
Saramat Ransomware

Posted: September 12, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 7
First Seen: September 13, 2017
Last Seen: January 18, 2019
OS(es) Affected: Windows

The Saramat Ransomware (or Sarmat Ransomware) is a variant of Hidden Tear that locks the victim's local media by encrypting it and then demands a ransom for its return. Users should be careful not to misidentify the Saramat Ransomware, which drops components carrying inaccurate information that obscures its identity. Although most anti-malware products should remove the Saramat Ransomware immediately after they detect it, saving backups non-locally provides additional protection from this threat.

Your Desktop is Now an Inaccurate Ransom Note

While file-locking Trojans continue to be commonplace, with threat actors re-using text messages, pictures, and other elements of old campaigns, their payloads aren't necessarily accurate or honest. Trojans with cases of mistaken identity, such as the Saramat Ransomware, may feed their victims inaccurate data to keep them from taking the appropriate steps to disinfect their PCs or restore their files. The Saramat Ransomware campaign already operates under three names: the Saramat Ransomware, Sarmat, and, most unusually, CoNFicker Ransomware.

The Saramat Ransomware is a direct descendant of the Turkish 'Hidden Tear' project that Utku Sen designed for educational purposes, without intending the threat ever to be deployed. As a result, the Saramat Ransomware uses Hidden Tear's AES-based encryption feature to block files on the user's PC that fit into one of just over seventy formats, including Word documents, executable programs, Excel spreadsheets, MP3 audio clips and WinZip archives.

The rest of the Saramat Ransomware's symptoms exemplify the mixed branding messages of its design:

  • The Saramat Ransomware appends '.Saramat' extensions to all of the files it encrypts.
  • The Saramat Ransomware creates a short ransom note, in Notepad format, announcing itself as being the 'Sarmat Ransomware.'
  • The Saramat Ransomware resets the user's desktop image to a warning message claiming that it's the 'CoNFicker Ransomware.' Note that malware experts find zero tangible connections between the Saramat Ransomware, the original Conficker worm, and the more modern CoNFicker Ransomware from earlier in 2017. The same incorrect branding also appears in the threat actor's dedicated email address for the Saramat Ransomware campaign.

Keeping a Trojan with Three Faces at Zero Profits

Although the simplest explanation for the Saramat Ransomware's self-contradictory messaging is a threat actor borrowing files from pre-existing sources, it also may be a deliberate strategy to keep the victim from finding the right decryptor. Hidden Tear's variants often are vulnerable to unlocking by free software hosted by a variety of PC security organizations. However, malware experts recommend that you create spares of any blocked files first. Using the wrong decryption software can cause even more data corruption and damage your content permanently.
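The two indicators above that a responder can act on are the appended '.Saramat' extension and the advice to keep spare copies of blocked files before trying any decryptor. The following triage script is an added example, not code from the original write-up or from any decryptor: it inventories files carrying the '.Saramat' extension, reports what file types were locked (by stripping the appended extension), and copies each locked file to a separate spare directory with a SHA-256 check so that a failed decryption attempt cannot destroy the only copy. The directory layout and file contents it builds are constructed for the demonstration, and the helper names are this example's own.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Indicator taken from the write-up: encrypted files carry this appended extension.
SARAMAT_EXT = ".Saramat"


def sha256_of(path):
    """Hash a file in chunks so large media files do not have to be read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_locked_files(root):
    """Return a sorted list of files under root whose name ends with the .Saramat extension."""
    return sorted(p for p in Path(root).rglob("*")
                  if p.is_file() and p.name.endswith(SARAMAT_EXT))


def original_name(locked):
    """Strip the appended extension to recover the file's pre-encryption name."""
    return locked.name[: -len(SARAMAT_EXT)]


def summarize_by_original_extension(root):
    """Count locked files by the extension they had before '.Saramat' was appended."""
    counts = {}
    for locked in find_locked_files(root):
        ext = Path(original_name(locked)).suffix.lower() or "(none)"
        counts[ext] = counts.get(ext, 0) + 1
    return counts


def preserve_spares(root, spare_dir):
    """Copy every .Saramat file into spare_dir (keeping the relative layout) and verify
    each copy by hash. Returns a manifest mapping relative path -> sha256 of the original."""
    root = Path(root)
    spare_dir = Path(spare_dir)
    manifest = {}
    for locked in find_locked_files(root):
        rel = locked.relative_to(root)
        dest = spare_dir / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(locked, dest)  # copy2 keeps timestamps, useful for later timeline work
        digest = sha256_of(locked)
        if sha256_of(dest) != digest:
            raise RuntimeError(f"spare copy of {rel} does not match the original")
        manifest[str(rel)] = digest
    return manifest


def build_demo_tree():
    """Constructed sample infection layout (not real data) so the script runs offline."""
    base = Path(tempfile.mkdtemp(prefix="saramat_demo_"))
    (base / "docs").mkdir()
    (base / "docs" / "report.docx.Saramat").write_bytes(b"\x01\x02 constructed ciphertext")
    (base / "docs" / "budget.xlsx.Saramat").write_bytes(b"\x03\x04 constructed ciphertext")
    (base / "music").mkdir()
    (base / "music" / "song.mp3.Saramat").write_bytes(b"\x05 constructed ciphertext")
    (base / "notes.txt").write_text("untouched file")  # not locked, must be ignored
    return base


if __name__ == "__main__":
    demo_root = build_demo_tree()
    print("locked files by original type:", summarize_by_original_extension(demo_root))
    spares = preserve_spares(demo_root, str(demo_root) + "_spares")
    print(f"preserved {len(spares)} verified spare copies")
```

Run the spare-copy step against a real affected profile directory only after pointing `spare_dir` at removable or network storage, so the spares live somewhere the infected host cannot easily reach again; the manifest of hashes lets you confirm afterwards that no copy was altered between the snapshot and the decryption attempt.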

The Saramat Ransomware campaign's strategies for proliferation are under investigation, although its current ransom demands imply that it targets recreational systems rather than businesses. Victims may compromise their PCs by opening corrupted email attachments, by browsing websites that host script-based exploitable content, or by downloading the Saramat Ransomware through a software piracy resource. A large majority of current AV vendors' databases detect this threat heuristically, which allows most anti-malware programs to delete the Saramat Ransomware with no further action required from the user.

The heavily borrowed nature of this Trojan's design does no favors to users trying to identify the source of an infection with precision. In most circumstances, having security tools in place to detect, isolate, and remove the Saramat Ransomware is a lot simpler than trying to do the same task manually.
