RansSIRIA Virus Removal – Restore Encrypted Files

This article will help you remove the RansSIRIA virus completely. Follow the ransomware removal instructions provided at the end of the article.

The RansSIRIA virus is a newly released threat made by an unknown criminal collective. It relies heavily on social engineering tricks to coerce victims into interacting with it.

Threat Summary

Type: Ransomware, Cryptovirus
Short Description: The ransomware encrypts files on your computer system and demands a ransom to be paid to allegedly recover them.
Symptoms: The ransomware will encrypt your files with a strong encryption algorithm.
Distribution Method: Spam Emails, Email Attachments

RansSIRIA Virus – Distribution Ways

The RansSIRIA virus is operated by an unknown hacker or criminal collective and, unlike many other threats, uses non-standard social engineering tactics.

One of the primary distribution channels is a shortened URL that leads to the malware executable. According to the security reports the link was created on March 15, which is likely the start of the campaign. The URL is probably being spread through several mechanisms.

The criminals behind it send email messages containing hyperlinks that lead to the RansSIRIA virus. The messages can be customized with text and graphics taken from legitimate sites so that victims believe they were sent by those companies. The other method is to attach the file directly. Either method can be combined with payload carriers such as the following:

  • Documents — The hackers embed the malware code in files of different types: rich text documents, presentations and spreadsheets. When such a file is opened, a prompt asks the user to enable the built-in scripts (macros). If this is done, the virus is downloaded from a remote server.
  • Bundle Installers — The RansSIRIA virus can be delivered through modified application installers. These are made by taking the legitimate installer files from the official vendors and modifying them to include the malicious code. The hackers usually choose popular applications such as system utilities, creativity suites or computer games.

Another strategy is to use browser hijackers. These are malicious browser extensions built for the most popular browsers (Mozilla Firefox, Google Chrome, Safari, Opera, Internet Explorer and Microsoft Edge). They redirect victims to a hacker-controlled page by changing the default settings: home page, new tab page and search engine. The virus is then delivered from that page.

RansSIRIA Virus – In-Depth Analysis

As soon as the RansSIRIA virus is launched on a target computer it starts its malware engine. Depending on the exact configuration this can begin with a data harvesting module that searches for sensitive data in two main groups:

  • Anonymous Data — This data is used by the hackers to judge how effective their campaign is. It consists of hardware information and certain operating system values.
  • Personal Data — The module can be configured to extract data that directly exposes the user's identity by looking for specific strings. Examples are the user's name, address, phone number, interests, location, passwords and account credentials.

If a stealth protection component is included, it can use the harvested information to scan for installed applications that may interfere with the correct execution of the malware. This includes anti-virus software, debugging environments and virtual machine hosts.

The next step would be to make various system changes, such as modifying existing Windows Registry values or creating new ones. If such changes are applied, the victims may be unable to run certain applications or Windows services, and overall performance may suffer.

Changes can also be made to the boot options to disable the startup recovery menu. The RansSIRIA virus can be set to start automatically each time the computer boots. To make recovery harder, the malware engine can delete the Shadow Volume Copies of user data; deleting them requires administrative privileges, so a sample running as a standard user cannot do this without an elevation prompt or bypass. If the copies are gone, the victims will need a quality recovery solution. Refer to our instructions for further information.
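The boot-option and shadow-copy tampering described above leaves a distinct trace in process-creation telemetry, because it is almost always done by spawning Windows built-ins. The following detection helper is an added example, not code from the article or from the RansSIRIA sample; it matches the command lines ransomware families commonly use for this (vssadmin, wmic, bcdedit, wbadmin), and the article does not state which of them RansSIRIA itself invokes. The log lines are constructed, in a four-field Sysmon-event-ID-1-like shape (timestamp|Image|ParentImage|CommandLine), and the parent executable name is made up.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the article): timestamp|Image|ParentImage|CommandLine.
# The first four lines are the kind of pre-encryption tampering the text describes;
# the last two are benign noise (an admin listing shadow copies, a user opening notepad).
SAMPLE_LOG = """\
2018-03-16T09:12:01Z|C:\\Windows\\System32\\vssadmin.exe|C:\\Users\\ana\\AppData\\Local\\Temp\\fatura.exe|vssadmin delete shadows /all /quiet
2018-03-16T09:12:02Z|C:\\Windows\\System32\\bcdedit.exe|C:\\Users\\ana\\AppData\\Local\\Temp\\fatura.exe|bcdedit /set {default} recoveryenabled No
2018-03-16T09:12:02Z|C:\\Windows\\System32\\bcdedit.exe|C:\\Users\\ana\\AppData\\Local\\Temp\\fatura.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures
2018-03-16T09:12:03Z|C:\\Windows\\System32\\wbem\\WMIC.exe|C:\\Users\\ana\\AppData\\Local\\Temp\\fatura.exe|"wmic"   shadowcopy   delete
2018-03-16T10:00:00Z|C:\\Windows\\System32\\vssadmin.exe|C:\\Windows\\System32\\cmd.exe|vssadmin list shadows
2018-03-16T10:05:00Z|C:\\Windows\\System32\\notepad.exe|C:\\Windows\\explorer.exe|notepad C:\\Users\\ana\\notes.txt
"""

# Detection rules: (name, regex over the normalised command line). These are the
# standard Windows commands for the actions in question, not RansSIRIA-specific IOCs.
RULES = [
    ("shadow_copy_delete",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_delete",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("shadow_storage_resize",   # shrinking the diff area silently purges existing copies
     re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b.*maxsize=", re.I)),
    ("boot_recovery_disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("boot_status_policy_ignore",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("backup_catalog_delete",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
]

# Parents living under user-writable paths deserve more suspicion than cmd.exe run by an admin.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.I)


def normalise(cmdline):
    """Strip quotes and collapse whitespace; padding and quoting defeat naive substring matches."""
    return " ".join(cmdline.replace('"', "").split())


def classify(cmdline):
    """Return the sorted list of distinct rule names that match one command line."""
    norm = normalise(cmdline)
    return sorted({name for name, rx in RULES if rx.search(norm)})


def parse_log(text):
    """Split the pipe-delimited sample into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, image, parent, cmdline = line.split("|", 3)
        events.append({"ts": ts, "image": image, "parent": parent, "cmdline": cmdline})
    return events


def scan(text):
    """Return (hits, verdicts).

    hits     -- [(timestamp, parent image, [rule names])] for every matching event
    verdicts -- parent image -> 'high' when it performed two or more distinct tampering
                actions or runs from a user-writable path, else 'review' (a single
                vssadmin call from a system path may be a legitimate admin or backup job)
    """
    hits = []
    by_parent = defaultdict(set)
    for ev in parse_log(text):
        names = classify(ev["cmdline"])
        if names:
            hits.append((ev["ts"], ev["parent"], names))
            by_parent[ev["parent"]].update(names)
    verdicts = {}
    for parent, names in by_parent.items():
        verdicts[parent] = "high" if len(names) >= 2 or USER_WRITABLE.search(parent) else "review"
    return hits, verdicts


if __name__ == "__main__":
    hits, verdicts = scan(SAMPLE_LOG)
    for ts, parent, names in hits:
        print(ts, parent, ",".join(names))
    for parent, verdict in verdicts.items():
        print(verdict.upper(), parent)
```

The grouping by parent process is the important part: any one of these commands is also run by legitimate backup and deployment tooling, so the alert should key on a single non-system parent issuing several of them in quick succession rather than on the individual command line.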

Advanced copies of the RansSIRIA virus can also establish a network connection to a hacker-controlled server. This can be used to deliver additional threats to the infected computer or to spy on the victim. The malware operators can also exfiltrate user data if desired.

RansSIRIA Virus – Encryption Process

Once all necessary components have executed correctly the encryption process starts. It uses a strong cipher to encrypt target user data, which can include any of the following:

  • Archives
  • Documents
  • Music
  • Videos
  • Photos
  • Databases
  • Backups
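During response, the first practical question is which files in those categories were actually encrypted, since the article does not say whether RansSIRIA renames them. The following triage helper is an added example, not code from the article or the malware; it relies only on the ciphertext of a strong cipher being indistinguishable from random bytes. It computes the Shannon entropy of each file's head and checks it against the expected magic bytes for the file's extension (a constructed table of common formats), because archives, photos, music and video are already near-maximum entropy when intact, and entropy alone would flag them all as encrypted.

```python
import math
import os
from collections import Counter

# Expected leading bytes for common formats (constructed table; extend as needed).
MAGIC = {
    ".pdf": b"%PDF",
    ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".7z": b"7z\xbc\xaf\x27\x1c", ".rar": b"Rar!\x1a\x07", ".gz": b"\x1f\x8b",
    ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".gif": b"GIF8",
    ".sqlite": b"SQLite format 3\x00", ".db": b"SQLite format 3\x00",
}

SAMPLE_BYTES = 64 * 1024   # enough of the head to get a stable entropy estimate
THRESHOLD = 7.9            # bits per byte; random data on 64 KiB sits at about 7.997


def entropy(data):
    """Shannon entropy in bits per byte of the given bytes (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_bytes(head, ext):
    """Return (verdict, entropy) for a file head and its lower-cased extension.

    'plain'        -- recognised header intact, or low entropy: not encrypted
    'encrypted'    -- known format whose header is gone and whose body looks random
    'high-entropy' -- random-looking but unknown extension: ciphertext, or a legitimately
                      compressed file this table does not know; needs a manual look
    """
    ent = entropy(head)
    expected = MAGIC.get(ext)
    if expected is not None and head.startswith(expected):
        return "plain", ent
    if ent >= THRESHOLD:
        return ("encrypted" if expected is not None else "high-entropy"), ent
    return "plain", ent


def classify_file(path):
    """Classify one file on disk by reading only its head."""
    with open(path, "rb") as f:
        head = f.read(SAMPLE_BYTES)
    return classify_bytes(head, os.path.splitext(path)[1].lower())


def triage(root):
    """Walk a directory tree; return [(path, verdict, entropy)] for files that are not 'plain'."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                verdict, ent = classify_file(path)
            except OSError:
                continue   # unreadable file (locked, permissions): skip rather than abort
            if verdict != "plain":
                findings.append((path, verdict, ent))
    return findings


if __name__ == "__main__":
    import sys
    for path, verdict, ent in triage(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{verdict:13s} {ent:5.3f}  {path}")
```

The 'high-entropy' bucket is where the caveat from the list above lands: an encrypted .mp4 and an intact .mp4 both score near 8 bits per byte, so for formats this table does not cover the only reliable tell is whether the original header is still present, which is why extending MAGIC for the environment's common types does more for accuracy than tuning THRESHOLD.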

A full-screen lockscreen is launched that resembles the WannaCry one and displays a message written in Portuguese:

Sorry, your files have been locked

Permita nos apresentar como Anonymous, e Anonymous apenas.
Nós somos uma idéia. Uma idéia que não pode ser contida, perseguida nem aprisionada.
Milhares de seres humanos estão nesse momento rufigiados, feridos, com fome e sofrendo…
Todos como vítimas de uma guerra que não é nem mesmo deles!!!
Mas infelizmente apenas palavras não mudarão a situação desses seres humanos…
NÃO queremos os seus arquivos ou lhe prejudicar…, queremos apenas uma pequena contribuição…
Lembre-se.., contribuindo você não vai estar apenas recuperando os seus arquivos…
…e sim ajudando a recuperar a dignidade dessas vitimas…

Envie a sua contribuição de apenas: Litecoins para carteira/endereço abaixo.

An English language translation reads the following:

Sorry, your files have been locked

Allow us to introduce ourselves as Anonymous, and Anonymous only.
We are an idea. An idea that cannot be contained, pursued or imprisoned.
Thousands of human beings are at this moment refugees, wounded, hungry and suffering…
All of them victims of a war that is not even theirs!!!
But unfortunately words alone will not change the situation of these human beings…
We DO NOT want your files or to harm you… we only want a small contribution…
Remember… by contributing you will not just be recovering your files…
…but helping to restore the dignity of these victims…

Send your contribution of only: Litecoins to the wallet/address below.

As an additional social engineering tactic the RansSIRIA virus opens a series of photographs of war victims. The operators also use a popular YouTube video chosen to make a strong impression on the user, and the ransomware link leads to a news report about Syrian refugees.

Remove RansSIRIA Ransomware and Restore Affected Files

If your computer system has been infected with the RansSIRIA ransomware, you should have some experience in removing malware. Get rid of the ransomware as quickly as possible, before it has the chance to spread further and infect other computers, and then follow the step-by-step instructions guide provided below.

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
