Sarut ransomware is malware that silently infects a PC and encrypts the documents, photos and music stored on its disks. While encrypting, it renames every encrypted file so that it has the .sarut file extension.
The .Sarut ransomware is a variant of crypto viruses. It affects all current versions of Windows, including Windows 10, Windows 8, Windows 7, Windows Vista and Windows XP. This ransomware uses a hybrid encryption mode, which rules out brute-forcing a key that would decrypt the encrypted documents, photos and music. The Sarut ransomware encrypts almost all file types, including common ones such as:
.sidn, .3ds, .odc, .7z, .xar, .raf, .ztmp, .dbf, .zdc, .vdf, .xx, .mdbackup, .ntl, .vpp_pc, .3fr, .wb2, .wma, .t13, .mlx, .xxx, .wpt, .blob, .dba, .dcr, .kf, .pem, .yml, .wbk, .dwg, .0, .zip, .mdf, .wpl, .sidd, .wbm, .mddata, .iwi, .wbd, .wri, .yal, .fsh, .pkpass, .rgss3a, .sis, .wpb, .qic, .cfr, .wp, .ltx, .crt, .pdd, .gho, .vtf, .wmv, .lvl, .slm, .1st, .bc7, .sum, .snx, .hplg, .ptx, .t12, .flv, .dng, .xlsx, .gdb, .bik, .mpqge, .wdb, .rw2, .sb, .xlsm, .webdoc, .wn, .mov, .avi, .mp4, .rar, .xbdoc, .re4, .d3dbsp, .xyw, .ws, .wbc, .docm, .p12, .m4a, .icxs, .xlk, .ff, .bkf, .mrwref, .ncf, .wp4, .cr2, .forge, .vcf, .zdb, .rtf, .itm, .bc6, .lrf, .hvpl, .ppt, .m3u, .accdb, .jpeg, .sr2, .rb, .tor, .wsd, .mef, .hkdb, .docx, .mcmeta, .erf, .ybk, .x3d, .wot, .sid, .mdb, .cas, .wsh, .psk, .rwl, .xlsm, .crw, .pfx, .z3d, .zw, .dmp, .doc, .wbmp, .bkp, .fos, .svg, .pak, .wmd, .wpa, .p7b, .der, .odp, .wp7, .db0, .pdf, .fpk, .bsa, .xls, .srf, .dxg, .dazip, .zi, .arch00, .map, .jpe, .wmf, .itdb, .hkx, .lbf, .kdc, .sql, .kdb, .orf, .3dm, .apk, .png, .css, .zabw, .wps, .wm, .syncdb, .wsc, .ai, .zif, .wp5, .vpk, .2bp, .xlsx, .eps, .x3f, .x, .xml, .w3x, .csv, .epk, .wcf, .xyp, .upk, .xmind, .wotreplay, .wpe, .esm
Once a file is encrypted, its extension is changed to .sarut. Next, the ransomware drops a file named ‘_readme.txt’. This file contains instructions on how to decrypt the encrypted photos, documents and music. One variant of the ransom note is shown below:
ATTENTION! Don't worry my friend, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-1aTCryfzhK Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: vengisto@firemail.cc Reserve e-mail address to contact us: gorentos@bitmessage.ch
Threat Summary
Name | .Sarut ransomware |
Type | Ransomware, Filecoder, Crypto virus, File locker |
Contact Emails | vengisto@firemail.cc, gorentos@bitmessage.ch |
Ransom note | _readme.txt |
Symptoms |
|
Removal | To remove .Sarut ransomware use the removal guide |
Decryption | To decrypt .Sarut ransomware use the steps |
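The indicators summarized above (the .sarut extension and the _readme.txt note with its contact addresses) are enough to measure how far the encryption reached before you start cleaning or restoring. The following Python script is an added example, not part of the original guide. It walks a folder read-only and lists encrypted files, ransom notes, and which original file types were lost. The function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".sarut"      # extension appended to encrypted files (from this page)
NOTE_NAME = "_readme.txt"     # ransom note file name (from this page)
NOTE_MARKERS = ("vengisto@firemail.cc", "gorentos@bitmessage.ch")  # from the note

def is_ransom_note(path):
    """True if the file quotes a contact address from the ransom note."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read(65536).lower()
    except OSError:
        return False
    return any(marker in text for marker in NOTE_MARKERS)

def triage(root):
    """Read-only walk of root: encrypted files, ransom notes, lost file types."""
    report = {"encrypted": [], "notes": [], "lost_by_ext": Counter(), "other": 0}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                original = name[: -len(ENCRYPTED_EXT)]        # e.g. report.docx
                ext = os.path.splitext(original)[1].lower() or "(none)"
                report["encrypted"].append(path)
                report["lost_by_ext"][ext] += 1
            elif name.lower() == NOTE_NAME and is_ransom_note(path):
                report["notes"].append(path)
            else:
                report["other"] += 1   # includes harmless files named _readme.txt
    return report

def build_sample_tree(root):
    """Constructed sample data: two encrypted files, one note, two other files."""
    note = "To get this software you need write on our e-mail: vengisto@firemail.cc"
    for rel, body in [("Docs/report.docx.sarut", "x"), ("Pics/cat.JPG.sarut", "x"),
                      ("Docs/_readme.txt", note), ("Tools/_readme.txt", "Build notes"),
                      ("Docs/notes.txt", "still readable")]:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(triage(tmp))
```

To scan a real location, call triage() with that folder; the lost_by_ext counts tell you which file types to look for later in shadow copies or recovery-tool output.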
We suggest removing the .Sarut ransomware as soon as possible, before its presence leads to even worse consequences. Follow the step-by-step guide below to completely remove the .Sarut ransomware from your system and to recover (decrypt) encrypted documents, photos and music, using only a few free utilities.
Quick links
- How to remove .Sarut ransomware virus
- How to decrypt .sarut files
- Use STOPDecrypter to decrypt .sarut files
- How to restore .sarut files
- How to protect your PC from .Sarut ransomware?
- To sum up
How to remove .Sarut ransomware virus
To delete the .Sarut ransomware from your machine, you need to stop all of its processes and delete its associated files, including Windows registry entries. If any ransomware components are left on the computer, the ransomware can reinstall itself the next time the computer boots. Such malware usually uses random names made up of letters and numbers, which makes manual removal very difficult. We advise using free ransomware removal tools to remove the .Sarut ransomware from your computer. Below are a few popular malware removers that detect various ransomware.
How to remove .Sarut ransomware with Zemana Anti-malware
We recommend Zemana Anti-malware, which can completely clean your PC of this ransomware. The tool can also remove potentially unwanted apps, malware, trojans and adware that may be on your computer.
Installing Zemana is simple. First, download Zemana Free to your Windows Desktop from the link below.
When the download is finished, run it and follow the prompts. Once installed, Zemana Free will try to update itself; when this is done, press the “Scan” button to scan the system for files, folders and registry keys related to the .Sarut ransomware.
This procedure can take some time, so please be patient. When malware, adware or PUPs are detected, the number of security threats shown changes accordingly. Wait until the scan is done. Make sure all items have a ‘checkmark’ and click the “Next” button.
Zemana Anti Malware (ZAM) will delete the files, folders and registry keys related to the .Sarut ransomware and move the threats to the program’s quarantine.
Use MalwareBytes to remove Sarut ransomware virus
You can remove the Sarut ransomware automatically with the help of MalwareBytes. We suggest this free malware removal utility because it can easily remove ransomware, adware, malicious software and other unwanted applications along with all their components, such as files, folders and registry entries.
Installing MalwareBytes Free is simple. First, download MalwareBytes Anti-Malware from the following link.
After the download is done, close all software and windows on your machine. Open the directory in which you saved it and double-click the icon named mb3-setup.
When the setup begins, you’ll see the “Setup wizard” that will help you install Malwarebytes on your computer.
Once the installation is done, you will see the program window.
Now click the “Scan Now” button to scan the system for the Sarut ransomware. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your machine and the speed of your computer. While the utility is scanning, you can see the number of objects and files that have already been scanned.
After the scan is completed, you can review all threats found on your PC. To remove all items, simply click the “Quarantine Selected” button.
Malwarebytes will now start removing the Sarut ransomware and other kinds of potential threats such as trojans and worms. Once the task is complete, you may be prompted to reboot your computer.
Get rid of .Sarut ransomware virus from system with KVRT
If MalwareBytes or Zemana cannot remove this ransomware, we suggest running KVRT. KVRT is a free removal utility for ransomware, adware, PUPs and toolbars.
Download Kaspersky virus removal tool (KVRT) by clicking on the following link.
Once the download is finished, double-click the KVRT icon. Once initialization is finished, you will see the Kaspersky virus removal tool screen.
Click Change Parameters and check all your drives. Click OK to close the Parameters window. Next, press the Start scan button to locate the .Sarut ransomware. This process can take some time, so please be patient. When malware, adware or PUPs are found, the number of security threats shown changes accordingly. Wait until the scan is finished.
After the scan is completed, KVRT will show a screen that lists the malware that has been found.
You can remove the items (move them to Quarantine) by clicking Continue to start the cleaning procedure.
How to decrypt .sarut files
The .Sarut ransomware uses a hybrid encryption mode. This means that decrypting the files is impossible without the private key. Brute forcing is not an option either, because of the length of the key. Therefore, unfortunately, paying the creators of the .Sarut ransomware the entire amount requested is the only way to try to get the decryption key and decrypt all your files.
There is absolutely no guarantee that, after you pay a ransom to the creators of the .Sarut ransomware, they will provide the key needed to decrypt your files. In addition, you must understand that by paying the cyber criminals you are encouraging them to create new ransomware.
With some variants of Sarut ransomware, it is possible to decrypt or restore encrypted files using free tools such as STOPDecrypter, ShadowExplorer and PhotoRec.
Use STOPDecrypter to decrypt .sarut files
Michael Gillespie (@) released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).
STOPDecrypter has been updated to include decryption support for the following .djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos). STOPDecrypter will work for any extension of the Djvu* variants including new extensions (.sarut).
Please check the twitter post for more info.
How to restore .sarut files
In some cases, you can restore files encrypted by the .Sarut ransomware. Try both methods. It is important to understand that we cannot guarantee that you will be able to recover all encrypted photos, documents and music.
Run ShadowExplorer to recover .sarut files
An alternative is to recover .sarut files from their Shadow Copies. Shadow Volume Copies are copies of files and folders that MS Windows 10 (8, 7 and Vista) automatically saves as part of system protection. This feature is fantastic at rescuing personal files that were damaged by the .Sarut ransomware. The tutorial below will give you all the details.
ShadowExplorer can be downloaded from the following link. Save it on your Desktop.
When the download is complete, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder.
Launch the ShadowExplorer utility and then choose the disk (1) and the date (2) of the shadow copy from which you wish to restore the file(s) encrypted by the .Sarut ransomware.
Now navigate to the file or folder that you wish to restore. When ready, right-click it and click the ‘Export’ button.
Run PhotoRec to restore .sarut files
Before a file is encrypted, the .Sarut ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your documents, photos and music using file recovery applications like PhotoRec.
Download PhotoRec on your personal computer by clicking on the following link.
Once the download is finished, open the directory in which you saved it. Right-click testdisk-7.0.win and choose Extract all. Follow the prompts. Next, open the testdisk-7.0 folder.
Double-click qphotorec_win to run PhotoRec for MS Windows. The PhotoRec window will open.
Select a drive to recover.
You will see a list of available partitions. Choose the partition that holds the encrypted files.
Click the File Formats button and specify the file types to restore. You can enable or disable the recovery of certain file types. When this is done, click the OK button.
Next, click the Browse button to choose where restored documents, photos and music should be written, then click Search.
The count of recovered files is updated in real time. All restored files are written to the folder that you chose in the previous step. You can access the files even before the restore process is finished.
When the restore is done, click the Quit button. Next, open the directory where the restored personal files are stored.
All restored personal files are written to recup_dir.1, recup_dir.2 … sub-directories. If you’re looking for a specific file, you can sort your recovered files by extension and/or date/time.
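Sorting by hand gets slow once the recup_dir.N folders hold thousands of files. The Python script below is an added example, not part of the original guide or of PhotoRec. It indexes every recup_dir.N folder under the destination you chose, groups the files by extension, and orders each group by modification time, optionally keeping only the file types you lost. The function names, the sample file names and their timestamps are constructed for illustration.

```python
import os
import re
import tempfile

RECUP_DIR = re.compile(r"^recup_dir\.\d+$")   # PhotoRec output folders named on this page

def index_recovered(dest, wanted_exts=None):
    """Map extension -> [(mtime, size, path)] over dest/recup_dir.N, newest first.
    wanted_exts: optional set such as {".docx", ".jpg"}; None keeps every type."""
    index = {}
    for entry in os.listdir(dest):
        folder = os.path.join(dest, entry)
        if not (RECUP_DIR.match(entry) and os.path.isdir(folder)):
            continue                       # ignore anything that is not recup_dir.N
        for name in os.listdir(folder):
            path = os.path.join(folder, name)
            ext = os.path.splitext(name)[1].lower()
            if not os.path.isfile(path) or (wanted_exts and ext not in wanted_exts):
                continue
            info = os.stat(path)
            index.setdefault(ext, []).append((info.st_mtime, info.st_size, path))
    for rows in index.values():
        rows.sort(reverse=True)            # newest modification time first
    return index

def build_sample_output(dest):
    """Constructed sample: two recup_dir folders with fixed modification times."""
    sample = {
        "recup_dir.1/f0001024.jpg": 1_560_000_000,
        "recup_dir.1/f0002048.docx": 1_561_000_000,
        "recup_dir.2/f0004096.jpg": 1_562_000_000,
        "recup_dir.2/f0008192.txt": 1_563_000_000,
        "notes/readme.jpg": 1_564_000_000,   # outside recup_dir.N, must be skipped
    }
    for rel, mtime in sample.items():
        path = os.path.join(dest, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * 16)
        os.utime(path, (mtime, mtime))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_output(tmp)
        for ext, rows in sorted(index_recovered(tmp, {".jpg", ".docx"}).items()):
            print(ext, [os.path.basename(p) for _, _, p in rows])
```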
How to protect your PC from .Sarut ransomware?
Most antivirus software already has built-in protection against ransomware. Therefore, if your machine does not have an antivirus program, make sure you install one. As extra protection, use HitmanPro.Alert.
Use HitmanPro.Alert to protect your PC system from .Sarut ransomware
HitmanPro.Alert is a small security utility. It can check system integrity and alert you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
Visit the page linked below to download HitmanPro Alert. Save it to your Desktop so that you can access the file easily.
After the download is finished, open the file location.
Double-click the HitmanPro Alert desktop icon. Once the utility has started, you’ll be shown a window where you can choose a level of protection.
Now click the Install button to activate the protection.
To sum up
After completing the step-by-step guide outlined above, your personal computer should be clean of the .Sarut ransomware and other malware. Your computer will no longer encrypt your personal files. Unfortunately, if the instructions do not help you, then you have caught a new variant of the ransomware, and the best course is to ask for help here.