What is RansSIRIA ransomware? And how does it execute its attack?
RansSIRIA ransomware is a newly discovered file-encrypting threat that encrypts files and claims the ransom payment will be donated to Syrian refugees. According to security experts, it is a variant of the WannaPeace ransomware and appears to target users in Brazil. Once executed, it displays a fake Word window that takes some time to open; meanwhile it encrypts the files on the infected PC, then shows a program window containing an emotional plea to pay the ransom, which it claims will be used to help Syrian refugees.
RansSIRIA ransomware is reported to drop a malicious executable named “RsSIRIA.exe” into the Temp folder, along with modified open-source DLL files. It encrypts images, video, audio, databases, documents, text files and other user-generated files using the AES encryption algorithm. After encryption it launches a full lock screen that resembles WannaCry’s and displays a ransom note written in Portuguese, which reads:
“Sorry, your files have been locked
Permita nos apresentar como Anonymous, e Anonymous apenas.
Nós somos uma idéia. Uma idéia que não pode ser contida, perseguida nem aprisionada.
Milhares de seres humanos estão nesse momento rufigiados, feridos, com fome e sofrendo…
Todos como vítimas de uma guerra que não é nem mesmo deles!!!
Mas infelizmente apenas palavras não mudarão a situação desses seres humanos…
NÃO queremos os seus arquivos ou lhe prejudicar…, queremos apenas uma pequena contribuição…
Lembre-se.., contribuindo você não vai estar apenas recuperando os seus arquivos…
…e sim ajudando a recuperar a dignidade dessas vitimas…
nvie a sua contribuição de apenas: Litecoins para carteira/endereço abaixo”.
Here’s an English translation of the ransom note:
“Sorry, your files have been locked
Allow us to introduce ourselves as Anonymous, and Anonymous only.
We are an idea. An idea that cannot be contained, pursued or imprisoned.
Thousands of human beings are at this moment refugees, wounded, hungry and suffering…
All of them victims of a war that is not even theirs!!!
But unfortunately words alone will not change the situation of these human beings…
We DO NOT want your files or to harm you…, we only want a small contribution…
Remember.., by contributing you will not only be recovering your files…
…but also helping to restore the dignity of these victims…
Send your contribution of only: Litecoins to the wallet/address below”.
After displaying its ransom note, RansSIRIA ransomware opens a series of images showing victims of the war in Syria, as well as a popular YouTube video showing what the war does to a child. Although no one can dispute that what is happening in Syria is horrific and that the suffering of Syrians is unimaginable, the cyber crooks behind RansSIRIA ransomware are not actually donating the ransom to refugees; they are simply trying to profit from other people’s suffering.
How does RansSIRIA ransomware proliferate?
RansSIRIA ransomware is operated by an unknown hacker or group that, unlike most ransomware developers, does not rely on social engineering tactics to spread its malicious payload. One of the primary distribution methods used by the crooks behind this threat is a shortened URL leading to the malicious executable of RansSIRIA ransomware, which according to researchers was first created on March 15, 2018. The crooks also use email messages containing hyperlinks to the malicious file.
Refer to the instructions below to remove RansSIRIA ransomware from your system.
Step 1: Press Ctrl + Alt + Delete to open the menu, then expand the Shutdown options next to the power button.
Step 2: Hold the Shift key and click Restart.
Step 3: In the Troubleshoot menu that opens, click Advanced options and then go to Startup Settings.
Step 4: Click Restart, then press F4 to select Safe Mode or F5 to select Safe Mode with Networking.
Step 5: After your PC has rebooted, press Ctrl + Shift + Esc to open Task Manager.
Step 6: Go to the Processes tab, look for RsSIRIA.exe and end its process.
Step 7: Close Task Manager and open Control Panel’s Programs and Features by pressing Windows key + R, typing appwiz.cpl and clicking OK or pressing Enter.
Step 8: Look for programs related to RansSIRIA ransomware and uninstall them.
Step 9: Close Control Panel and press Win + E to open File Explorer.
Step 10: Navigate to the following locations, look for the malicious components created by RansSIRIA ransomware, such as RsSIRIA.exe and other files associated with this threat, and delete them all.
- %APPDATA%
- %TEMP%
- %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
- %USERPROFILE%\Downloads
- %USERPROFILE%\Desktop
Step 11: Close File Explorer.
Before proceeding to the next steps, make sure you are tech-savvy enough to know exactly how to navigate and edit your computer’s Registry; any change you make there will have a significant impact on your computer. To save yourself the trouble and time, you can instead use [product-name], a system tool proven to be safe and robust enough that hackers won’t be able to compromise it. But if you can manage the Windows Registry well, then by all means go on to the next steps.
Step 12: Press Win + R to open Run, type regedit in the field and press Enter to open the Windows Registry Editor.
Step 13: Navigate to the paths listed below and look for the registry keys and sub-keys created by RansSIRIA ransomware.
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization
- HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut
- HKEY_CURRENT_USER\Control Panel\Desktop
Step 14: Delete the registry keys and sub-keys created by RansSIRIA ransomware.
Step 15: After that, close the Registry Editor and empty the Recycle Bin.
After completing the steps above, continue the removal of RansSIRIA ransomware using a reliable program such as [product-name]. To do so, follow the advanced removal steps below.
Perform a full system scan using [product-code]. To do so, follow these steps:
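The indicators described above (the RsSIRIA.exe process and dropped file) and the manual checks in Steps 6, 10 and 13 can be run as one triage pass. The following PowerShell script is an added example; it is not from the original article, the [product-name] tool or the malware’s authors. The file name RsSIRIA.exe, the drop folders and the registry paths are the ones the article lists; the script layout, the report-only default and the hypothetical -Remediate switch are my assumptions. Run it from an elevated PowerShell prompt after booting into Safe Mode (Steps 1 to 4).

```powershell
# Added triage script (hypothetical; not part of the original article).
# Checks a Windows host for the indicators the article lists: the RsSIRIA.exe
# process, dropped copies of the file in the listed folders, and autostart
# entries that reference it. By default it only reports; -Remediate removes.
[CmdletBinding()]
param(
    [switch]$Remediate   # assumption: without this switch nothing is changed
)

$indicatorName = 'RsSIRIA.exe'   # file name reported by the article

# Drop locations from Step 10, with environment variables expanded
$dropFolders = @(
    $env:APPDATA,
    $env:TEMP,
    (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'),
    (Join-Path $env:USERPROFILE 'Downloads'),
    (Join-Path $env:USERPROFILE 'Desktop')
)

# Autostart keys from Step 13; each value's data is searched for the indicator name
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Lock-screen / desktop keys from Step 13 whose values are printed for manual review
$reviewKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization',
    'HKCU:\Control Panel\Desktop'
)

# 1. Running process (Step 6). Processes without an accessible path are skipped.
$procs = Get-Process -ErrorAction SilentlyContinue | Where-Object {
    $_.Path -and ((Split-Path $_.Path -Leaf) -ieq $indicatorName)
}
foreach ($p in $procs) {
    Write-Warning "Process found: PID $($p.Id) $($p.Path)"
    if ($Remediate) { Stop-Process -Id $p.Id -Force }
}

# 2. Dropped files (Step 10); recursive so nested Temp subfolders are covered.
$files = foreach ($folder in $dropFolders) {
    if ($folder -and (Test-Path -LiteralPath $folder)) {
        Get-ChildItem -LiteralPath $folder -Recurse -File -Filter $indicatorName -ErrorAction SilentlyContinue
    }
}
foreach ($f in $files) {
    # Record the hash before deletion so the sample can be identified later
    $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    Write-Warning "File found: $($f.FullName) SHA256=$hash"
    if ($Remediate) { Remove-Item -LiteralPath $f.FullName -Force }
}

# 3. Autostart values whose data references the indicator (Steps 13 and 14)
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-ItemProperty -LiteralPath $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath metadata
        if ("$($prop.Value)" -imatch [regex]::Escape($indicatorName)) {
            Write-Warning "Autostart value: $key\$($prop.Name) = $($prop.Value)"
            if ($Remediate) { Remove-ItemProperty -LiteralPath $key -Name $prop.Name }
        }
    }
}

# 4. Keys the article associates with the lock screen: list values for a human to review
foreach ($key in $reviewKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-ItemProperty -LiteralPath $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }
        Write-Output "Review: $key\$($prop.Name) = $($prop.Value)"
    }
}

if (-not ($procs -or $files)) {
    Write-Output "No $indicatorName process or file found in the listed locations."
}
```

The script deliberately separates detection from removal: a first run without -Remediate shows what would be touched, and the SHA256 of any dropped file is logged before it is deleted so the sample can still be matched against vendor reports. The keys under section 4 are only listed, not cleared, because the article does not say which values the ransomware sets there.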
- Turn on your computer. If it’s already on, reboot it.
- The BIOS screen will then be displayed; if Windows starts instead, reboot your computer and try again. Once you’re on the BIOS screen, press F8 repeatedly until the Advanced Options menu appears.
- To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
- Windows will now load Safe Mode with Networking.
- Press and hold the Windows key and the R key.
- If done correctly, the Windows Run box will appear.
- Type the URL [product-url] into the Run dialog box and press Enter or click OK.
- The program will then be downloaded. Wait for the download to finish, then open the launcher to install the program.
- Once the installation process is completed, run [product-code] to perform a full system scan.