Suri Ransomware

What is Suri Ransomware?

Suri Ransomware locks all files on the victim’s Desktop with the AES encryption algorithm and marks them with the .SLAV extension. If you see this extension at the end of your files' names, you should read the rest of the article to learn more about the threat you came across. In this article, we will discuss its possible distribution channels, the way it works, and the methods you could employ to get rid of it. Moreover, just below the report, we will add instructions showing how to remove Suri Ransomware manually. Naturally, if you do not think you can deal with the malicious application on your own, you could use a legitimate antimalware tool instead. Also, users who have other questions about the infection or need more guidance with its deletion could place comments at the end of this article.

Where does Suri Ransomware come from?

So far, not much is known about the malicious application’s distribution, but our researchers at Anti-spyware-101.com suspect Suri Ransomware could be spread via email attachments, harmful software installers, and so on. In other words, the threat’s launcher could have been any recently downloaded file. In the future, we would advise being extra careful with data downloaded from the Internet. Even a harmless-looking text document sent via email could be infected with malware. Therefore, instead of opening attachments that come from unknown senders or raise suspicion, it would be safer to scan them with a legitimate antimalware tool first. The same goes for files downloaded from questionable web pages, although ideally, it would be even better not to visit such sites (e.g., torrent websites).

How does Suri Ransomware work?

First, the malicious application should create a copy of its launcher in the %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup directory. Besides creating the second launcher, Suri Ransomware should place a mysterious executable file called SuriProtector.exe in the same location. Our researchers say it is unknown why the malware creates this file, as it does not seem to have any purpose, but there is a possibility the executable could be responsible for protecting the main launcher. In any case, once the described data is created, the malicious application is supposed to lock all data on the user’s Desktop, including files located in folders on the Desktop. Its last task is to replace the user’s Desktop wallpaper and open a pop-up window with instructions on how to pay a ransom. It seems the hackers expect to receive about one hundred euros paid in Bitcoins.

The asked price might not look significant if the malware manages to encrypt files of high value to you, but do not forget that even paying the ransom does not guarantee you will get them back. The hackers could take your money without sending the decryption tools they may promise. Thus, if you do not want to risk wasting your money on tools you might never get, we would advise deleting the infection.

How to erase Suri Ransomware?

Even though we placed detailed instructions explaining how to remove Suri Ransomware manually, the task might still be a bit too complicated for inexperienced users. If that is the case, we believe it would be easier to obtain a legitimate antimalware tool and perform a system scan. After the tool identifies Suri Ransomware and data belonging to other potential threats, you should be able to get rid of it all by just clicking the displayed deletion button. However, if you are still determined to eliminate the malware manually, we would like to stress that it is essential to complete the provided steps in the given order (restart the computer in Safe Mode first and only then erase data belonging to this infection); otherwise, the computer could crash.

Restart the system in Safe Mode with Networking

Windows 8/Windows 10

  1. Tap the Power button after pressing Windows key+I.
  2. Press and hold the Shift key; then pick Restart.
  3. Pick Troubleshoot from the Advanced Options menu.
  4. Select Startup Settings, tap Restart, then press the F5 key and restart the computer.

Windows XP/Windows Vista/Windows 7

  1. Navigate to Start and select the Shutdown options.
  2. Select Restart, then tap and hold the F8 key as soon as the computer begins restarting.
  3. Choose from Safe Mode or Safe Mode with Networking in the Advanced Boot Options window.
  4. Press Enter and log on.

Remove Suri Ransomware

  1. Tap Windows key+E.
  2. Search for the listed paths:
    %TEMP%
    %USERPROFILE%\desktop
    %USERPROFILE%\downloads
  3. Identify the infection’s installer, right-click it and select Delete.
  4. Navigate to this path: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
  5. Look for a malicious executable file with a random title, right-click it and choose Delete.
  6. Locate a file titled SuriProtector.exe in the same location (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup).
  7. Right-click an executable file named SuriProtector.exe, and tap Delete.
  8. Go to Desktop, right-click a picture titled back.jpeg, and select Delete.
  9. Leave File Explorer.
  10. Empty your Recycle bin.
  11. Reboot the system.

Stop these Suri Ransomware Processes:

SuriProtector.exe
03capx2x.exe
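
A report-only triage pass over the artifacts named in the removal steps and the process list above, as an added PowerShell example that is not part of the original article: it lists what it finds and deletes or stops nothing. The file, folder and process names are the ones given in this article; the 14-day window for recently created executables is an assumption.

```powershell
# Added example: report-only check for the Suri Ransomware artifacts named in this article.
# Nothing is deleted or stopped. Get-FileHash needs PowerShell 4.0 or later.
$Days     = 14   # assumption: how far back to look for recently created installers
$startup  = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
$desktop  = [Environment]::GetFolderPath('Desktop')
$findings = New-Object 'System.Collections.Generic.List[object]'

function Add-Finding($Kind, $Path, $Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Path = $Path; Detail = $Detail })
}

# 1. Persistence: every executable in the per-user Startup folder, hashed for later lookup.
Get-ChildItem -LiteralPath $startup -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $kind = if ($_.Name -ieq 'SuriProtector.exe') { 'SuriProtector.exe' } else { 'Startup executable' }
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        Add-Finding $kind $_.FullName "SHA256 $hash; created $($_.CreationTime)"
    }

# 2. Impact: .SLAV files on the Desktop (subfolders included) and the dropped wallpaper.
$locked = @(Get-ChildItem -LiteralPath $desktop -Filter '*.SLAV' -File -Recurse -Force -ErrorAction SilentlyContinue)
if ($locked.Count -gt 0) {
    Add-Finding 'Encrypted files' $desktop "$($locked.Count) file(s) ending in .SLAV"
}
$wallpaper = Join-Path $desktop 'back.jpeg'
if (Test-Path -LiteralPath $wallpaper) { Add-Finding 'Wallpaper image' $wallpaper 'back.jpeg on Desktop' }

# 3. Possible installer: recently created executables in the folders the removal steps list.
$cutoff = (Get-Date).AddDays(-$Days)
foreach ($dir in $env:TEMP, $desktop, (Join-Path $env:USERPROFILE 'Downloads')) {
    Get-ChildItem -LiteralPath $dir -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -gt $cutoff } |
        ForEach-Object { Add-Finding 'Recent executable' $_.FullName "created $($_.CreationTime)" }
}

# 4. Running processes listed in the article (Get-Process takes names without .exe).
Get-Process -Name 'SuriProtector', '03capx2x' -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'Running process' $_.Path "PID $($_.Id)" }

if ($findings.Count -eq 0) {
    'No artifacts named in the article were found for this user.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it as the affected user, since every path it checks is per-user; entries marked "Startup executable" or "Recent executable" are candidates to review, not confirmed detections.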