Saturn is a high-profile ransomware attack. It maliciously encrypts users' data, leaving it locked for good. The Saturn ransomware displays a message demanding $300 for an RSA key that is allegedly able to unlock the affected data. Locking and unlocking involve some sophisticated crypto-transformations.
The first records of Saturn ransomware attacks date back to the third week of February 2018. Researchers say the trojan is likely to have been engineered from the BTCWare ransomware.
Saturn ransom note
There are several possible infection vectors. Delivery via a macro embedded in an MS Word document seems to prevail. The Word attachment arrives with spam distributed by the crooks. The message may include personal details of the victim, so the phishing could be a targeted attack.
To avoid infection via a phishing email, do not open any message without proper verification, although opening a message does not typically drop the Saturn ransomware by itself. Even if you do read a phishing email, do not download the attachment. Even a download does not necessarily launch the trojan: the macro has to be enabled first. Needless to say, you should refrain from enabling the macro (a compromised document displays a prompt asking whether the macro is to be enabled).
Upon landing on a device, the Saturn ransomware checks whether the system is running in a virtual environment. If it is, the infection terminates its processes and deletes its files.
If the invader gets past that check, it does its best to disable data recovery. Volume Shadow Copies and other enhanced data recovery options are switched off.
The encryption stage follows. First, the ransomware excludes certain file types and data locations from encryption. This keeps the system running so that the ransom note can be displayed and possibly played.
Files encrypted by .saturn
Besides locking the data for good, the encryption marks the affected files by appending an extra .saturn extension to their names.
The notification relies on two basic files; we can call them Decrypt_my_files and Key.
Decrypt_my_files contains general information about what is going on. It is available in four formats: HTML, txt, vbs, and bmp. The first two contain a message readable in basic text editors; the third plays the same message as audio; the fourth is an image to be set as the desktop background, predictably conveying the same message as the first three.
The Key is a key[id].the key file that basically directs the victim to the Saturn ransomware online payment service. This service is available via TOR and asks for USD 300, payable in BTC. Payment allegedly decrypts the data encrypted by the Saturn extortion campaign. There is no feedback so far as to whether this method really works, yet any payment to the crooks contributes to the development of cybercrime.
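To scope the damage before restoring anything, the naming pattern described above (the extra .saturn extension and the Decrypt_my_files notes in four formats) can be inventoried read-only. The script below is an added example, not part of the original article or of any tool it mentions; the on-disk spelling of the note name and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".saturn"    # marker extension named in the article
NOTE_STEM = "decrypt_my_files"  # article's informal note name (assumed spelling)
NOTE_EXTS = {".html", ".txt", ".vbs", ".bmp"}  # the four note formats listed


def classify(name):
    """Return 'encrypted', 'note' or None for a single file name."""
    stem, ext = os.path.splitext(name.lower())
    if ext == ENCRYPTED_SUFFIX and stem:
        return "encrypted"
    if ext in NOTE_EXTS and NOTE_STEM in stem:
        return "note"
    return None


def inventory(root):
    """Walk root without modifying it; pair each locked file with its old name."""
    report = {"encrypted": [], "notes": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            kind = classify(name)
            if kind == "encrypted":
                # Dropping only the final suffix recovers e.g. report.docx
                report["encrypted"].append((str(full), str(full.with_suffix(""))))
            elif kind == "note":
                report["notes"].append(str(full))
    return report


def build_sample_tree(base):
    """Constructed sample data: empty files that only mimic the naming."""
    for rel in ("docs/report.docx.saturn", "docs/DECRYPT_MY_FILES.txt",
                "docs/clean.txt", "pics/saturn.png", "pics/.saturn"):
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.touch()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for locked, original in inventory(tmp)["encrypted"]:
            print(f"{locked} -> restore as {original}")
```

The resulting list of original names tells you which files to look for in backups or Previous Versions, and the note locations show which folders the encryption reached.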
Automated cleanup to remove Saturn virus
1. Click the button to download the stub installer and go through several setup dialogs. Once the tool is up and running, click Start Computer Scan.
2. Wait until the cleaner checks the PC for Saturn ransomware malicious code. As soon as the scan is completed, the report will list all malware objects spotted in the system. Make sure the entries for detected infections are checked, and select the Fix Threats feature. This will result in malware removal and system remediation, so you should now be good to go.
Restore the encrypted files
Saturn encryption is a sophisticated data modification. There is no single, simple solution that covers all cases. Paying the ransom demanded by the crooks is not the way either. Please apply the methods outlined below, as they have been carefully developed to help with recovery in the most severe cases of encrypting assaults.
Data recovery with automatic software
The good news is that the virus actually deals with copies of the files. The originals have been deleted. The removed data can still be restored with tools such as Data Recovery Pro.
Shadow Volume Copies
As Windows creates backups at given periods of time, a victim is advised to check the relevant restore points. Unfortunately, the method applies only if System Restore was enabled prior to the invasion. Please also note that the recovery returns files as saved before the time associated with the chosen restore point.
- Previous Versions dialog to target individual files
One can open Properties for any file. The menu has a tab called Previous Versions. It indicates versions of a file that have been backed up.
To make use of the feature, right-click an affected file and choose Properties in the drop-down list. Then click the above-mentioned tab. You can choose between the Copy and Restore procedures; the former lets you copy the item to a location you specify.
Backups and removing remaining traces of ransomware
Prevention is the best cure. If you stick to making regular reserve copies of your data and store those outside your operating system, the impact of the ransomware is very limited. However, before copying data from backups onto the system hit by the Saturn ransomware, make sure the removal of this virus has been completed.
Manual removal attempts may kill the ransomware in general. In most cases, however, some remnants manage to survive and are still capable of causing significant damage. Please use a reliable anti-malware scanner to detect and remove any remaining infections.