How to remove Sad virus and restore encrypted files

Sad ransomware virus

Sad is the perilous software infecting computers mostly with help of e-mail spam and Trojans. Occasionally fraudsters use exploits to take control over the system, but major program developers quickly fix them. After the infection, the virus examines the computer memory to find the files for encryption and their approximate value. Nowadays, any new ransomware knows how to cypher audio, video, image and text files in all popular extensions. Special attention is paid to businesslike files, since representatives of business are the priority target for criminals. All software in the system will be unaffected because hackers want only information. Encryption is carried out through world-known AES and RSA algorithms, and its complexity is so above the average level that it can't be bruteforced. Such complexity creates root for impressive effectuality of ransomware in recent years: PC operator, even if he has a fairly high experience in suchlike things, won't ever restore the data, and will have no choice except paying to scammers. The single manner to decrypt the information is to find the fraudster's website and withdraw the encryption keys. Also there's a way to get the keys due to faults in viruse's program code. When encrypting files, Sad switches the extension of files to .Sad. Virus adds SADStory_Readme_FOR_DECRYPT.txt with restoration information.

SADStory_Readme_FOR_DECRYPT file

The article is dedicated to virus called Sad that gets onto laptops around the world, and corrupts the files. In this page you can see full information about what is Sad, and the removal of Sad from the machine. Except that, we will teach you how to get back the cyphered files, if possible.

For any kinds of harmful software, one thing is correct: it's way simpler to avoid it than to cure it. Statistically, 90% of users understand the significance of computer knowledge just when ransomware penetrates their machines. To shield your laptop, you must keep in mind a few simple regulations:

    • Do not accept any changes to the computer, originating from suspicious software. If the laptop is polluted by Sad, it will try to remove all copies of your data, to make the recovery less possible. However removal of copies needs admin rights and confirmation from the operator. If you'll stop for a moment before accepting the pop-up, it can save your data and your money.
    • Keep an eye on the performance of your PC. It needs a lot of CPU resources to encrypt the files. When the Sad is starting to work, the CPU performance decreases, and the encryption process emerges in Process Manager. You might recognize this moment and switch off the machine before information will be fully spoiled. Naturally, the certain amount of data will be encrypted, but the other part of them will be safe.
    • Attentively examine your emails, particularly the messages which have files attached to them. The very popular model of scam messages is the story about prize gaining or package obtaining. You also should keep an eye on business correspondence, particularly if you don't know the sender and not sure what's inside. It is OK to be interested and click on the message even if it might be not for you, but remember that a single click on the viral file may cost you a lot of money, time and headache.

You should know that deleting Sad is just a, first move, which is required for the standard work of the laptop. To restore the files you should follow the instructions in the special part of our entry. To uninstall Sad, user needs to launch the computer in safe mode and run the scanning via AV-tool. We do not recommend trying to remove ransomware by hand, since it has many defensive mechanics which could counteract you. Modern malware can fully erase corrupted data, or part of it, when trying to uninstall the virus. To neutralize this, abide to the guide below.

Removal instruction

Step 1. Boot into Safe mode

Safe mode

Start -> Msconfig.exe

Safe mode. Step 1

On the tab Boot select Safe boot

Safe mode. Step 2

Step 2. Check Startup folder

Start -> Msconfig.exe ->Disable unknown programs in the Startup tab


Step 3. Check hosts file

Modify hosts file, that located in C:\Windows\System32\drivers\etc\ .

Hosts file.Step 1

Open the file with Notepad and delete suspicious strings.

Hosts file.Step 2

It has to look like this:

Hosts file.Step 3

Step 4. Scan the system with antiviral scanner


Special Offer

Antivirus scanner

Why we recommend SpyHunter antimalware

Detects most kind of threats: malicious files and even registry keys of malware will be found

Protects your system in the future

24/7 free support team

SpyHunter's scanner is only for malware detection. If program detects infected elements on the computer, you will need to purchase malware removal tool for $39,99 to delete threats. SpyHunter has Free Trial for one remediation and removal, subject to a 48-hour waiting period. Uninstall steps and additional information EULA , Privacy Policy and Threat Assessment Criteria.

bwd  Instructions 1/2  fwd

Step 5. Disable Safe mode

Start -> Msconfig.exe ->Disable Safe boot in the Boot tab

Deactivate Safe mode

After uninstalling the malware from the machine, you should decrypt the encrypted files. We won't try to reverse the encryption, but we'll restore them via OS functionality and the extra programs. There are the lucky chances, but generally file recovery requires a lot of time and money. If you choose the manual data recovery - read this item, which describes all the most effective ways: article about files decryption.

This website uses cookies to improve your experience. If you continue using the site, we will assume that you accept our cookies policy.