you obtain a decryptor that supposedly can restore all files. However, payment details are not revealed. So, if you are thinking about paying the ransom, you might think that you have no other option but to initiate communication with the attackers. Of course, we do not recommend doing that because the attackers can flood you with misleading emails, and you are unlikely to get a decryptor in return. The good news is that a free STOP Decryptor exists, and it might help you with the encryptor of Sarut Ransomware as well. If that does not work, perhaps you can replace the corrupted files with copies stored outside the computer after you remove the malicious infection?

How to delete Sarut Ransomware

Sarut Ransomware is a dangerous infection because it encrypts personal files. The decryptor offered by the attackers is bogus, and we cannot guarantee that all victims will be able to employ the free STOP Decryptor successfully. If backup copies exist outside the infected computer, they can be used to replace the encrypted files, but not all users will have copies. If all else fails, you lose the encrypted files. Hopefully, this will not happen again if you take care of your system’s protection immediately. We advise installing legitimate anti-malware software that will ensure that your entire operating system is guarded 24/7. Of course, you must do your part as well. Whether you remove Sarut Ransomware manually or using an automated tool, you also need to close the security backdoors that could have led to the invasion of this threat. That means that you should not visit unreliable websites, download from unreliable sources, open strange emails, or postpone system updates. Also, do not forget to ALWAYS back up personal files to ensure that copies exist just in case.

Removal Instructions

  1. Delete recently downloaded files that could be malicious.
  2. Press Win+E to open File Explorer and then enter %HOMEDRIVE% into the field at the top.
  3. Delete the _readme.txt file and the SystemID folder with PersonalID.txt inside.
  4. Enter %LOCALAPPDATA% into the field at the top.
  5. Delete the {random name} folder that contains a malicious {random name}.exe file.
  6. Empty Recycle Bin and then quickly perform a full system scan using a trusted malware scanner.
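
The checks behind steps 2 to 5 can be run as a read-only PowerShell triage before anything is deleted. This is an added example, not part of the original article; it only lists the artifacts named above, and treating an .exe without a valid Authenticode signature as a candidate for review is an assumption made here, not a claim from the article.

```powershell
# Added example: read-only triage for the artifacts named in the removal steps.
# It reports what it finds and deletes nothing.
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding($Kind, $Item, $Note) {
    $findings.Add([pscustomobject]@{
        Kind = $Kind; Path = $Item.FullName; Created = $Item.CreationTime; Note = $Note })
}

# Steps 2-3: ransom note and SystemID\PersonalID.txt directly under %HOMEDRIVE%.
foreach ($rel in '_readme.txt', 'SystemID\PersonalID.txt') {
    $path = Join-Path "$env:HOMEDRIVE\" $rel
    if (Test-Path -LiteralPath $path) {
        Add-Finding 'Note/ID file' (Get-Item -LiteralPath $path -Force) 'named in step 3'
    }
}

# Steps 4-5: the folder and .exe names are random, so list every .exe that sits
# directly inside a first-level folder of %LOCALAPPDATA%.
# Assumption (not from the article): files with a valid signature are skipped
# to keep the list short; everything else is shown for manual review.
Get-ChildItem -LiteralPath $env:LOCALAPPDATA -Directory -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        Get-ChildItem -LiteralPath $_.FullName -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue
    } |
    ForEach-Object {
        $status = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
        if ($status -ne 'Valid') { Add-Finding 'Executable' $_ "signature: $status" }
    }

# Scope of the damage: files carrying the ".sarut" extension in the user profile.
$encrypted = @(Get-ChildItem -LiteralPath $env:USERPROFILE -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -eq '.sarut' })

# Oldest first: creation times that cluster together point at the infection window.
$findings | Sort-Object Created | Format-Table Kind, Created, Note, Path -AutoSize -Wrap
'{0} file(s) with the .sarut extension under {1}' -f $encrypted.Count, $env:USERPROFILE
```

An unsigned executable in this list is not proof of infection; compare its creation time with that of `_readme.txt` and confirm with the full scan from step 6 before deleting anything.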