When you boot your PC, it opens a ransom note telling that your files are encrypted by the “Saturn ransomware” instead of usual Desktop background? It means your PC has become a victim of the Saturn ransomware which falls under the category of ransomware viruses. If you get it on your PC, this virus can encrypt all documents, photos and music stored on the PC drives.
“Saturn ransomware” – ransom note
Once installed, the Saturn ransomware virus will scan the personal computer for some file types and encrypt them. When encrypting a file it will add the .saturn extension to every encrypted file name to identify that the file has been encrypted. For example, a file named sample.doc would be encrypted and renamed to sample.doc.saturn.
The ransom demanding message offers victim to contact Saturn’s authors in order to decrypt all files. These persons will require to pay a ransom (usually demand for $300-1000 in Bitcoins). We don’t recommend paying a ransom, as there is no guarantee that you will be able to decrypt your photos, documents and music. Especially since you have a chance to recover your files for free using some tools such as ShadowExplorer and PhotoRec.
Therefore it is very important to follow the few simple steps below sooner. The guide will help you to get rid of Saturn ransomware. What is more, the few simple steps below will help you recover .saturn files for free.
Table of contents
- What is Saturn ransomware
- How to decrypt .saturn files (Saturn Decryptor)
- How to remove Saturn ransomware virus
- Restore files encrypted by Saturn ransomware
- How to prevent your PC from becoming infected by Saturn ransomware virus?
- How does your system get infected with Saturn ransomware virus
- To sum up
What is Saturn ransomware
The Saturn ransomware is a variant of crypto viruses (malware that encrypt personal files and demand a ransom). It affects all current versions of MS Windows OS such as Windows XP, Windows Vista, Windows 7, Windows 8, Windows 10. This ransomware uses strong encryption method to eliminate the possibility of brute force a key which will allow to decrypt encrypted photos, documents and music.
When the Saturn ransomware infects a PC system, it uses system directories to store own files. To run automatically whenever you turn on your PC, Saturn ransomware creates a registry entry in Windows: sections HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ Run, HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ RunOnce, HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ Run, HKCU \ Software \ Microsoft \ Windows \ CurrentVersion \ RunOnce.
Immediately after the launch, the Saturn ransomware scans all available drives, including network and cloud storage, to determine which files will be encrypted. The virus uses the file name extension, as a way to define a group of files that will be subjected to encrypting. Encrypted almost all types of files, including common as:
.pak, .doc, .wdb, .cfr, .hvpl, .map, .mddata, .ntl, .accdb, .dmp, .wav, .xlsb, .wp4, .das, .cdr, .upk, .xdb, .wmv, .psd, .sid, .rofl, .ltx, .xlsx, .ibank, .bc7, .apk, .zip, .big, .pptm, .rw2, .kdc, .webp, .raw, .cas, .ai, .dwg, .gho, .x3f, .wmv, .orf, .y, .lrf, .mov, .eps, .m2, .dxg, .odb, .wbm, .slm, .wma, .z3d, .wcf, .zi, .wotreplay, .der, .m3u, .xy3, .x, .bsa, .xlsm, .itm, .pptx, .wpw, .odc, .rgss3a, .css, .2bp, .xbplate, .mdb, .wsd, .pef, .sav, .crt, .m4a, .dbf, .forge, .kdb, .kf, .p7c, .rwl, .xdl, .wn, .wp6, .tor, .vfs0, .sum, .dng, .mrwref, .bkp, .xml, .xlgc, .syncdb, .w3x, .pem, .wbc, .wma, .zdc, .sql, .zabw, .menu, .esm, .wmo, .hplg, .xwp, .ods, .odm, .epk, .icxs, .3fr, .xls, .crw, .png, .wri, .1, .xxx, .zip, .cr2, .docx, .nrw, .wpt, .ysp, .ybk, .3ds, .bik, .sb, .mef, .dazip, .yml, .py, .xmmap, .t12, .wps, .bay, .wmf, .rtf, .ztmp, .xpm, .zdb, .xlsx, .snx, .wsh, .wb2, .js, .mcmeta, .xyw, .indd, .x3f, .wpb, .x3d, .lvl, .hkdb, .vpk, .xld, .1st, .db0, .psk, .pdf, .wp, .dba, .wps, .iwi, .z, .mpqge, .xf, .itl, .fos, .wm, .pdd, .xls, .wbd, .arch00, .csv, .xx, .wp5, .rar, .wpd, .xlk, .ff, .wbz, .desc, .svg, .xmind, .sr2, .wgz, .hkx, .wmd, wallet, .qdf, .txt, .wpe, .zw, .dcr, .pst, .itdb, .vtf, .srf, .cer, .xlsm, .qic, .jpe, .lbf, .raf, .asset, .d3dbsp, .fpk
Once a file is encrypted, its extension changed to .saturn. Next, the ransomware virus creates a file named “#DECRYPT_MY_FILES#.html” and “#DECRYPT_MY_FILES#.txt”. This file contain a guidance on how to decrypt all encrypted files. You can see an one of the variants of the ransom note below:
S A T U R N
All of your files have been encrypted!
To Decrypt your files follow these steps:#———————————————#
1. Download and install the “Tor Browser” from https://www.torproject.org2. Run it.
3. In the Tor Browser, open website:
http://su34pwhpcafeiztt.onion4. Follow the instructions on the page
#———————————————#
The Saturn ransomware virus actively uses scare tactics by showing a ransomnote on the desktop. It is trying to force the user of the infected PC, do not hesitate to pay a ransom, in an attempt to restore their documents, photos and music.
How to decrypt .saturn files (Saturn Decryptor)
Currently there is no available way to decrypt .saturn files, but you have a chance to restore encrypted personal files for free. The Saturn ransomware uses a strong encryption algorithm with long key. What does it mean to decrypt .saturn files is impossible without the private key (Saturn Decryptor). Use a “brute forcing” is also not a way because of the big length of the key. Therefore, unfortunately, the only payment to the authors of the Saturn ransomware entire amount requested – the only method to try to get the decryption key and decrypt all your files.
There is absolutely no guarantee that after pay a ransom to the developers of the Saturn ransomware, they will provide the necessary key to decrypt your files. In addition, you must understand that paying money to the cyber criminals, you are encouraging them to create a new ransomware virus.
How to remove Saturn ransomware virus
In order to remove Saturn ransomware from your PC, you need to stop all virus processes and delete its associated files including Windows registry entries. If any virus components are left on the computer, the ransomware virus can reinstall itself the next time the computer boots up. Usually ransomware uses random name consist of characters and numbers that makes a manual removal process very difficult. We suggest you to use a free ransomware removal utilities that will help delete Saturn virus from your PC. Below you can found a few popular malware removers that detects various ransomware.
Run Zemana Anti-malware to remove Saturn ransomware
You can get rid of Saturn ransomware automatically with a help of Zemana Anti-malware. We advise this malware removal utility because it may easily get rid of ransomware viruss, potentially unwanted software, ‘ad supported’ software and toolbars with all their components such as folders, files and registry entries.
- Visit the page linked below to download Zemana Free. Save it to your Desktop so that you can access the file easily.
Zemana AntiMalware
164032 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
- At the download page, click on the Download button. Your web-browser will open the “Save as” prompt. Please save it onto your Windows desktop.
- After the download is complete, please close all software and open windows on your system. Next, launch a file called Zemana.AntiMalware.Setup.
- This will start the “Setup wizard” of Zemana Anti Malware onto your PC. Follow the prompts and don’t make any changes to default settings.
- When the Setup wizard has finished installing, the Zemana Free will start and show the main window.
- Further, press the “Scan” button for scanning your computer for the Saturn ransomware and other kinds of potential threats like malicious software and potentially unwanted applications. A scan can take anywhere from 10 to 30 minutes, depending on the count of files on your PC system and the speed of your computer. While the Zemana Free program is scanning, you may see how many objects it has identified as threat.
- After Zemana completes the scan, you can check all threats detected on your PC.
- Review the scan results and then click the “Next” button. The tool will delete Saturn ransomware and other kinds of potential threats like malicious software and potentially unwanted apps and add threats to the Quarantine. After that process is complete, you may be prompted to reboot the PC.
- Close the Zemana Anti Malware (ZAM) and continue with the next step.
Use Malwarebytes to delete Saturn ransomware
We advise using the Malwarebytes Free which are completely clean your personal computer of the Saturn ransomware. The free utility is an advanced malware removal program developed by (c) Malwarebytes lab. This program uses the world’s most popular anti-malware technology. It’s able to help you get rid of ransomware, potentially unwanted apps, malware, adware, toolbars, ransomware and other security threats from your computer for free.
MalwareBytes Free can be downloaded from the following link. Save it on your Windows desktop.
326385 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
When the download is complete, close all apps and windows on your personal computer. Open a directory in which you saved it. Double-click on the icon that’s named mb3-setup as on the image below.
When the install begins, you’ll see the “Setup wizard” which will help you install Malwarebytes on your PC.
Once installation is done, you will see window as displayed in the figure below.
Now press the “Scan Now” button for checking your PC for the Saturn ransomware related files, folders and registry keys. A system scan can take anywhere from 5 to 30 minutes, depending on your PC system.
After the checking is complete, the results are displayed in the scan report. You may remove threats (move to Quarantine) by simply click “Quarantine Selected” button.
The Malwarebytes will now remove Saturn ransomware and other security threats and move items to the program’s quarantine. After that process is done, you may be prompted to reboot your machine.
The following video explains guide on how to remove hijacker infection, adware and other malware with MalwareBytes.
Get rid of Saturn ransomware with KVRT
KVRT is a free portable program that scans your PC for ‘ad supported’ software, potentially unwanted apps and viruses such as the Saturn ransomware and allows delete them easily. Moreover, it’ll also help you delete any malicious web-browser extensions and add-ons.
Download Kaspersky virus removal tool (KVRT) on your Windows Desktop by clicking on the following link.
129056 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
After the download is finished, double-click on the Kaspersky virus removal tool icon. Once initialization process is done, you will see the Kaspersky virus removal tool screen as on the image below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next press Start scan button to search for Saturn ransomware and other known infections. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your machine and the speed of your machine. While the KVRT program is scanning, you can see number of objects it has identified as threat.
Once the system scan is complete, Kaspersky virus removal tool will create a list of unwanted and adware as on the image below.
Make sure all items have ‘checkmark’ and press on Continue to begin a cleaning procedure.
Restoring files encrypted by Saturn ransomware
In some cases, you can restore files encrypted by Saturn ransomware. Try both methods. Important to understand that we cannot guarantee that you will be able to restore all encrypted photos, documents and music.
Use shadow copies to recover .saturn files
In some cases, you have a chance to restore your personal files that were encrypted by the Saturn ransomware. This is possible due to the use of the tool named ShadowExplorer. It is a free program which made to obtain ‘shadow copies’ of files.
Download ShadowExplorer on your Windows Desktop by clicking on the following link.
438669 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
Once the download is done, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as on the image below.
Double click ShadowExplorerPortable to launch it. You will see the a window like below.
In top left corner, select a Drive where encrypted files are stored and a latest restore point as displayed in the figure below (1 – drive, 2 – restore point).
On right panel look for a file that you want to recover, right click to it and select Export like below.
Recover .saturn files with PhotoRec
Before a file is encrypted, the Saturn ransomware can make a copy of this file, encrypt it, and then delete the original file. This can allow you to recover your photos, documents and music using file recover applications like PhotoRec.
Download PhotoRec on your machine from the link below.
When the download is finished, open a directory in which you saved it. Right click to testdisk-7.0.win and choose Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as on the image below.
Double click on qphotorec_win to run PhotoRec for Windows. It will display a screen as shown below.
Choose a drive to recover as shown on the image below.
You will see a list of available partitions. Select a partition that holds encrypted photos, documents and music like below.
Click File Formats button and choose file types to recover. You can to enable or disable the restore of certain file types. When this is complete, press OK button.
Next, press Browse button to select where restored personal files should be written, then press Search.
Count of recovered files is updated in real time. All restored files are written in a folder that you have chosen on the previous step. You can to access the files even if the recovery process is not finished.
When the restore is complete, click on Quit button. Next, open the directory where restored documents, photos and music are stored. You will see a contents as displayed on the screen below.
All restored documents, photos and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, then you can to sort your recovered files by extension and/or date/time.
How to prevent your PC from becoming infected by Saturn ransomware virus?
Most antivirus applications already have built-in protection system against the ransomware. Therefore, if your system does not have an antivirus program, make sure you install it. As an extra protection, run the CryptoPrevent.
Run CryptoPrevent to protect your machine from Saturn ransomware
Download CryptoPrevent by clicking on the following link.
www.foolishit.com/download/cryptoprevent/
Run it and follow the setup wizard. Once the installation is done, you’ll be shown a window where you can select a level of protection, as displayed below.
Now click the Apply button to activate the protection.
How does your system get infected with Saturn ransomware virus
The Saturn ransomware virus is distributed through the use of malware or spam emails. Below is an email that is infected with a ransomware virus like Saturn ransomware virus.
The Saturn ransomware can be distributed through the use of spam emails
Once this attachment has been opened, this ransomware will be launched automatically as you do not even notice that. The Saturn virus will start the encryption process. When this process is complete, it will open the usual ransom note like above on #DECRYPT_MY_FILES#.html.
To sum up
Now your computer should be free of the Saturn ransomware. Remove Kaspersky virus removal tool and MalwareBytes AntiMalware (MBAM). We recommend that you keep Zemana Anti Malware (ZAM) (to periodically scan your machine for new malicious software). Probably you are running an older version of Java or Adobe Flash Player. This can be a security risk, so download and install the latest version right now.
If you are still having problems while trying to remove Saturn ransomware from your personal computer, then ask for help in our Spyware/Malware removal forum.
