
SADStory Ransomware

Posted: March 28, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 9
First Seen: March 28, 2017
Last Seen: April 11, 2022
OS(es) Affected: Windows


The SADStory Ransomware is believed to be an update to the CryPy Ransomware, a Python-based Trojan that can block your files with data-encrypting attacks. Both Trojans share the ability to prevent you from using a comprehensive range of file formats in their attempt to force you into paying ransoms. PC owners without backups should consider implementing them, along with anti-malware protection that would delete the SADStory Ransomware during its disguised install attempts.

A Story that's as Old as the Internet

Similarities between Trojans can be coincidental, but when circumstantial evidence like the choice of coding language, C&C servers, and e-mail addresses all align, the two threats most likely have a relationship. Recently, malware researchers saw a new campaign deploying a file-encrypting Trojan through fake Microsoft downloads. The Trojan in question, the SADStory Ransomware, shares all of those traits with the old CryPy Ransomware, making a case for the SADStory Ransomware being a direct update.

The campaign's current infection vector hides inside a fake Windows Store link that redirects the victim to a compromised website. Initially, the link appears to lead to a download of a PDF document that gives the reader help with acquiring Microsoft Office for free. This file is a disguised installer for the SADStory Ransomware.

The SADStory Ransomware, like its ancestor the CryPy Ransomware, scans for dozens of diverse formats, including backups, pictures, compressed archives, movies, tax information databases, documents and other content. Compared to most file-encrypting Trojan families, malware analysts note that the SADStory Ransomware includes more specialized formats, potentially making it suitable for attacking business servers. It encrypts every file that matches the list and gives each one the '.sad' extension.

Like most file-encrypting Trojans of this month, the SADStory Ransomware delivers its extortion messages through a text note that it places on your Windows desktop. The SADStory Ransomware continues using the same, basic format of threats that its predecessor also profited from, including the same warning of deleting your files after a few hours.

Waving the Sadness Away from Your Files

The SADStory Ransomware's authors have done more than merely update the CryPy Ransomware's name and contact addresses; the SADStory Ransomware also makes use of previously underutilized features in the original program. This upgrade could allow con artists to exploit RDP settings and control the infected PC remotely. Malware analysts recommend that you disconnect an infected PC from the Internet as soon as possible, to prevent the above, and other, network-based security issues deriving from this threat.

Free decryptors sometimes can recover the data that Trojans like the SADStory Ransomware encode. However, freeware decryption software isn't always available and, likewise, con artists may not honor the agreements that they force their victims into making under duress. Having a recent backup to restore your files from is the easiest workaround to the SADStory Ransomware's payload, which may not be otherwise recoverable.

Even without its file-deleting bluffs, the SADStory Ransomware is a renewal of a very real danger to any PC with important files or an active Internet connection. Anyone without a backup will want, particularly, to invest in anti-malware protection and delete the SADStory Ransomware preemptively, even if its download looks like something other than what it is.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:



File name: file.exe
Size: 6.29 MB (6293969 bytes)
MD5: 22b66d1928db181ac6e6d6af7ea6bd8f
Detection count: 5
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: April 11, 2022
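
A triage sketch built on the indicators this page lists (the '.sad' extension, and the MD5 and size of file.exe). It is an added example, not code from the original write-up; the function names and the directory to scan are assumptions, and a '.sad' file name is only a lead that needs confirmation.

```python
import hashlib
import os
import sys

# Indicators taken from this page; everything else here is an assumption.
ENCRYPTED_EXT = ".sad"
DROPPER_MD5 = "22b66d1928db181ac6e6d6af7ea6bd8f"
DROPPER_SIZE = 6293969  # bytes


def md5_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files are never loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage(root, md5=DROPPER_MD5, size=DROPPER_SIZE):
    """Walk root; return renamed files, sample matches and unreadable paths."""
    report = {"encrypted": [], "dropper": [], "errors": []}
    on_err = lambda e: report["errors"].append(e.filename)
    for dirpath, _dirs, files in os.walk(root, onerror=on_err):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if name.lower().endswith(ENCRYPTED_EXT):
                    report["encrypted"].append(path)
                # Size check first: only hash files that could be the sample.
                elif os.path.getsize(path) == size and md5_of(path) == md5.lower():
                    report["dropper"].append(path)
            except OSError:
                report["errors"].append(path)
    return report


if __name__ == "__main__":
    result = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    for kind in ("dropper", "encrypted", "errors"):
        for p in result[kind]:
            print(f"{kind}\t{p}")
    # Non-zero exit lets a wrapper script or scheduler flag the host.
    sys.exit(1 if result["dropper"] or result["encrypted"] else 0)
```

The hash match only identifies the exact sample recorded above; a rebuilt or repacked installer will have a different MD5, so the list of '.sad' files is the more durable signal of impact.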