Sitaram108 Ransomware Removal Guide

Do you know what Sitaram108 Ransomware is?

Sitaram108 Ransomware is yet another ransomware based on the Crysis engine. Like its predecessors, it is dedicated to encrypting the files stored on your computer and demanding that you purchase the decryption key to get them back. It uses the RSA cryptosystem to encrypt your files and render them useless. You will not be able to access them, but we do not recommend that you pay the ransom as your files may not be worth the hefty sum of money that the cyber crooks might want you to pay. Therefore, we suggest that you remove it using the guide at the end of this article or with our recommended anti-malware application called SpyHunter. However, if you want to find out more about it, then we invite you to read this whole article.

Sitaram108 Ransomware is a recently discovered infection that is nearly identical to the likes of GruzinRussian@aol.com, Makdonalds@india.com Ransomware, Opencode@india.com Ransomware, and many other ransomware programs that come from the same developer, who is most likely based in Russia, as some of these programs present their ransom notes in English and Russian. However, there is no concrete information, because the developer uses obscure email service providers based in India and elsewhere. Since we are on the topic of email services, we should go over this ransomware’s distribution channels.

Our security experts have determined that Sitaram108 Ransomware is distributed using email spam. Email spam is the most commonly used way of distributing ransomware, as it gets the largest number of computers infected. The person who created this ransomware and its clones has set up a remote server from which the spam is sent. The emails can masquerade as invoices or receipts from companies such as Amazon, eBay, DHL, and so on. They contain malicious attachments that, once opened, secretly drop this malware’s executable, which may be named Payload1.exe, Payload_c.exe, or some other name that contains the word “payload”.

Researchers say that the executable can be placed in numerous locations. Typically, it creates one executable in either %WINDIR%\Syswow64 or %WINDIR%\System32, but it may place a copy of the executable in both of them. Researchers have also concluded that it can, although more rarely, place the malicious executable in five other locations, which include %ALLUSERSPROFILE%\Start Menu\Programs\Startup, %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup and three others. On top of that, this ransomware creates a registry string in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run whose name should be similar to the name of the executable file. You can identify the string by looking at its Value data, which contains the path to the executable, for example %WINDIR%\Syswow64\Payload_c.exe or %WINDIR%\System32\Payload_c.exe. However, with so many variables, locating the directory where the executable is located may prove to be a challenge.

When Sitaram108 Ransomware encrypts your files using the RSA-2048 encryption algorithm, it appends the .id-B4500913.{sitaram108@india.com}.xtbl extension to them (the actual extension is .xtbl, with the ID and email address inserted before it). The email address in the braces is included for a reason: it is one of the two email addresses supplied for you to contact the cyber criminals and get instructions on how to pay the ransom. The ID part is random, and the characters will be different in your case. This ransomware also replaces the desktop wallpaper with an image called How to decrypt your files.jpg and drops a ransom note named How to decrypt your files.txt on the desktop. The text file reads “To decrypt your data write me to sitaram108@aol.com if you have no responce in 24 hours, write to sitaram108@india.com.” However, we urge you to think about it before paying the ransom, because you might not get the decryption tool.

We are of the opinion that you should not comply with the demands of criminals, because you will only encourage them to make more ransomware. If it has encrypted unimportant files, then we recommend that you delete Sitaram108 Ransomware using SpyHunter or the manual removal guide that we have included below. Both methods can be effective, but take note that locating this ransomware’s executable manually may prove to be a challenge.

Removal Instructions

  1. Press Windows+E keys to open File Explorer.
  2. Enter the following paths in the address box.
    • %WINDIR%\Syswow64
    • %WINDIR%\System32
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup
    • %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
  3. Find the executable file.
  4. Right-click it and click Delete.
  5. Empty the Recycle Bin.
  6. Press Windows+R keys.
  7. Type regedit in the dialog box and hit Enter.
  8. Go to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers
  9. Find BackgroundHistoryPath0 with the Value data C:\Users\user\Decryption instructions.jpg
  10. Right-click it and click Delete.
  11. Then, go to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  12. Find the randomly named registry strings with the Value data of %WINDIR%\Syswow64\name.exe and %WINDIR%\System32\name.exe and delete them.
  13. Change the desktop wallpaper.
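A read-only PowerShell triage script, added here and not part of the original guide, that checks the drop directories, the Run key, the .xtbl file-name pattern and the ransom note described above so you can confirm what is present before deleting anything by hand. The directory list and key names are those given in the guide; the “payload” name hint and the ID regex are assumptions drawn from the examples in the text.

```powershell
# Added read-only triage script (not from the original guide): it reports the
# indicators described above so you can confirm them before deleting anything.
$dropDirs = @(
    "$env:WINDIR\Syswow64",
    "$env:WINDIR\System32",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ALLUSERSPROFILE\Start Menu\Programs\Startup",
    "$env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ALLUSERSPROFILE\Application Data\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:USERPROFILE\Microsoft\Windows\Start Menu\Programs\Startup"
)

# 1. Executables in the drop locations whose name contains "payload"
#    (the exact file name varies, so the match is deliberately loose; assumption).
foreach ($dir in $dropDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Filter *.exe -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match 'payload' } |
        ForEach-Object { "[file] $($_.FullName)  modified $($_.LastWriteTime)" }
}

# 2. Run-key values pointing into Syswow64 or System32, the persistence
#    described above. Legitimate Run entries rarely launch from there.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
(Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).PSObject.Properties |
    Where-Object { $_.Name -notmatch '^PS' -and $_.Value -match '\\(Syswow64|System32)\\' } |
    ForEach-Object { "[run ] $($_.Name) = $($_.Value)" }

# 3. Encrypted files: "<original>.id-<ID>.{<email>}.xtbl". Count them and pull
#    the victim ID and contact address from the name, without opening any file.
$pattern = '\.id-(?<id>[0-9A-F]+)\.\{(?<mail>[^}]+)\}\.xtbl$'
$hits = @(Get-ChildItem -Path $env:USERPROFILE -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $pattern })
if ($hits.Count -gt 0 -and $hits[0].Name -match $pattern) {
    "[xtbl] ID=$($Matches.id) contact=$($Matches.mail)"
}
"[xtbl] $($hits.Count) encrypted file(s) under $env:USERPROFILE"

# 4. The ransom note and wallpaper image named in the guide, on the desktop.
foreach ($n in 'How to decrypt your files.txt', 'How to decrypt your files.jpg') {
    $p = Join-Path ([Environment]::GetFolderPath('Desktop')) $n
    if (Test-Path -LiteralPath $p) { "[note] $p" }
}
```

Run it from an elevated PowerShell prompt so the Syswow64 and System32 listings and the HKLM key are readable; nothing it prints is modified or deleted.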

In non-techie terms:

Sitaram108 Ransomware is a malicious application set to encrypt your most precious files, images, videos, and documents and then offer to sell you the decryption software to get them back. The cyber criminals might ask you for a substantial sum of money, which may not be worth the encrypted files. So we suggest that you remove this ransomware using one of our suggested methods.