!SATANA! Ransomware Removal Guide

!SATANA! ransomware describes itself as an "FS bootkit virus". The nefarious program falls under the win-locker category. The origin of the virus has not been determined for certain. The speculation is that it was developed by hackers from Bosnia and Herzegovina. Security researchers have been able to isolate !SATANA! ransomware and analyze its code. The results were quite intriguing. It appears that this win-locker shares code with two earlier encryption viruses. Researchers assume that the developers of !SATANA! ransomware drew on what was known about Petya ransomware and Mischa ransomware, two viruses that are themselves closely related. The purpose of every win-locker is the same. It tries to raise proceeds for its creators by swindling PC users. !SATANA! ransomware will encrypt your files and ask for a ransom to make them accessible again. The clandestine program targets different file types. This includes, but is not limited to, the following: .doc, .docx, .html, .txt, .pdf, .ini, .ai, .xls, .xlsx, .ppt, .pptx, .asp, .aspx, .bat, .avi, .wmv, .mov, .mkv, .mpg, .mpeg, .flv, .ogg, .exif, .dng, .dmp, .wps, .xml, .wsc, .pfx, .pak, .exe, .ps1, .jpg, .jpeg, .gif, .png, .bmp, .tif, .tiff, .psd, .srf, .raw, .sln, .eps, .bdf, .dll, .zip, .rar, .bkp, .iff, .mdb, .db, .qic, .dat, .bin, .vb, .sct, .odt, .sql, .arw, .mp3, .wma, .wav, .flac, .mid, .sys, .js, .lnk, .m3u, .m4a, .csv, .crw. The win-locker requires users to pay a ransom to unlock them.

!SATANA! ransomware is spread through spam e-mails. The shady program hides behind attachments. The host file can be a text document, an image, an archive or a compressed folder. The win-locker can be transferred directly or through an exploit kit. !SATANA! ransomware disguises itself with the help of program obfuscators, which conceal the malicious code of the win-locker. Spammers have become quite skilled at devising fake messages. They can misrepresent a legitimate company or entity convincingly. To begin with, they will create an e-mail account which resembles the official electronic address of the organization. In the body of the letter, they will talk about a subject you would consider relevant. It can be about a delivery, a financial transaction, a bill, a fine or another legal issue. The message can be sent on behalf of a courier firm, the national post, a bank, a government branch or the police department. To check if the sender is who they claim to be, look up their contact details. The contact details of the firm or entity the sender claims to represent should match the information on its official website. The e-mail address is the best indicator. Be sure to do the checkup before opening files or following instructions from the e-mail.


!SATANA! ransomware uses a combination of the two most common encryption algorithms, RSA and AES. The AES cipher encrypts the files and creates a decryption key. The RSA cipher encrypts the key and sends it to a remote server, controlled by the hackers. When !SATANA! ransomware has finished encrypting your data, it will notify you of its actions. The insidious program displays a message on the desktop. It explains the situation and lists the demands of the cyber criminals. Although this message appears only once, the same information can be found in a ransom note. A copy of the note is placed in every folder containing encrypted files. The file is a document titled !satana!.txt. It is easy to recognize the affected files. !SATANA! ransomware changes the names of all encrypted items. The malevolent program uses the following formula: Gricakova@techemail.com_[original file name]. The people behind !SATANA! ransomware demand a ransom of 0.5 bitcoins. This amounts to $328.71 USD, according to the current exchange rate. After making the payment, you have to send an assigned private code to the hackers via e-mail at banetnatia@mail.com. Note that this address is different from the one used in the prefix of the renamed files.

An unusual trait which sets !SATANA! ransomware apart from other win-lockers is that it changes the system’s boot settings. The virus replaces the master boot record with a malicious loader. This allows the rogue program to restart the operating system (OS) at a certain interval. Because of this process, !SATANA! ransomware warns victims not to alter their hardware configurations. The cyber criminals give users a period of 7 days to pay the ransom. After this point, the decryptor cannot request a signature from the public certificate server.
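The renaming formula and the per-folder ransom note described above give two file-system indicators that can be used to inventory the damage before cleanup. The following is an added example, not part of the original guide: the function names `triage` and `build_sample_tree` are hypothetical, and the sample tree consists of constructed empty files that only mimic the naming.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the article text above.
RENAME_PREFIX = "Gricakova@techemail.com_"
NOTE_NAME = "!satana!.txt"

def triage(root):
    """Walk root and return (renamed, note_dirs, unexplained).

    renamed     -- {path of renamed file: original file name}
    note_dirs   -- folders that contain a ransom note
    unexplained -- folders with renamed files but no note (note deleted,
                   or encryption interrupted), worth a closer look
    """
    renamed, note_dirs, hit_dirs = {}, set(), set()
    for folder, _dirs, files in os.walk(root):
        for name in files:
            # Windows file names are case-insensitive, so compare lowered.
            if name.lower() == NOTE_NAME:
                note_dirs.add(Path(folder))
            elif name.lower().startswith(RENAME_PREFIX.lower()):
                original = name[len(RENAME_PREFIX):]
                if original:  # skip a file that is only the prefix
                    renamed[Path(folder) / name] = original
                    hit_dirs.add(Path(folder))
    return renamed, note_dirs, hit_dirs - note_dirs

def build_sample_tree(root):
    """Constructed sample data: empty files that only mimic the naming."""
    root = Path(root)
    for rel in ("docs/Gricakova@techemail.com_report.docx",
                "docs/!satana!.txt",
                "docs/untouched.log",
                "pics/gricakova@techemail.com_photo.jpg",
                "clean/notes.txt"):
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.touch()
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        renamed, notes, unexplained = triage(build_sample_tree(tmp))
        for path, original in sorted(renamed.items()):
            print(f"{path}  (was: {original})")
        print("ransom notes in:", sorted(p.name for p in notes))
        print("renamed files but no note in:", sorted(p.name for p in unexplained))
```

The resulting list of original file names is what you compare against backups or shadow copies when deciding what has to be restored.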

!SATANA! ransomware can be deleted with a professional antivirus program. You have to launch a full system scan. The process will uninstall the win-locker and delete all corrupted entries it has made in your system’s registry. For complete removal instructions, you can consult the guide below. Once you have removed the malignant program, you can attempt to recover your data. If you have a backup, you can use a tool called Shadow Explorer. It restores files from their shadow volume copies. The program is available for free download from its official website: shadowexplorer.com/downloads.

!SATANA! Ransomware Removal Instructions

Windows XP

1. Reboot your PC and press the F8 key.
2. Go to Windows Advanced Options, select Safe Mode with Networking and press Enter.
3. Type: http://www.xp-vista.com/download-instructions in the search bar of your web browser.
4. Download SpyHunter and install it on the computer.
5. Scan the system with the antimalware tool and erase any infected files and viruses.
6. Go to the Start Menu and then click Run.
7. Type “msconfig” in the search bar and click OK.
8. In the System Configuration Utility go to the “Startup” tab and select the option “Disable All”.
9. Press OK and reboot the PC.

Windows Vista and Windows 7

1. Reboot your PC and press the F8 key.
2. Go to Windows Advanced Options, select Safe Mode with Networking and press Enter.
3. Type: http://www.xp-vista.com/download-instructions in the search bar of your web browser.
4. Download SpyHunter and install it on your computer.
5. Scan the system with the antimalware program and erase any infected files and viruses.

Windows 8

1. Go to the Start menu and click on the Windows key.
2. Open the web browser.
3. Type: http://www.xp-vista.com/download-instructions in the search bar of your web browser.
4. Download SpyHunter and install it on your computer.
5. Scan the system with the antimalware tool and erase any infected files and viruses.
