
Save Ransomware

Posted: July 10, 2019

The Save Ransomware is a file-locking Trojan from the Dharma Ransomware family. These threats are known for blocking media-related content with secure encryption, creating ransom notes that sell their unlocking help, and removing local backup information. Users can save backups to other, more secure devices for their recovery needs, and always should delete the Save Ransomware with a professional anti-malware program.

A Savior of Criminal Finances

Out of the many file-locking Trojans of 2019, Ransomware-as-a-Service remains a trait in common with most, if not all, samples. As freeware equivalents like Hidden Tear's CROWN Ransomware become scarcer, criminals turn to for-hire models like RaaS and the Dharma Ransomware family. The Save Ransomware is the latest evidence of that well-trod business strategy's ongoing fiscal viability, at least for the family's maintainers.

Locking files with encryption is the signature characteristic of the Save Ransomware's family, which includes varying members from different renters, such as the recent Crash Ransomware and the Dqb Ransomware, or the older .frendi Ransomware and the 'newsantaclaus@aol.com' Ransomware. The attack uses RSA-secured AES encryption to stop files from opening by converting them into encrypted data, and the Save Ransomware visually marks them with an additional 'save' extension. It also inserts an e-mail address into the filename, which malware experts believe is the usual promotion of a ransom-negotiating account.

The payload also accounts for any local backups by using shell commands for deleting the Shadow Volume Copies. Such an attack places Windows Restore Points out of bounds for restoring any files. Consequently, it pushes victims into considering the threat actor's ransom-based service, with terms that he may or may not follow.
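The two behaviours described above, deleting Shadow Volume Copies via shell commands and mass-renaming files to a 'save' extension, are both visible in endpoint process and file telemetry. The following detection script is an added example written for this page; it is not code from the article or from any vendor product. The log sample is constructed, Sysmon-style JSON lines, and the field names (`event`, `pid`, `image`, `cmdline`, `target`), the rename-burst threshold, and the command-line patterns are assumptions chosen for illustration.

```python
"""Detect Dharma-style local-backup removal and extension-rename bursts.

Added example for illustration. The log below is a constructed, Sysmon-like
JSON-lines sample; its field names are assumptions, not a real schema.
"""
import json
import re
from collections import Counter

# Command lines that wipe Volume Shadow Copies (the local-backup removal the
# article describes). Case-insensitive; 'vssadmin list shadows' must NOT match.
SHADOW_WIPE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]

RANSOM_EXT = ".save"           # extension named in the article
RENAME_BURST_THRESHOLD = 5     # renames by one process before alerting (assumption)

# Constructed sample telemetry. PID 4242 renames six files to .save (alert),
# PID 9 renames two (below threshold), PID 700 does a benign .bak rename.
SAMPLE_LOG = r"""
{"event": "ProcessCreate", "pid": 1201, "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin list shadows"}
{"event": "ProcessCreate", "pid": 4242, "image": "C:\\Users\\Public\\payload.exe", "cmdline": "payload.exe"}
{"event": "ProcessCreate", "pid": 4250, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"}
{"event": "ProcessCreate", "pid": 4251, "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "cmdline": "wmic shadowcopy delete"}
{"event": "FileRename", "pid": 700, "target": "C:\\Users\\alice\\report.docx.bak"}
{"event": "FileRename", "pid": 700, "target": "C:\\Users\\alice\\old.save.txt"}
{"event": "FileRename", "pid": 4242, "target": "C:\\Users\\alice\\report.docx.save"}
{"event": "FileRename", "pid": 4242, "target": "C:\\Users\\alice\\budget.xlsx.save"}
{"event": "FileRename", "pid": 4242, "target": "C:\\Users\\alice\\photo.jpg.save"}
{"event": "FileRename", "pid": 4242, "target": "C:\\Users\\alice\\notes.txt.save"}
{"event": "FileRename", "pid": 4242, "target": "C:\\Users\\alice\\thesis.pdf.save"}
{"event": "FileRename", "pid": 4242, "target": "C:\\Users\\alice\\video.mp4.SAVE"}
{"event": "FileRename", "pid": 9, "target": "C:\\Users\\bob\\archive.zip.save"}
{"event": "FileRename", "pid": 9, "target": "C:\\Users\\bob\\music.mp3.save"}
"""


def parse_events(text):
    """Return one dict per non-empty JSON line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def detect_shadow_wipe(events):
    """Return (pid, cmdline) for every process creation that deletes shadow copies."""
    hits = []
    for ev in events:
        if ev.get("event") != "ProcessCreate":
            continue
        cmd = ev.get("cmdline", "")
        if any(p.search(cmd) for p in SHADOW_WIPE_PATTERNS):
            hits.append((ev.get("pid"), cmd))
    return hits


def detect_extension_burst(events, ext=RANSOM_EXT, threshold=RENAME_BURST_THRESHOLD):
    """Return {pid: count} for processes renaming >= threshold files to `ext`."""
    counts = Counter()
    for ev in events:
        if ev.get("event") != "FileRename":
            continue
        if ev.get("target", "").lower().endswith(ext.lower()):
            counts[ev.get("pid")] += 1
    return {pid: n for pid, n in counts.items() if n >= threshold}


def analyze(text):
    """Run both detections over a JSON-lines log and return the findings."""
    events = parse_events(text)
    return {
        "shadow_wipe": detect_shadow_wipe(events),
        "extension_bursts": detect_extension_burst(events),
    }


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

Running the script on the constructed sample flags the two shadow-copy deletion commands (PIDs 4250 and 4251) and the rename burst from PID 4242, while the benign `vssadmin list shadows` call and the two-file rename from PID 9 stay quiet. The shadow-copy patterns are a reliable, high-confidence signal on their own; the rename-count rule is a noisier heuristic whose threshold should be tuned against normal file activity on the monitored hosts.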

Saving What's Yours from Trojan Interference

All the early samples of the Save Ransomware are in various security databases and threat-analyzing environments, and malware experts can't confirm infections against the public. However, most versions of the Dharma Ransomware are fully functional and require little more than updated addresses and text strings to become fit for another campaign. The family's latest encryption routine is also secure enough that no free decryptor can reverse the media-related effects of an attack.

Along with keeping a well-maintained backup, malware experts advise users to take multiple steps to keep their infection susceptibility as low as possible. Server administrators should disable RDP or secure it with unique credentials, use strong passwords, and update software that could harbor download- or code-execution-oriented exploits. Regular users can scan e-mail links and attachments for any dangers and practice safe browsing behavior, such as disabling JavaScript.

Most, if not all, anti-malware products by major companies are identifying and deleting the Save Ransomware correctly, and are ideal as disinfection solutions.

Despite its name, the Save Ransomware takes from the victimized PC's owner rather than saving anything. Whether you lose data or money, the price is one you shouldn't pay, since it is so easily avoidable.
