Sardoninir Ransomware Removal Guide

Threat Level: 9/10
Category: Trojans

What happens when Sardoninir Ransomware infects your operating system? If it slithers in, this infection encrypts your files, creates a RUN key in the registry, and launches a file that displays a message from its creator. The main purpose of this threat is to make its victims pay a ransom. At the time of research, it was possible to avoid paying by applying a “password” that was stored on the victim’s computer. Is this password stored on your PC as well? If it is, we can help you find it. Unfortunately, it is possible that your operating system was infected with a different version of this malicious threat, and the password cannot be retrieved or applied. If you cannot use a password, your personal files might be locked for good. Even if you delete Sardoninir Ransomware from your operating system, they will remain encrypted! It is possible that, in this situation, there is only one solution.

The distribution of Sardoninir Ransomware is still quite mysterious, and we do not know whether this threat will slither in using a corrupted spam email attachment, or if it will be downloaded by other threats. In any case, it is most likely that this stealthy infection will slither in without your notice. If it remains unnoticed, it can successfully encrypt your most personal files found in the Desktop, Documents, Downloads, Pictures, and Videos folders. When the files are encrypted, the “.enc” extension is attached to them. The same extension is used by the infamous safeanonym14@sigaint.org Ransomware. According to our research team, it is identical to Sardoninir Ransomware, and you might be able to remove both of these threats using the same steps. Of course, if you are dealing with the clone, we suggest reading the report that was created after analyzing it. You can find it on our website as well.

Once Sardoninir Ransomware encrypts your files, it displays a ransom message. Before that, you might notice a few random-looking windows pop up. One of them should inform you about the re-installation of some software, and the other one should show a strange combination of letters and numbers. If you have recorded this combination, enter it into the password box in the main ransom window, and, maybe, your files will be decrypted in no time. The ransom note displayed by the infection asks you to pay a ransom of 100 USD in Bitcoins to the specified Bitcoin address within 24 hours. If you pay the money, you are also asked to send transaction details to sardoninir@gmail.com. Because of this, Sardoninir Ransomware is often identified as “Sardoninir@gmail.com Ransomware.”

As mentioned before, you might be able to find the password on your own computer, but what if you cannot? If the password does not exist or you cannot use it, the first thing we advise doing is checking your backups. Do that using a computer that has not been compromised by malware because you do not want to endanger backup copies. What should you do if backups do not exist? In that case, you should look into legitimate file decryptors, although it is unlikely that they will help you at all. If you exhaust all options, you might be left with only one: paying the ransom requested by Sardoninir Ransomware. We have to make ourselves very clear: cyber criminals can tell you anything just to get your money. Sure, the decryption password might exist, but who can say if cyber crooks will provide you with it? This is why paying the ransom is considered extremely risky.

Although Sardoninir Ransomware disables Windows Explorer, Task Manager, Command Prompt, and Registry Editor upon execution, our researchers have found that you can restart these utilities, and we show you how to do that in the guide below. The guide also shows how to terminate processes and remove components associated with the infection. Although you have to find and apply the password manually, you do not have to remove Sardoninir Ransomware that way. In fact, we recommend using anti-malware software instead, and not just because it can erase all malicious components automatically but because it can reinforce Windows protection to ensure that your operating system remains malware-free in the future.

How to delete Sardoninir Ransomware

  1. Simultaneously tap keys Ctrl+Alt+Delete to open a menu with different options.
  2. Select Task Manager and immediately move to the Processes tab.
  3. Select the malicious process (might be called svchost) and choose End task/End process.
  4. Now, move to the menu at the top and click File.
  5. Choose New Task and then enter regedit.exe into the dialog box to launch Registry Editor.
  6. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion.
  7. Check the value data of the values named Hr, Minu, and Secd (if the values are 0, the password will not work) and then double-click the value called pass.
  8. Write down the password found in the value data field and then exit the Registry Editor.
  9. Launch Explorer (open the Task Manager and create a New task called explorer.exe).
  10. Enter %HOMEDRIVE%\Logs\System\Windows\DefaultApplications into the bar at the top and tap Enter.
  11. Launch the file called svchost.exe (should be representative of the process you have already terminated).
  12. When the ransom note appears, enter the password into the allocated box. This should decrypt the files and remove the registry keys associated with the ransomware.
  13. Launch Explorer again (tap Win+E) and move to %HOMEDRIVE%\Logs\System\Windows\.
  14. Right-click and Delete the folder called DefaultApplications (it should hold the copy of the original .exe file).
  15. Delete the original .exe file (if you cannot find it, use an anti-malware tool).
  16. Use a legitimate malware scanner to fully examine your operating system for leftovers.
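
The checks from the steps above can also be collected in one read-only pass. The PowerShell below is an added example, not part of the original guide or any vendor tool: it reads the registry values from steps 6-8, looks for the dropped svchost.exe, and counts ".enc" files in the five user folders. Assumptions: the function name is hypothetical, the RUN entry is looked up under HKCU (the guide only says "a RUN key"), the user folders sit at their default locations under %USERPROFILE%, and PowerShell can still be started on the affected machine.

```powershell
# Added example: read-only triage for the artifacts named in this guide.
# Nothing is modified, launched, or deleted.
function Get-SardoninirArtifacts {   # hypothetical function name
    $cv   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion'
    $drop = "$env:HOMEDRIVE\Logs\System\Windows\DefaultApplications"

    # Steps 6-8: the countdown values (Hr, Minu, Secd) and the stored password (pass).
    $reg = @{}
    foreach ($name in 'Hr', 'Minu', 'Secd', 'pass') {
        $item = Get-ItemProperty -Path $cv -Name $name -ErrorAction SilentlyContinue
        if ($item) { $reg[$name] = $item.$name } else { $reg[$name] = $null }
    }
    # The guide says the password will not work once the countdown values are 0.
    $zero = @('Hr', 'Minu', 'Secd' | Where-Object { "$($reg[$_])" -eq '0' })

    # Assumption: the RUN entry is under HKCU; the guide only says "a RUN key".
    $runHits = @()
    $run = Get-ItemProperty -Path "$cv\Run" -ErrorAction SilentlyContinue
    if ($run) {
        $runHits = @($run.PSObject.Properties |
            Where-Object { "$($_.Value)" -like '*\Logs\System\Windows\DefaultApplications\*' } |
            ForEach-Object { $_.Name })
    }

    # Assumption: the five user folders are at their default %USERPROFILE% locations.
    $enc = @('Desktop', 'Documents', 'Downloads', 'Pictures', 'Videos' |
        ForEach-Object { Join-Path $env:USERPROFILE $_ } |
        Where-Object { Test-Path $_ } |
        ForEach-Object { Get-ChildItem -Path $_ -Filter '*.enc' -Recurse -ErrorAction SilentlyContinue } |
        Where-Object { -not $_.PSIsContainer -and $_.Extension -eq '.enc' })

    New-Object PSObject -Property @{
        Password          = $reg['pass']
        Hr                = $reg['Hr']
        Minu              = $reg['Minu']
        Secd              = $reg['Secd']
        TimerExpired      = ($zero.Count -eq 3)
        DroppedExePresent = (Test-Path (Join-Path $drop 'svchost.exe'))
        RunEntries        = $runHits
        EncFileCount      = $enc.Count
    }
}

Get-SardoninirArtifacts | Format-List
```

An empty Password field or a TimerExpired value of True means the password route in steps 7-12 is not available on this machine, which leaves backups as the next option.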