Cyber Security Center

Sglh ransomware removal


Sglh ransomware, file-encrypting malware from the Djvu/STOP ransomware family, is a dangerous piece of malware. It will encrypt files, add the .sglh and drop a _readme.txt ransom note that demands users pay $980 in ransom in order to get the decryptor.

 

Sglh ransomware note

Sglh ransomware is malware that encrypts files. It’s yet another version from the Djvu/STOP ransomware family, which is responsible for releasing more than two hundred ransomware versions, such as Epor, Vvoa, Agho, Vpsh, and Jdyi. The versions are more or less the same, but users can identify which version they are dealing with by the extension added to encrypted files. This one adds .sglh to encrypted files. Users will not be able to open any of the files with this extension, unless they decrypt them using the decryptor that’s works specifically for them. The cyber crooks behind this ransomware will try to sell the decryptor to victims for $980 (or $490 if contact is made within the first 72 hours). However, we never recommend paying the ransom because it does not ensure that a decryptor will actually be sent. A lot of users have been left with no decryptor and no money. Thus, users should be aware that paying is a risk.

The ransomware uses online keys to encrypt files, which means that it’s different for every victim. That key is necessary in order to work a decryptor. Because the keys are unique to each users, malware researchers are unable to develop a working decryptor. There is a free decryptor for older Djvu/STOP ransomware versions, but researchers were able to create it because older versions used offline keys. However, it’s not out of the realms of possibility that the cyber gang behind this ransomware will release the keys eventually, or that they will be caught by law enforcement. So users who are out of options should back up the encrypted files and occasionally check NoMoreRansom or Emsisoft for a decryptor.

Only users who have backup can recover files for free at this time. Though they first need to make sure to fully delete Sglh ransomware from the computer. Otherwise, when users connect to backup the backed up files may become encrypted.

Users should also be aware that there are many fake decryptors on the Internet, downloading which could infect the computer with additional malware. Thus, users should only download from safe sources, like NoMoreRansom or Emsisoft.

What does Sglh ransomware do?

When users initiate the ransomware, a fake Windows Update will appear in order to distract users from what’s happening. In the background, it will encrypt files. Usually, ransomware encrypts files like photos, documents, videos, etc. All encrypted files will have .sglh added to them, which will help users identify which ransomware they are dealing with. The ransomware will also drop the _readme.txt ransom note in all folders containing encrypted files. The note contains information on how users can recover their files, which includes paying the $980 ransom. According to the note, if users make contact within the first 72 hours, they will get a 50% discount, making the ransom $490. However, whether users actually get the discount or not, paying is risky. Users should keep in mind that they are dealing with cyber criminals who are unlikely to feel obligated to help users, even those who pay. Furthermore, users paying the ransom only encourages these cyber crooks to continue their malicious activity.

At this time, only users who have backup can recover files for free. Users who do not have backup should back up the encrypted files and wait for a free decryptor to be released.

Here is the ransom note dropped by Sglh ransomware:

ATTENTION!

Don’t worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-lYFGr2p9Fq
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.

To get this software you need write on our e-mail:
helpmanager@mail.ch

Reserve e-mail address to contact us:
restoremanager@airmail.cc

Your personal ID:

How is ransomware distributed

When it comes to ransomware, it’s usually users who have bad browsing habits that get infected most often. It’s because they open unsolicited email attachments without checking them first, pirate copyrighted content via torrents, and click on advertisements when on high-risk websites. Developing better browsing habits can help avoid a lot of malware.

Spam email is one of the most common ways users pick up ransomware. Malicious actors purchase email addresses from hacker forums and then proceed to send malspam to them. The good news is that malspam is usually quite obvious, so if users know what to look for, they should be able to recognize it. The emails are usually sent from random-looking email addresses, the email itself would contain loads of grammar and spelling mistakes, and it would pressure users into opening the email attachment. However, not all malspam is as obvious, which is why we recommend that users always scan unsolicited email attachments with anti-virus or VirusTotal.

Torrenting is also a common way users pick up ransomware. Torrent sites are not regulated properly, which allows cyber crooks to easily upload their malware disguised as some popular movie, TV series, or game. It’s especially common for popular movie and TV series torrents to contain some kind of malware.

Sglh ransomware removal

Users need to use anti-malware software to remove Sglh ransomware. If they attempt to do it manually, they may end up causing even more damage. Unfortunately, removing the ransomware does nothing to decrypt files.

Sglh ransomware is detected as:

  • A Variant Of Win32/Kryptik.HHNW by ESET
  • Trojan.GenericKDZ.71456 (B) by Emsisoft
  • Trojan:Win32/EmotetCrypt!ml by Microsoft
  • Trojan.MalPack.GS by Malwarebytes
  • HEUR:Exploit.Win32.Shellcode.gen by Kaspersky