.slvpawned SecretSystem Malware (Decrypt Files) - How to, Technology and PC Security Forum | SensorsTechForum.com

.slvpawned SecretSystem Malware (Decrypt Files)

This article should be able to help you remove the SecretSystem ransomware infection from your computer and aims to show you how to restore .slvpawned encrypted files.

A ransomware virus detected in the middle of May 2017 has been reported to use the .slvpawned file extension which it adds to the files encrypted by it. The virus aims to encode the important documents, videos, music, photos and other types of files on the computer so that they are no longer able to be opened. After the encryption process is complete, the ransomware virus leaves behind a ransom note in which it demands victims to pay a hefty ransom fee in order to get the files back – 500 U.S. dollars. In case you have become a victim of this ransomware infection, recommendations are to read this article thoroughly.

Threat Summary



Short DescriptionSecretSystem encrypts the files on the computers infected by it and then demands $500 ransom to get the files back to working state.

SymptomsThe victim may see the files encrypted with added .slvpawned file extension. Also a ransom note is added with instructions by SecretSystem ransomware.
Distribution MethodVia an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool See If Your System Has Been Affected by SecretSystem


Malware Removal Tool

User ExperienceJoin our forum to Discuss SecretSystem.
Data Recovery ToolStellar Phoenix Data Recovery Technicians License(Pro version with more features) Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Update May 2017! It has been confirmed that the SecretSystem ransomware is a new variant of the “Stupid Ransomware” family and the decrypter for these viruses has been updated, meaning you can now decrypt your files for free. To remove this virus and decrypt your files, follow the instructions on this web link.

Distribution of SecretSystem Virus

In order to be spread and to massively infect victims on a global scale, the ransomware infection aims to perform multiple different types of tactics in order to slither in a computer system unnoticed:

  • Intermediary malware that drops the payload(Droppers, Loaders, etc.)
  • Obfuscators for the malicious files to hide the activity of the virus from various antivirus programs.
  • Spamming software that spreads the virus via referral spam or e-mail.
  • E-mail addresses to spam from.
  • A pre-set list of targeted e-mail addresses to be spammed.
  • A pre-set messages that aim to trick the victim into opening an e-mail attachment or clicking on a malicious web link.

The e-mail addresses are usually containing either a malicious e-mail attachment or a web link. Such may be presented in the text of the e-mail as a legitimate documents of important nature. These documents could pretend to be invoices or other type of files that may be dangerous to the user.

Other forms of spreading this malware may also include it’s distribution via fake setup files, fake Adobe flash player or other types of software updates, or even fake executables uploaded on torrent websites.

SecretSystem Ransomware – Malicious Activity

After SecretSystem has already infected a computer, system, the virus may firstly drop it’s malicious files. One of them is identified to be named ”Ransomeware.exe”. They may be under different names and with different locations. The usual places they may reside are the typical Windows directories:

The virus may also attach the Windows Registry Editor’s registry sub-keys, such as the:

  • Run sub-keys.
  • RunOnce sub-keys.
  • Desktop sub-keys.

The location of the sub-keys is the following:

  • HKEY_CURRENT_USER\Control Panel\
  • HKEY_USERS\.DEFAULT\Control Panel\
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion

In those keys, custom value strings with data in them may be dropped. The data points to the location of the malicious file that encrypts files so that it automatically runs on system startup.

In addition to this, SecretSystem ransomware also aims to delete backups and shadow volume copies on the infected computer. This is achievable by obtaining administrative permissions on the infected computer and executing the following administrative Windows commands:

→ process call create “cmd.exe /c
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

After this, the SecretSystem ransomware may execute an obfuscated script that puts the computer into a lockscreen that pretends to be Windows Update. This very carefully masks the restart of the victim’s computer, so that the encryption of the files can be initiated during system boot:

Source: id-ransomware.blogspot.bg

.slvpawned File Virus – Encryption Process

When it begins encrypting files, the SecretSystem ransomware is very careful to skip certain folders that may result in breaking your operating system, such as:

  • %Windows%
  • %AppData%
  • %Temp%
  • %Roaming%
  • %Local%
  • %LocalLow%
  • %ProgramFiles%

Besides these folders, the virus may scan in all other folders for different types of important documents, audio files, video files and many others. The way the SecretSystem detects files is by looking at their file type. It may look for the following file types:


If the file extensions match with the ones SecretSystem ransomware is configured to encrypt, it begins replacing the data of those files with data from the encryption algorithm it uses. But the good news is that only segments of data are encrypted, enough to render the files no longer openable. If there is a mistake in the coding, the files may be restored. The file extension added to the encrypted files is reported to be .slvpawned and they look like the following after an encryption takes place:

After the encryption process, naturally, the SecretSystem ransomware drops it’s ransom note with the instructions how to recover encrypted files:

All Your Files are Encrypted by SecretSystem
If you Close me you will loose all Your Files.
If you want to decrypt your files follow this simple steps:
1.) Create BitcoinWallet
2.) Buy Bitcoins worth of $500
3.) Send $500 in BitCoin to Given Address
4.) Go to http://xxxx.xxx.xxx and Enter your Personal Id
5.) You will get your Decryption Key
6.) Enter it in Given Box and Click on Decrypt
7.) Restart your Computer and Delete any encrypted file you find
Contact Me :putraid1900@gmail.com orfb.com/Anonymous.404.NF Source:id-ransomware.blogspot.bg

Remove SecretSystem Ransomware and Restore .slvpawned Files

For the removal of this ransomware virus, we strongly recommend you to focus on backing up the encrypted files beforehand.

Then it is recommended to follow the below-mentioned removal instructions for the SecretSystem ransomware virus. They are specifically designed to help you isolate this virus and delete it either manually or automatically. However, if manual removal may be difficult for you, it is urgent that you download an advanced anti-malware tool. Security experts always prefer this method as it will fully and automatically remove all files and objects and protect your system in the future as well.

For the recovery of the files, at the moment there is no official decryptor that can restore your files for free. We will make sure to track the situation and update this article with instructions how to decrypt your files as soon as a decryptor is available. In the meantime we advise you to follow the recovery instructions underneath in step “2. Restore files encrypted by SecretSystem” below.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share