SySS Ransomware

What is SySS Ransomware?

If you are not yet sure whether SySS Ransomware is the infection that encrypted your personal files and made them unreadable, look at the names of your files. If this threat is responsible for the attack, you should find the “.id-***.[syspentest@aol.com].SySS” extension attached (*** represents unique characters). You are free to remove this extension, but doing so will not help you restore your files. Anti-Spyware-101.com researchers are not sure you can restore your files at all, and if you find tools that claim to be capable of restoring files affected by malware, you have to be careful. That being said, this particular threat comes from the Crysis Ransomware/Dharma Ransomware family, and free decryptors have been developed by malware experts. If you are going to use third-party tools, these are the ones you should look into first. Unfortunately, nothing can guarantee full decryption, and your files will not be restored even if you delete SySS Ransomware quickly.

How does SySS Ransomware work?

Just like ROGER Ransomware, Devil Ransomware, Dever Ransomware, or any other clone, the malicious SySS Ransomware encrypts personal files. It does not target system files, because no one could be coerced over system files that can be reinstalled and replaced in no time. Instead, the threat goes after personal files, which means that your documents, photos, presentations, movies, music files, archives, and other types of files can be corrupted. Next to these files, you should find a new file named “FILES ENCRYPTED.txt.” This file was created by SySS Ransomware, and so we recommend deleting it (the removal guide below includes this step). The message in this file states that if the victim of the infection emails syspentest@aol.com or syspentesting@aol.com, they might be able to recover their files. A much more extensive message is delivered using a file named “Info.hta.” This file is added to Startup, and that is how cybercriminals ensure that the window entitled “syspentest@aol.com” is launched even if the victim restarts the computer.

The message shown in the launched window states that victims can pay a ransom in Bitcoins to retrieve a decryption tool. We do not know how big the ransom is, but that is how the attackers can rope you into emailing them. If you do that, you could end up facing bigger problems, and so we do not advise doing that. At the very least, create an email account that is used only for contacting the cybercriminals. Afterward, you could just remove it to stop the attackers from potentially targeting you with new scams. And what would happen if you paid the ransom? Most likely, nothing would happen, except that you would lose money for nothing. Is there a chance that cybercriminals would give you the decryptor? That is highly unlikely. Our team has analyzed plenty of infections just like SySS Ransomware, and we know that cybercriminals do not keep their promises. Unfortunately, no one can force them to restore your files, and so preventing ransomware from attacking in the first place is still the best defense.

How to delete SySS Ransomware

Have you faced infections and been able to remove them successfully in the past? If you have not, removing SySS Ransomware yourself can prove to be a serious challenge. Most components have random names, and the most important file – the launcher – also could be dropped anywhere on your computer. If you think you can delete SySS Ransomware, use the instructions below, and do not hesitate to leave your questions in the comments section. If you want a fail-proof way to get rid of this infection, install a legitimate anti-malware program, and it will perform removal automatically. Even more important, it will keep your Windows operating system protected against other threats. Afterward, if you have backups, you will be able to replace the corrupted files. Remember to always back up ALL personal files. We recommend using external/online backups because some threats can destroy/wipe internal backups.

Removal Guide

  1. Delete recently downloaded files that you believe could be associated with the infection.
  2. Delete all copies of the ransom note file named FILES ENCRYPTED.txt.
  3. Launch Explorer (tap Win+E keys) and enter these paths into the bar at the top:
    • %APPDATA%
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup\
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %WINDIR%\System32\
  4. If you can find Info.hta and {unique name}.exe files linked to the infection, delete them.
  5. Launch Run (tap Win+R keys) and enter regedit to access the Registry Editor menu.
  6. Navigate to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  7. Delete values associated with Info.hta and {unique name}.exe files.
  8. Exit Registry Editor and Windows Explorer and then Empty Recycle Bin.
  9. Perform a full system scan to check for leftovers using a legitimate malware scanner.
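
The checks in steps 2 to 7 can be run as one read-only pass before anything is deleted. The PowerShell script below is an added example, not part of the original guide: the paths, file names and extension pattern come from the guide, while the $ScanRoot parameter and the variable names are assumptions of this example.

```powershell
# Added example: read-only triage of the removal guide's locations. Nothing is deleted.
# Assumption: $ScanRoot is the folder tree to search for encrypted files and notes.
param([string]$ScanRoot = $env:USERPROFILE)

# Step 3: folders from the guide, expanded from their environment variables.
$folders = @(
    $env:APPDATA,
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ALLUSERSPROFILE\Application Data\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:WINDIR\System32"
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# Step 4: match Info.hta by name. The launcher's name is random, so every .exe
# sitting directly in a Startup folder is listed for manual review.
$fileHits = foreach ($dir in $folders) {
    Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Name -eq 'Info.hta' -or
            ($dir -like '*\Startup' -and $_.Extension -eq '.exe')
        } |
        Select-Object FullName, Length, CreationTime
}

# Steps 6-7: list every value under the Run key and flag those pointing at Info.hta.
$runKey = Get-Item -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
$runValues = if ($runKey) {
    foreach ($name in $runKey.GetValueNames()) {
        $data = [string]$runKey.GetValue($name)
        [pscustomobject]@{
            Name    = $name
            Data    = $data
            InfoHta = $data -match 'Info\.hta'
        }
    }
}

# Step 2 and the extension described earlier: .id-***.[syspentest@aol.com].SySS
$extPattern = '\.id-.+\.\[syspentest@aol\.com\]\.SySS$'
$all = Get-ChildItem -LiteralPath $ScanRoot -File -Recurse -Force -ErrorAction SilentlyContinue
$encrypted = @($all | Where-Object { $_.Name -match $extPattern })
$notes     = @($all | Where-Object { $_.Name -eq 'FILES ENCRYPTED.txt' })

"Files carrying the SySS extension under ${ScanRoot}: $($encrypted.Count)"
"Ransom notes (FILES ENCRYPTED.txt): $($notes.Count)"
"`nCandidate files in the guide's folders:"
$fileHits | Format-Table -AutoSize
"Values under HKLM Run (InfoHta = references Info.hta):"
$runValues | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so the all-users Startup folder and System32 can be read; entries it lists still need to be judged by hand before deletion.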

Disclaimer