.Sinta Files Virus (SintaLocker) – How to Remove + Restore Files


This article explains how to remove the .Sinta files virus, called SintaLocker, and shows how to restore files encrypted by this ransomware with the .sinta extension without paying.

A new file-encrypting virus has been detected in the wild. It encrypts the files on victims' computers and then adds the .sinta file extension to them. The virus then drops a ransom note file named “README_FOR_DECRYPT.md”, which aims to extort victims into paying a hefty ransom of $100 USD in BitCoin to get the files decrypted. If your computer has been infected with the .sinta files virus, we recommend that you read the following article to learn how to remove this ransomware from your computer and how to try to recover your encrypted files without paying any ransom.

Threat Summary

Type: Ransomware, Cryptovirus
Short Description: Encrypts the files on your computer, after which it asks you to pay the sum of $100 as a ransom to get them to work again.
Symptoms: Files are encrypted and given the .sinta file extension, and a ransom note called README_FOR_DECRYPT.md is dropped as well.
Distribution Method: Spam Emails, Email Attachments, Executable files

.sinta Files Ransomware – How Did I Get Infected

The primary infection method associated with SintaLocker is malicious spam e-mail, whose purpose is to get victims to open a malicious e-mail attachment, usually disguised as a legitimate type of file. Such files may pretend to be:

  • Documents.
  • Receipts.
  • Invoices.
  • Banking statements.
  • Financial reports.

The malicious files may be delivered in different ways:

  • Via malicious macros embedded in legitimate Microsoft Office documents.
  • Via links to Dropbox and other types of online services that lead to external file sharing sites.
  • Via a malicious file attached directly to the e-mail inside an archive.

The messages that may accompany the e-mail attachments are written to be convincing and stress the importance of the attached files. Here is an example of such a message:

Analysis of SintaLocker Ransomware

Once the SintaLocker virus has infected your computer, the malware may connect to a distribution host via an unsecured port on your computer system. From there, SintaLocker drops its malicious files on your computer system. They are primarily located in the Windows directories commonly targeted by malware:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%

Since SintaLocker is a CryPy ransomware variant, the virus may drop files of the following file types under different, often random names:

→ .exe, .tmp, .bat, .cmd, .dll, .vbs, etc.

As soon as the payload of the SintaLocker CryPy variant is dropped, the malware may start to modify your computer, first by obtaining administrative permissions. Only then may the .sinta files virus modify the Windows Registry and set custom registry entries that allow it to run automatically on system start-up. The targeted sub-keys for this purpose are the following:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
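One way to review the autorun sub-keys listed above for values that launch one of the dropped file types from an AppData location. This is an added example, not code from the original article; the exported values, value names and user name are constructed, and on a live system the (key, name, data) tuples would come from a registry export.

```python
import re

# A file path (drive letter or %AppData%-style variable) ending in one of the
# dropped-file extensions listed on this page.
PATH_RX = re.compile(
    r'(?:[a-z]:|%(?:local)?appdata%)\\[^"<>|*?]*?\.(?:exe|tmp|bat|cmd|dll|vbs)\b',
    re.IGNORECASE)


def appdata_targets(data):
    """Return the paths in a Run/RunOnce value that live under AppData."""
    hits = []
    for match in PATH_RX.finditer(data):
        path = match.group(0)
        low = path.lower()
        if "\\appdata\\" in low or low.startswith(("%appdata%", "%localappdata%")):
            hits.append(path)
    return hits


HKLM = "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\"
HKCU = "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\"

# Constructed autorun export (key, value name, value data), not from a real host.
SAMPLE_VALUES = [
    (HKCU + "Run", "Updater", r'"C:\Program Files\Vendor\app.exe" /background'),
    (HKCU + "Run", "kq3x", r'wscript.exe "C:\Users\bob\AppData\Roaming\kq3x.vbs"'),
    (HKLM + "RunOnce", "a1", r"rundll32.exe C:\Users\bob\AppData\LocalLow\a1.dll,Start"),
    (HKLM + "Run", "svc", r"%AppData%\svc.tmp"),
    (HKLM + "Run", "Shell", r"C:\Windows\System32\cmd.exe /c C:\Users\bob\AppData\Local\r.bat"),
]


def review_list(values):
    """Return (key, value name, path) for every autorun target under AppData."""
    return [(key, name, path)
            for key, name, data in values
            for path in appdata_targets(data)]


if __name__ == "__main__":
    for key, name, path in review_list(SAMPLE_VALUES):
        print(f"{key} [{name}] -> {path}")
```

Per-user software also autostarts from AppData, so treat the output as a list to review rather than a verdict.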

In addition to this activity, the SintaLocker ransomware may also delete your shadow volume copies by running a malicious script in the background of your computer which uses the vssadmin and bcdedit commands:

→ process call create “cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures”
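Detection logic for the command line quoted above, run over process-creation records. This is an added example, not code from the original article; the host names and sample records are constructed, and the three rule names are labels chosen here.

```python
import re

# One rule per recovery-inhibiting action in the command quoted above.
RULES = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"),
    "recovery_disabled": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+\S+\s+recoveryenabled\s+no\b"),
    "boot_failures_ignored": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+\S+\s+bootstatuspolicy\s+ignoreallfailures\b"),
}


def normalise(cmdline):
    """Lower-case, strip straight and curly quotes, collapse whitespace."""
    cleaned = re.sub(r"[\"'“”]", "", cmdline.lower())
    return re.sub(r"\s+", " ", cleaned).strip()


def classify(cmdline):
    """Return the sorted names of the rules a command line triggers."""
    text = normalise(cmdline)
    return sorted(name for name, rx in RULES.items() if rx.search(text))


# Constructed process-creation records (host, command line), not real telemetry.
SAMPLE_EVENTS = [
    ("WS-01", "cmd.exe /c vssadmin.exe delete shadows /all /quiet & "
              "bcdedit.exe /set {default} recoveryenabled no & "
              "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"),
    ("WS-02", "vssadmin list shadows"),                       # benign query
    ("WS-03", r"C:\Windows\System32\VSSADMIN.EXE  Delete Shadows /All"),
    ("WS-04", "bcdedit /enum"),                               # benign query
    ("WS-05", 'bcdedit /set "{current}" recoveryenabled No'),
]


def triage(events):
    """Return (host, rule names) for each event that triggers any rule."""
    hits = ((host, classify(cmd)) for host, cmd in events)
    return [(host, rules) for host, rules in hits if rules]


if __name__ == "__main__":
    for host, rules in triage(SAMPLE_EVENTS):
        print(f"{host}: {', '.join(rules)}")
```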

After this is complete, the SintaLocker ransomware may also drop its ransom note file, which may be either in the .md file format or a .txt document. Either way, the file is named README_FOR_DECRYPT and has the following content in it:

! ! OWNED BY SintaLocker ! ! !

All your files are encrypted by SintaLocker with strong chiphers.
Decrypting of your files is only possible with the decryption program, which is on our secret server.
All encrypted files are moved to __SINTA I LOVE YOU__ directory and renamed to unique random name.
To receive your decryption program send $100 USD Bitcoin to address: 1NEdFjQN74ZKszVebFum8KFJNd9oayHFT1
Contact us after you send the money: [email protected]

Just inform your identification ID and we will give you next instruction.
Your personal identification ID: {ID}

As your partner,


SintaLocker’s Encryption Procedure

Similar to the CryPy ransomware from which it derives, SintaLocker may use the same AES-256 encryption algorithm in order to render the files no longer openable by the victim. To do this, the virus performs the following sequential activities:

1) Encrypts the file using a strong AES-256 encryption algorithm.
2) Generates a unique decryption key.
3) Sends the decryption key to the SintaLocker ransomware’s command and control server.

The SintaLocker ransomware does not encrypt just any file. The virus may target files that are often used, like the following file types:

  • Documents.
  • Audio files.
  • Videos.
  • Image files.
  • Archives.
  • Files associated with often used programs.

The virus skips encrypting files in the following important Windows directories:


After this has been done, the SintaLocker ransomware adds the .sinta file extension to the encrypted files, resulting in them looking like the following:

Remove SintaLocker Ransomware and Restore .sinta Encrypted Files

In order to get rid of this ransomware virus, you will need to isolate it first and then hunt for all the changes it has made on your computer, plus the files created by it. You can follow the manual removal instructions below to do this. However, malware researchers strongly recommend downloading ransomware-specific anti-malware software, which will take care of SintaLocker ransomware automatically and make sure that your computer remains protected against other threats as well.

If you want to restore files that have been encrypted by SintaLocker ransomware, it is strongly advisable to try out the alternative methods for file recovery below in step “2. Restore files encrypted by SintaLocker”. They are specifically designed to help you restore as many files as possible without paying any ransom. Even though they may not be 100% effective, we have received reports on our forums that victims have been able to restore up to 50+ files using those tools.


To remove SintaLocker follow these steps:

1. Boot Your PC In Safe Mode to isolate and remove SintaLocker files and objects
2. Find files created by SintaLocker on your PC

Before starting the Automatic Removal below, please boot back into Normal mode, in case you are currently in Safe Mode.
This will enable you to install and use SpyHunter 5 successfully.

Use SpyHunter to scan for malware and unwanted programs

3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
4. Try to Restore files encrypted by SintaLocker

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
