!SATANA! Ransomware Uninstall

I wrote this article to help you remove !SATANA! Ransomware. This !SATANA! Ransomware removal guide works for all Windows versions.

!SATANA! ransomware is a hybrid win-locker. The authors of the nefarious program have borrowed codes from existing ransomware viruses – Petya and Mischa. These two infections belong to the same developer, a cyber criminal from Germany. There is no confirmed information on whether or not the creators of !SATANA! ransomware have collaborated with him in any way or they simply stole his codes. The latter seems more likely, as cyber thieves do not tend to share ideas or split bounties. The concept of !SATANA! ransomware, although trivial, is much different from the presentation of Petya and Mischa. The malignant program introduces itself as a FS bootkit virus. Its origin is rumored to be Bosnia and Herzegovina, though this has not been disclosed. The ultimate purpose behind !SATANA! ransomware is to collect ransom payments. The usual methods apply.

How does !SATANA! ransomware operate?

The win-locker encrypts most of the files on the targeted computer and demands a ransom to unlock them. !SATANA! ransomware deploys the AES and RSA technologies to perform the encryption. The AES cipher is used to encrypt files and generate a unique decryption key while the RSA encrypts the key and sends it to a remote server. The names of the encrypted files are changed. The virus appends a prefix to the original file names. It contains an email address, followed by an underscore. The hackers behind !SATANA! ransomware have registered the following email accounts: banetnatia@mail.com, gricakova@techemail.com, sarah_g@ausi.com, megrela777@gmail.com, matusik11@techemail.com, ryanqw31@gmail.com and rayankirr@gmail.com.

Remove !SATANA! Ransomware
The !SATANA! Ransomware

To notify the victim of its actions, !SATANA! ransomware drops a ransom note titled !satana!.txt on the desktop. The message states: “You had bad luck. There was crypting of all your files”. You will be required to pay a ransom of 0.5 bitcoins to have them decrypted. At present, this amounts to $324.42 USD. Note that the exchange rates change on a daily basis. The bitcoin is a cryptocurrency, created to process transactions online. It fluctuates like traditional monetary currencies. The hackers behind the win-locker have selected this means of payment because it protects their anonymity. Cryptocurrency platforms do not enable tracing. The decryptor !SATANA! ransomware creates works for 7 days.

Another property of !SATANA! ransomware is locking the operating system (OS). This function is advanced. It is not typical for all ransomware infections. The virus will limit your access to your PC, including the Internet access. This is done to prevent people from finding an alternative solution and taking actions. In addition, !SATANA! ransomware threatens users that tampering with the software would result in their files becoming impossible to decrypt. Do not allow these scare tactics to get to you. Paying the ransom is not a guarantee. There are many instances of cyber criminals collecting the sum and not providing the decryption key afterwards.

How is !SATANA! ransomware distributed?

!SATANA! ransomware is contacted through spam emails. Program obfuscators are often involved in spreading the win-locker. Whether or not there is an intermediary, the main element in the transferal is an attached file. The attachment contains the malicious software. Opening the file is enough to initiate the download and installation of the win-locker. You should handle your in-box items with the utmost caution. Spammers often write on behalf of existing companies and entities to make the message look convincing. To proof the reliability of an electronic letter, check the sender’s contacts. Above all, his email address. If he is an actual representative of a given organization, he would have used an official email account to contact you.

!SATANA! Ransomware Removal

Method 1: Restore your encrypted files using ShadowExplorer
Usually, !SATANA! Ransomware deletes all shadow copies, stored in your computer. Luckily, the ransomware is not always able to delete the shadow copies. So your first try should be restoring the original files from shadow copies.

  1. Download ShadowExplorer from this link: http://www.shadowexplorer.com/downloads.html.
  2. Install ShadowExplorer
  3. Open ShadowExplorer and select C: drive on the left panelshadowexplorer
  4. Choose at least a month ago date from the date field
  5. Navigate to the folder with encrypted files
  6. Right-click on the encrypted file
  7. Select “Export” and choose a destination for the original file

Method 2: Restore your encrypted files by using System Restore

  1. Go to Start –> All programs –> Accessories –> System tools –> System restore
  2. Click “Nextsystem restore
  3. Choose a restore point, at least a month ago
  4. Click “Next
  5. Choose Disk C: (should be selected by default)
  6. Click “Next“. Wait for a few minutes and the restore should be done.

Method 3: Restore your files using File Recovery Software
If none of the above method works, you should try to recover encrypted files by using File Recovery Software. Since !SATANA! Ransomware first makes a copy of the original file, then encrypts it and deletes the original one, you can successfully restore the original, using a File Recovery Software. Here are a few free File Recovery Software programs:

  1. Recuva
  2. Puran File Recovery
  3. Disk Drill
  4. Glary Undelete

Leave a Comment

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.