Sadstory Ransomware Removal Guide

If your computer has become infected with Sadstory Ransomware, then you should know that it can encrypt most of your personal files and then demand that you pay an unspecified sum of money for the decryption program. The problem is, however, that its developers might not send you the decrypter if they choose so because it is sent via email. Therefore, we advise that you remove this computer infection and not comply with the demands of the developers because they are nothing more than cyber criminals. They will delete a random file permanently every 6 hours if you hesitate to pay. Also, if you do not pay within 96 hours they will delete the decryption key, and you will not be able to buy it. As you can see, Sadstory Ransomware is one nasty computer infection. To find out more about it, please read this article.

If your computer has become infected with this ransomware, then it is likely that it has already encrypted your files. We have found that it is part of the CryPy Ransomware family, so it must be set to use the AES-256 encryption algorithm with a 256-bit key. This encryption algorithm ensures a strong encryption and decrypting your files with a third-party decryption tool is not possible because such a tool has yet to be created. Sadstory Ransomware can be set to use a different key for each encrypted file and then send it to its command and control server.

Once the encryption process is complete, this ransomware will open a CMD window warning you about changing your account password. The text inside the CMD window reads “The password entered is longer than 14 characters. Computers with Windows prior to Windows 2000 will not be able to use this account. Do you want to continue this operation (Y/N) [Y]:” However, regardless of whether you click Y or N, nothing will change the fact your files were encrypted. Take note that, while encrypting your files, it will append them with the ".sad" file extension and also change the names of the encrypted files. Furthermore, it moves all encrypted files to a folder named __SAD STORY FILES__. Once all of this is done it drops a ransom note named SADStory_README_FOR_DECRYPT.txt on the desktop.

As mentioned in the introduction, if you hesitate to pay the ransom, then Sadstory Ransomware will delete one of your files every 6 hours, and if you do not pay within 96 hours, then the server will delete your unique decryption key, and you will not be able to purchase the decrypter. In order to pay the ransom, however, you need to message the developers via one of the two provided email addresses, and we are positive that they will ask you to pay the ransom in Bitcoins, but there is no way of knowing how much they will ask you to pay. However, you should know that the developers might not send you the decrypter if they do not feel like it.

We believe the developers of this ransomware might distribute it using various scam techniques such as malicious emails and exploit kits. Exploit kits are used on infected websites, and the websites are then injected with malicious code that downloads this ransomware onto your PC secretly, provided that you interact with certain content such as Java or Flash-based content. In the event the developers use email spam, they might include the main executable in a file archive that features an executable with a double extension. The sample we have tested was named ReadMe.pdf.exe. As you can see, the ransomware was set to look like a PDF file, while it is an executable, in fact.

We advise you against paying the ransom because there is no telling whether the cyber criminals will keep their word and send you the decryption program. Furthermore, the ransom might be too large, so paying it might not be worth your files. Therefore, we recommend that you remove Sadstory Ransomware from your PC. You can get an anti-malware program such as SpyHunter or use our manual removal guide featured below.

Manual Removal Guide

1. Hold down Windows+E keys.
2. Type %LOCALAPPDATA% in the address box.
3. Press Enter.
4. Find ReadMe.pdf.exe, right-click it and click Delete.
5. Also, go to Downloads, Temp folder and desktop.
6. Delete any suspicious-looking executable files.
7. Empty the Recycle Bin.