Delete Satan Ransomware Virus And Retrieve Encrypted Files

Satan is a highly customizable ransomware virus that may appear in many different forms. It infects users' computers, encrypts their files and asks for a ransom in order to decrypt them. Satan differs from other ransomware because a modified version of the virus can be created and distributed by anybody. The original creators of Satan receive 30% of the profits, while cyber criminals spread their own customized versions and try to infect as many users as possible. This model is called ransomware as a service (RaaS), and it is hard to track because new variations appear constantly.

The virus is distributed through various means and starts encrypting your data as soon as you launch a file associated with it. The only reliable way to protect your computer against this threat is to completely remove all traces of it and secure your PC to prevent attacks from happening in the future. Since this virus is highly customizable and hard to track down manually, we recommend using the automatic removal tool listed below. We advise following the manual removal instructions only if you have experience in editing Windows system files and settings.


Recommended Method: Download Satan Virus Removal Tool

Version: All. Updated: 2 days ago. Compatible OS: All.
This is the most suitable program for automatically removing the threat and repairing your PC.
Works with: Windows 10, Windows 8, Windows 7, Windows Vista, Windows XP.
File name: mb3-setup.exe (56.5 MB)


What is Satan ransomware virus?

Although originally named Satan, it might have any name, since every cyber criminal can customize it and make a new version. The file extension, ransom note, ransom amount, multiplier and other settings can all be customized. It is designed to make money for the original creators by spreading as many versions, created by as many users, as possible.

The creators describe the virus in the following words:

Satan is a free to use ransomware kit, you only need to register on the site to start making your viruses. Satan is a ransomware, a malicious software that once opened in a Windows system, encrypts all the files, and demands a ransom for the decryption tools.

Satan is very easy to deploy, you can create your ransomware in less than a minute. Satan uses TOR and Bitcoin for anonymity.

The virus executable file is only 170 kb in size and can be spread merged with other harmless-looking files. Malicious Microsoft Word macros and CHM help files are often used to infect the victims, as well as exploit kits and various binary files. The distribution methods range from spam emails to social networks, instant messaging, torrents and hijacked websites. The creators usually use deceptive file names like “Please see this attachment”, “Invoice”, “Urgent” and similar. The virus starts encrypting your files in the background as soon as you launch the infected program.

IMPORTANT: If you believe that your computer might have been infected by this ransomware, check for any signs of increased CPU, RAM or hard disk space usage. If your computer has suddenly become slower and you do not know the reason, the ransomware might already be using your PC resources to encrypt files. In that case, turn off the computer immediately in order to prevent further damage and salvage the files. Resume using your PC normally only after you have successfully removed the threat from your system.

The virus uses the AES-256 and RSA-2048 algorithms to encrypt your files. After it finishes encrypting all files, it displays a ransom note and asks for a payment to be made via Bitcoin. The amount requested is at least 0.1 BTC, but it can be as much as 5 BTC or even more. The criminals promise to provide you with a private decryption key, but there is no guarantee that it will be provided. Moreover, the creators might repeat the attacks in the future if they see you as a paying victim.

The virus usually changes the extension of encrypted files to .stn and replaces the file names with random character strings.

Here is the default ransom note (HELP_DECRYPT_FILES.html). It could be modified or translated and look different:

Your personal files have been encrypted. In order to decrypt them you'll have to pay X BTC
If the payment is not made until X, the cost for the private key will increase to X BTC
How to get your files back

1. Register a bitcoin wallet
2. Purchase the amount of bitcoins needed
3. Send X BTC to the address: XXXXXXXXXXXXXXXXXXXXXXXXXX
4. Wait for the transaction to be confirmed

The transactions are checked automatically every hour. After you've paid, come back here after at least one hour.

Here is another Satan ransom note with instructions:

What happened to my files ?
All of your personal files were encrypted using AES-256 and RSA-2048

What does this mean ?
This means that the content of your files have been changed, you will not be able to use them, it is basically the 
same as losing them forever. However, you can still get them back with our help.

How can I get my files back ?
As said before, your files have been encrypted, in order to decrypt them, you'll need the private key of the key 
pair that was generated when your files were encrypted. Decrypting your files is only possible with the private 
key and the decrypter.

If you really value your data, then you should not waste time and follow the instructions in the link below:

If the links above are not available, you should follow these steps instead:

1. Download and install the Tor Browser
2. After you've installed it, run the browser and wait for it to initialize
3. Type in the address bar:
4. Follow the instructions on the page

If a victim tries to pay a lower amount than requested it will state the following:

You've paid X BTC. There are still X BTC left.

There is also a text for those who pay the ransom included in the ransomware files:

Download both the private key and the decrypter. Open the decrypter, import the private key and wait untill the 
decryption process ends.

We strongly discourage you from paying the ransom. Instead, you should completely remove the virus from your system by following our manual. You should always keep backups of your files in a separate location and secure your computer with proper antivirus software (e.g. the one recommended above) in order to avoid further infections.



Manual Removal Instructions:

NB: Make sure you are comfortable with editing important Windows system files and settings before proceeding. Removing the virus manually does not guarantee that the threat will not appear in the future. Make sure you secure your computer with proper antivirus software and make backups in the future to prevent any possible infections.

Bookmark this page as you will have to restart your computer during the removal process.

Step 1:

Start by rebooting your computer in Safe Mode.

When your computer is infected by a virus, some of its features may be locked or compromised. You need to bypass this by rebooting your computer in Safe Mode. This will allow you to remove the virus.

Since Safe Mode only has the most basic features, do not be alarmed if Windows looks completely different!

How to reboot Windows 98, XP, Vista or Windows 7 in Safe Mode:

  1. Restart your computer (if it is locked you can do this by physically pressing the power button on your computer).
  2. As soon as the PC starts booting, press the F8 key repeatedly until a boot options screen appears.
  3. Use the arrow keys to highlight Safe Mode With Networking and press Enter.
  4. Wait for Windows to launch.

 

How to reboot Windows 8, 8.1 or Windows 10 in Safe Mode:

F8 method (1/4):

Restarting and repeatedly pressing F8 might not work for this version of Windows, since booting is much faster and does not always react to the key presses. Try this method first and then proceed to the other methods if it does not help.

  1. Restart your computer (if it is locked you can do this by physically pressing the power button on your computer).
  2. As soon as the PC starts booting, press the F8 key repeatedly.
    If it does not work, try repeating the same procedure but this time hold the Shift key while pressing F8.
  3. Follow the instructions from Step 5 below.

Shift+Restart method (2/4):

  1. Click the Power icon at the login screen or in the settings charm.
  2. Hold the Shift key on your keyboard and, while holding it, click Restart with your mouse.
  3. Click Troubleshoot.
  4. Click Advanced options.
  5. Click Startup Settings.
  6. Click Restart.
  7. Now press the F5 key on your keyboard to enable Safe Mode With Networking.

System configuration method (3/4):

  1. Press and hold the Windows key and press R.
  2. Enter msconfig.exe and click OK.
  3. When System Configuration opens, go to the Boot tab.
  4. Check the box “Safe Boot” in Boot options and click OK.
  5. When prompted, click Restart.
  6. Windows will now start in Safe Mode.

System Recovery method (4/4):

If everything above fails, you can try inserting a System Recovery CD or DVD (works only with Windows 8) or a System Recovery USB Memory Stick (works with Windows 8 and 8.1). You will be able to choose the Troubleshoot option. The steps are then identical to those in the Shift+Restart method, starting from #3.

Step 2:

Terminate all processes that might be associated with the virus.

Press CTRL + SHIFT + ESC at the same time to launch Windows Task Manager. You can also launch it by right-clicking on the Windows taskbar and clicking Start Task Manager.

Go to Processes tab.

All processes currently running on your computer will be listed.

You will have to check each running process manually.

The virus can hide in any of the processes, including the ones belonging to your Windows system. This is why you have to run through the complete list.

Right-click on each of the processes in the list and choose Open File Location.

Go to virustotal.com and upload the opened file for a scan.

If the virus scan shows that the file is dangerous, right-click on the process and choose End Process, then delete that file in the location you have opened.

Repeat this until you have scanned all processes.

Step 3:

Check your hosts file for any suspicious IPs.

Press and hold the Windows key and press R to open the “Run” window.

Enter the following in the field:

notepad %windir%/system32/Drivers/etc/hosts

Click OK.

Delete any entries listed at the end of the “hosts” file that do not have “#” in front of them (lines starting with “#” are comments and are ignored by Windows). Save the file after you are finished.
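An added example (not part of the original guide) that lists the hosts entries Step 3 asks you to review: it reports every active, non-comment line except the harmless loopback-to-localhost mapping. The sample file contents and host names are constructed; on Windows the script reads the real hosts file instead.

```python
import ipaddress
import os

# Constructed sample. A stock Windows hosts file contains only comments;
# the last two lines stand in for entries that were added to the file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#       127.0.0.1       localhost
#       ::1             localhost

127.0.0.1    localhost
203.0.113.7  update.example-av.test   # constructed entry
0.0.0.0      www.example-av.test
"""

def active_entries(text):
    """Return (line_no, ip, hostnames) for each line that is not commented out."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # text after '#' is a comment
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not in "IP name ..." form; skipped in this example
        entries.append((line_no, str(ip), fields[1:]))
    return entries

def entries_to_review(text):
    """Active entries other than the harmless loopback -> localhost mapping."""
    flagged = []
    for line_no, ip, names in active_entries(text):
        loopback = ipaddress.ip_address(ip).is_loopback
        if not (loopback and all(n.lower() == "localhost" for n in names)):
            flagged.append((line_no, ip, names))
    return flagged

if __name__ == "__main__":
    path = os.path.join(os.environ.get("WINDIR", r"C:\Windows"),
                        "System32", "drivers", "etc", "hosts")
    if os.path.exists(path):
        with open(path, encoding="utf-8-sig", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS  # not on Windows: fall back to the sample
    for line_no, ip, names in entries_to_review(text):
        print(f"line {line_no}: {ip} -> {' '.join(names)}")
```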

Step 4:

Look for any suspicious programs in your startup config.

Hold the Windows key and press R.

Enter the following in the field:

msconfig.exe

Click OK.

Open the Startup tab.

Search for any suspicious entries in the startup items list and uncheck them.

Usually such items have “Unknown” listed as a manufacturer but sometimes they can hide under legitimate program names.

Check all suspicious items’ locations by hovering your mouse over the “Command” column and navigating to the displayed location. Upload the located file to virustotal.com and remove it if it is displayed as dangerous.

Click OK when you have finished unchecking all potentially dangerous items.

Step 5:

Clean up your registry entries.

Hold the Windows key and press R.

Enter the following in the field:

regedit.exe

Click OK.

Since this ransomware is highly customizable, you should look for the custom name of the virus you got infected with and search for it in the registry entries. Here is an example of such a search, using the virus name “satan”.

Press keyboard buttons CTRL + F and enter:

satan

Click Find Next.

If you find any registry entries, delete them by right-clicking on each one and choosing Delete.

Be very careful. You could delete important system registry entries that are critical for Windows to work properly. Double check what you are doing before committing!

Repeat this search with other possible queries associated with the virus, including its Bitcoin address, encrypted file extension (if it has been changed), malicious process names, and the word “crypt”.

Step 6:

Clean up Windows temporary files as the ransomware may operate from this folder.

Removing all temporary files is completely safe for your computer.

Hold the Windows key and press R.

Enter the following in the field:

%Temp%

Click OK.

Simply select all files and folders displayed in the temporary files directory and delete them permanently by simultaneously pressing CTRL + A and then SHIFT + DELETE.

Step 7:

Check for any recent changes in all the other important system files.

Hold the Windows key and press R.

Enter the following in the field:

%AppData%

Click OK.

Do not delete anything here! Search for any recent changes (by “Date Modified”) in the files first. If you know when the infection happened, search specifically for that date or later. Scan a file with virustotal.com only if you see that it has recently been modified. Remove only files marked as dangerous. Otherwise you might remove critical system files and Windows might stop working.

Repeat this step with the following three directories:

%LocalAppData%
%ProgramData%
%WinDir%

Remember to be very careful with these directories as they contain many important files and your system needs them to run properly.
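As an added example, not taken from the original guide, this script automates the “Date Modified” search from Step 7 and computes a SHA-256 hash for each hit, which can be searched on virustotal.com without uploading the file. The cutoff date is a placeholder to replace with your own infection date; it deletes nothing.

```python
import hashlib
import os
from datetime import datetime

def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def modified_since(roots, cutoff):
    """Return [(mtime, path, sha256)] for files changed at or after `cutoff`, oldest first."""
    cutoff_ts = cutoff.timestamp()
    hits = []
    for root in roots:
        for folder, _dirs, files in os.walk(root):  # unreadable folders are skipped
            for name in files:
                path = os.path.join(folder, name)
                try:
                    mtime = os.stat(path).st_mtime
                    if mtime < cutoff_ts:
                        continue
                    file_hash = sha256_of(path)
                except OSError:
                    continue  # locked or unreadable file
                hits.append((datetime.fromtimestamp(mtime), path, file_hash))
    return sorted(hits)

if __name__ == "__main__":
    cutoff = datetime(2017, 1, 1)  # placeholder: set to your infection date
    # The four locations from Step 7. WINDIR is large, so expect a long run.
    names = ("APPDATA", "LOCALAPPDATA", "PROGRAMDATA", "WINDIR")
    roots = [os.environ[n] for n in names if n in os.environ]
    for when, path, file_hash in modified_since(roots, cutoff):
        print(when.isoformat(sep=" ", timespec="seconds"), file_hash, path)
```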

Decrypting The Files:

You should move on to recovering your files only after you have completely removed the infection. Otherwise you might cause more damage.

Check for a Satan decryptor here: List of currently available decryptors. We currently have no information that such a decryptor is available, but one might be added in the future, so check the list before continuing.

We have a complete list of extensive file recovery methods available here. The instructions below are just a short version and not all methods are listed.

Step 1:

Start by restoring the old system settings using System Restore. The virus might have changed them so you need to revert to the old ones first.

Keep in mind that viruses tend to remove the restore points, so this step might not be successful.

Hold the Windows key and press R.

Enter the following in the field:

rstrui.exe

Click OK.

A System Restore wizard will open.

Click Next.

Check Show more restore points.

If you see any restore points, restore the system. Make sure you select a point that has been created before the attack happened.

If there are no restore points or they have been deleted by the ransomware you will see “No restore points have been created…” error.

Step 2:

Restore earlier file versions.

Download Shadow Explorer.

When you run the program you will see the list of all shadow copies created.

Select the drive and date that you want to restore from.

Right-click on a folder name and select Export. The folder will be restored.

Read more here about how to restore files from shadow copies.

Step 3:

Step 2 might also be unsuccessful if the virus managed to delete your file shadow copies. In that case you will have to move on to more advanced methods that work in extreme cases. These methods include a professional file recovery system that could retrieve files even after ransomware encryption or an accidental format of your drive.

Alternatively, you could make a backup of all encrypted files and wait for a Satan decryptor to be created. New free decryptors for various ransomware appear every week, but we cannot estimate the waiting time or whether one will be created at all.

