The .5ss5c virus is a ransomware strain that is currently being deployed against end users on a global scale. There is no information available about the hacking group behind it. It is believed to be a new iteration of the famous ransomware family, which is one of the reasons why we believe that the hackers are experienced.
Once the .5ss5c virus has started, it will execute its built-in sequence of dangerous commands. Depending on local conditions or specific instructions from the hackers, various actions will take place. File encryption begins after these: the encrypting component uses a built-in list of target file type extensions, and in the end the victim files are renamed with the .5ss5c extension.
| Short Description | The ransomware encrypts files on your computer and demands a ransom to be paid to allegedly restore them. |
|---|---|
| Symptoms | The ransomware blackmails the victims into paying a decryption fee. Sensitive user data may be encrypted by the ransomware code. |
| Distribution Method | Spam Emails, Email Attachments |
As of January 16 there is additional information available about the .5ss5c virus. According to a separate security report, the virus has been in development since at least November of last year. An analysis of the virus shows that it includes several important components which are triggered by the built-in sequence: a downloader, a separate infection module and a file checker. One of the first actions taken by the virus upon infection is to confirm that all associated data has been delivered. The unpacking sequence then commences. The analysis shows that alongside the ransomware itself two other elements are delivered: a Spreader (credentials bypass tool) module and a separate password theft utility.
The file scanning routine runs with a loaded exceptions list so that important system data is not removed. It also interacts with a process lookup function to stop any software associated with databases. One of the captured samples was found to expose the list of file types that will be affected by the ransomware:
7z, bak, cer, csv, db, dbf, dmp, docx, eps, ldf, mdb, mdf, myd, myi, ora, pdf, pem, pfx, ppt, pptx, psd, rar, rtf, sql, tar, txt, vdi, vmdk, vmx, xls, xlsx, zip
An unknown .5ss5c virus has been detected and categorized as ransomware: a file-encrypting algorithm is run on selected data to make it inaccessible. At the moment there is not much information available about the hackers or the ransomware. Very few samples have been released in the wild, which gives us reason to believe that it is still under development. A wide variety of techniques are used to spread prospective virus samples. They include the following:
- Phishing Campaigns: The criminals can plan elaborate social engineering campaigns that manipulate the victims into thinking they have accessed a legitimate site or email message. The campaigns include sending out email messages and hosting fake download pages. These can include stolen or forged content that looks like authentic images and text. To coerce the victims into interacting with the shown data, the criminals host the sites on similar-sounding domain names; in some cases the hackers also include self-signed security certificates.
- Macro-Infected Documents: This is a popular strategy which relies on preparing documents in all popular formats: text files, spreadsheets, presentations and databases. When opened by the victims, a prompt is spawned asking them to enable the built-in macros. If this is done, the virus code is launched.
- Infected Application Installers: A very popular method relies on creating numerous setup bundles of popular software with the virus code embedded inside them. The hackers typically rely on these because they are frequently downloaded, and by posting them to various outlets such as hacker-controlled download portals and file-sharing networks the infections can be carried out very easily.
- Browser Hijackers: These are dangerous plugins made for web browsers which are often uploaded with fake or stolen credentials. The places where users can expect to find them include official plugin repositories (where stolen developer credentials are used), as well as the numerous copycat download sites.
The security analysis shows that the current version of the .5ss5c virus is also being delivered using the EternalBlue exploit and is targeted at Chinese users. This gives us reason to believe that the criminals are probably using an automated hacking toolkit and have focused on a given territory.
A sample analysis gives detailed information about the possible consequences of a .5ss5c virus infection. There are several different variations which exhibit slightly different behavior. The more advanced version has the ability to interact with the installed web browsers by hijacking the user prompt and retrieving all stored data: history, bookmarks, account data, preferences, etc.
Advanced process control also shows that the virus is able to create multiple processes with different privileges, designed to carry out extensive malware activity. Some of the common actions performed by such threats include the following:
- Additional Virus Installation: The ransomware infection is capable of deploying other threats to already compromised hosts. Popular options include miners, Trojans and hijackers.
- Trojan Operations: Some of the samples have been shown to include the ability to connect to a remote server and give the hackers access to the machines. This is used to hijack data, take over control and carry out other malware actions.
- System Changes: The virus engine can also modify key settings and configuration files. This can result in the inability to run certain settings and features of the operating system or certain user-installed applications.
- Files Removal: Some virus samples of this category can be programmed to delete sensitive files such as user photos or system backups.
We suspect that the ransomware engine will also be programmed to execute hacker-controlled commands, relayed via the established network connection.
The ransomware engine is then started. Like other popular threats, the .5ss5c virus encrypts target user data according to a built-in list of target file type extensions. Usually such operations act against multimedia files, documents, archives, backups, etc. To mark the affected files, the .5ss5c extension is assigned to them. Some of the testing versions encrypt only compressed files.
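As an added example (not code from the original report), the following Python helper ties together the extension list exposed by the captured sample and the .5ss5c renaming described above: given a listing of file names from an affected host, it recovers each renamed file's original extension, flags those outside the published target list (a hint of a newer build with a wider list), and counts database files, the category whose software the sample stops. It assumes the suffix is appended after the original extension (report.docx.5ss5c) and that the caller supplies the file names, for example from os.walk.

```python
from collections import Counter
from pathlib import Path
from typing import Iterable, Optional

# Target extensions quoted from the captured sample discussed above.
TARGET_EXTENSIONS = frozenset(
    "7z bak cer csv db dbf dmp docx eps ldf mdb mdf myd myi ora pdf pem pfx "
    "ppt pptx psd rar rtf sql tar txt vdi vmdk vmx xls xlsx zip".split()
)
# Subset tied to database engines, the software the sample stops before encrypting.
DATABASE_EXTENSIONS = frozenset("db dbf dmp ldf mdb mdf myd myi ora sql".split())
RANSOM_SUFFIX = ".5ss5c"  # assumption: appended to the full name, e.g. report.docx.5ss5c


def original_extension(name: str) -> Optional[str]:
    """Extension the file had before the suffix was appended ('' if none),
    or None when the name does not carry the suffix at all."""
    if not name.lower().endswith(RANSOM_SUFFIX):
        return None
    ext = Path(name[: -len(RANSOM_SUFFIX)]).suffix
    return ext[1:].lower() if ext else ""


def triage(names: Iterable[str]) -> dict:
    """Count renamed files by original extension. Files whose original
    extension is not on the published list are reported separately: they
    point at a newer build with a wider target list."""
    hits = Counter()
    unexpected = []
    for name in names:
        ext = original_extension(name)
        if ext is None:
            continue  # untouched file
        hits[ext] += 1
        if ext not in TARGET_EXTENSIONS:
            unexpected.append(name)
    return {
        "total": sum(hits.values()),
        "database_files": sum(n for e, n in hits.items() if e in DATABASE_EXTENSIONS),
        "by_extension": dict(hits),
        "unexpected": unexpected,
    }


# Constructed sample listing, not taken from a real infection.
SAMPLE_NAMES = ["report.docx.5ss5c", "sales.mdf.5ss5c", "Q4.xlsx", "keys.pem.5ss5c",
                "photo.jpg.5ss5c", "README.5ss5c", "backup.tar.5ss5c"]

if __name__ == "__main__":
    print(triage(SAMPLE_NAMES))
```

On a real host, pass the names produced by walking the affected volumes (for example `triage(n for _, _, files in os.walk(root) for n in files)`), and treat a non-empty `unexpected` list as a reason to re-examine the sample.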
Remove .5ss5c Virus
If your computer system got infected with the .5ss5c Files ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible, before it has the chance to spread further and infect other computers. Remove the ransomware and follow the step-by-step instruction guide provided below.