SadComputer ransomware gives victims only 5 minutes to pay up

April 26, 2019

The SonicWall Capture Labs Threat Research Team has received reports of SadComputer, ransomware that appears to be in early development. Although the malware gives its victim only 5 minutes to pay, it also provides a way to recover the files without paying the ransom. We speculate that this variant is an early development release, as the attackers seem to have provided a Bitcoin address that they do not control. The malware does, however, permanently delete files after the time expires.

Infection Cycle:

Upon running the executable file the following dialogs are displayed:



The following text is displayed on the top left of the screen:


The trojan encrypts files on the system and appends ".sad" to their filenames. After the 5-minute timer expires, the encrypted files are permanently deleted.

The trojan adds the following files to the system:

  • %USERPROFILE%\Desktop\sadcomputer_note.txt
  • %USERPROFILE%\Documents\sadcomputer_note.txt
  • %USERPROFILE%\Music\sadcomputer_note.txt
  • %USERPROFILE%\Pictures\sadcomputer_note.txt
  • %USERPROFILE%\Pictures\Camera Roll\sadcomputer_note.txt
  • %USERPROFILE%\Pictures\Saved Pictures\sadcomputer_note.txt
  • %USERPROFILE%\Videos\sadcomputer_note.txt
  • %APPDATA%\Roaming\SadComputer\SadComputer\\recover (empty file)
  • %APPDATA%\Roaming\SadComputer\SadComputer\\time
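
A filesystem sweep for the artifacts listed above, added here as an example and not SonicWall's code. The function names and the triage rule in `is_suspect` are assumptions of this example, and the registry Run value is not checked.

```python
import os
from pathlib import Path

NOTE_NAME = "sadcomputer_note.txt"
ENCRYPTED_SUFFIX = ".sad"
# Folders under %USERPROFILE% where the report lists a ransom note.
NOTE_DIRS = ["Desktop", "Documents", "Music", "Pictures",
             "Pictures/Camera Roll", "Pictures/Saved Pictures", "Videos"]
# State files from the report. %APPDATA% normally already ends in "Roaming",
# so both the literal path from the report and the resolved one are checked.
STATE_FILES = ["SadComputer/SadComputer/recover", "SadComputer/SadComputer/time",
               "Roaming/SadComputer/SadComputer/recover",
               "Roaming/SadComputer/SadComputer/time"]


def sweep(profile, appdata):
    """Return a dict of SadComputer artifacts found under the given folders."""
    profile, appdata = Path(profile), Path(appdata)
    found = {"notes": [], "state": [], "encrypted": []}
    for rel in NOTE_DIRS:
        note = profile / rel / NOTE_NAME
        if note.is_file():
            found["notes"].append(note)
    for rel in STATE_FILES:
        state = appdata / rel
        if state.is_file():
            found["state"].append(state)
    # Files renamed with the ".sad" suffix anywhere in the profile.
    for root, _dirs, files in os.walk(profile):
        for name in files:
            if name.lower().endswith(ENCRYPTED_SUFFIX):
                found["encrypted"].append(Path(root) / name)
    return found


def is_suspect(found):
    """Triage rule assumed for this example: a note or state file flags the
    host; .sad files alone are reported but do not flag it."""
    return bool(found["notes"] or found["state"])


if __name__ == "__main__":
    result = sweep(os.environ.get("USERPROFILE", "."), os.environ.get("APPDATA", "."))
    for kind, paths in result.items():
        for p in paths:
            print(f"{kind}\t{p}")
    print("suspect host" if is_suspect(result) else "no SadComputer artifacts found")
```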

The trojan adds the following key to the registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run <machine name> "<original run path>"

sadcomputer_note.txt contains the following text:

Q: What Happend to my computer?
A: Your Files Have Been Encrypted.

Q: How Do i restore the files?
A: You need to use bitcoin to restore the files.

Q: Can i use other methods?
A: Yes. You can use Paypal.

Q: How can i trust?
A: We dont cheat users. We restore the files.

Pressing "Enter Code" or "Check" in the dialog shown above produces the following dialog:

Providing any random email address for the "E-Mail Address:" field brings up the following dialog:

Using the code provided results in the files being recovered.

The ransom note says that the victim must pay in Bitcoin for file recovery but does not provide an amount to pay. The Bitcoin address (1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2) is from the donation page of Tails, a project that sets out to provide an anonymous, privacy-oriented operating system:

SonicWALL Capture Labs provides protection against this threat via the following signatures:

  • GAV: Sadcomputer.RSM (Trojan)

Also, this threat is detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.