System Ransomware

What is System Ransomware?

System Ransomware appears to be a newly created file-encrypting infection. It can be recognized by the extension it appends to each encrypted file (.System) and by the ransom note it leaves on the system, which should mention specific email addresses (e.g., systempc1@keemail.me). If you believe you may have encountered this malware, it is advisable to learn how it works, how it may be distributed, and other vital details, so that you know your options and can defend the system against similar malicious programs in the future. All of these details are explained further in the text. At the end of the report, we also add deletion instructions showing how to get rid of System Ransomware manually, although if the task appears to be too complicated, it would be safer to employ a legitimate antimalware tool.

Where does System Ransomware come from?

Researchers at Anti-spyware-101.com believe System Ransomware might be spread through spam emails, as this remains one of the most popular distribution methods among such threats. Consequently, it is advisable to keep away from files sent by someone you do not know or for an unknown reason. In other words, if you see a suspicious attachment you were not expecting to receive, you should not take any chances with it. Those who do not want to remove such data, or who suspect it could be significant, should at least scan it with a legitimate antimalware tool. If the suspected file is indeed malicious, the tool may detect it and warn the user.

How does System Ransomware work?

The malicious program’s primary task is to encrypt the data it can find on the infected computer with a strong encryption algorithm so that the user can no longer access it. To be able to show a ransom note, the malware should not ruin data belonging to the operating system or, possibly, files belonging to other programs. Instead, System Ransomware should target data important to the victim, e.g., his photos, pictures, text files, etc. The user can notice something is wrong right after the encryption because the threat is supposed to place a second extension at the end of all locked files. For instance, a file called photo.jpg would turn into photo.jpg.System after the infection locks it.

Furthermore, soon after the user's files get encrypted, he should notice a text document called _Help_Instruction.txt on his Desktop or in other directories containing locked files. It starts with “Hello! Attention! All Your data was encrypted! For specific informartion, please send us an email with Your ID number.” Then the ransom note lists a few email addresses, e.g., systempc18x@protonmail.com, hashby@yandex.com, ashbyh@yandex.com, and others. The last sentences explain that the user should write to all the listed email addresses. Also, according to the note, System Ransomware’s creators will “help You as soon as possible!” Keep in mind that even though they might sound willing to help, there is no knowing what they will do when they receive your money. It is possible you may never hear from them again, either because they see no need to bother sending the promised decryption tools or because they simply do not have them.

How to erase System Ransomware?

Given there is a risk System Ransomware’s developers could trick you and leave you with no decryption tools and a lighter wallet, we advise against paying the ransom. If you think it would be safer to erase the malware too, we invite you to follow the removal instructions provided below this report. They explain how to get rid of the malicious program manually. The other way to eliminate it is to install a legitimate antimalware tool, scan the system with it, and click the deletion button once the scan is over.

Remove System Ransomware

  1. Tap Ctrl+Alt+Delete.
  2. Launch Task Manager and go to Processes.
  3. Search for a process belonging to the malware.
  4. Mark the suspicious process and click End Task.
  5. Press Win+E.
  6. Find the following paths:
    %USERPROFILE%\Desktop
    %USERPROFILE%\Downloads
    %TEMP%
  7. Locate the infection’s installer, right-click the suspicious file and press Delete.
  8. Find the following paths:
    C:\ProgramData
    %ALLUSERSPROFILE%
    %ALLUSERSPROFILE%\Application Data
  9. Identify malicious executable files, right-click them and choose Delete.
  10. Find the provided location: %HOMEDRIVE%\user
  11. Erase the ransom note (_Help_Instruction.txt).
  12. Leave File Explorer.
  13. Press Win+R.
  14. Insert regedit and press Enter.
  15. Navigate to these locations:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  16. Identify the value names created by the malware, right-click them and select Delete.
  17. Leave Registry Editor.
  18. Empty your Recycle bin.
  19. Reboot the system.
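
A read-only way to gather the indicators described in "How does System Ransomware work?" and in the removal steps before deleting anything, given here as an added PowerShell example that is not part of the original guide. It counts files carrying the .System extension, lists copies of _Help_Instruction.txt, and shows the HKEY_CURRENT_USER Run and RunOnce values, flagging those whose data points into the folders from steps 6 and 8; the function names and the $ScanRoot parameter are assumptions of this example.

```powershell
# Read-only triage for the indicators this report names; nothing is deleted.
# Assumption: run in the affected user's session. $ScanRoot and both function
# names are illustrative choices made for this example.
param([string]$ScanRoot = $env:USERPROFILE)

function Get-LockedFileSummary {
    param([string]$Root)
    $files = Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue
    # Second extension appended to locked files, e.g. photo.jpg.System
    $locked = @($files | Where-Object { $_.Extension -eq '.System' })
    # Ransom note file name given in the report
    $notes = @($files | Where-Object { $_.Name -eq '_Help_Instruction.txt' })
    [pscustomobject]@{
        LockedCount   = $locked.Count
        # Earliest write time among locked files, useful for an incident timeline
        EarliestWrite = ($locked | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
        NotePaths     = $notes.FullName
    }
}

function Get-RunKeyEntry {
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    # Folders the removal steps name as likely homes of the installer or executables
    $watched = @("$env:USERPROFILE\Desktop", "$env:USERPROFILE\Downloads",
                 $env:TEMP, $env:ALLUSERSPROFILE) | Where-Object { $_ }
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $data = [Environment]::ExpandEnvironmentVariables([string]$item.GetValue($name))
            $hits = @($watched | Where-Object {
                $data.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0 })
            [pscustomobject]@{
                Key          = $key
                Name         = $name
                Data         = $data
                InWatchedDir = $hits.Count -gt 0
            }
        }
    }
}

Get-LockedFileSummary -Root $ScanRoot | Format-List
Get-RunKeyEntry | Sort-Object InWatchedDir -Descending | Format-Table -AutoSize -Wrap
```

Values flagged InWatchedDir are the first candidates to review in steps 15 and 16; an unflagged value is not thereby shown to be benign.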