Skip to content
  • Active
  • Severity: High
  • Ransomware
  • Windows
  • Verified · Apr 2018

How to remove RansSIRIA ransomware

A step-by-step removal guide for affected devices. Follow the verified procedure below — most readers complete it in under 10 minutes.

Julie Splinters · Anti-malware specialist

RansSIRIA ransomware is a crypto-virus that stems from WannaPeace ransomware family

RansSIRIA ransomware virus

RansSIRIA is one of the latest cyber infections that attacked much attention worldwide, but not because it features an exclusive behavior. Its developers are scolded for being unscrupulous when trying to get rich on behalf of Syrian refugees.[1] The ransomware spreads via spam and locks files by appending a file extension that the system cannot read (.SIRIA, .crypted, .locked, .donate, and similar). After that, it generates a .txt file, which asks the PC's owner to donate for refugees in the form of redemption. The sum is not indicated in on the ransom note, though its clear that the payment is accepted in Litecoins[2] (nearly 80).

Name RansSIRIA
Classification Ransomware
Danger level High. Encrypts personal files, performs unauthorized system's changes
File extension Unknown
The main target Brazilian PC users
Payment accepted Nearly 80 Litecoins
Removal Manual ransomware removal is practically impossible. To get rid of it, download FortectIntego and run a full system scan

Although not many cases of ransomware are exploiting dramatic events to gain financial profit, there's a few, including Bostom Marathon assault and the Hurricane Matthew Marathon. Crooks employ social engineering technique, known as Social Exchange to make people fall for the trick. They arouse the feeling of being guilty on what is going on in Syria, making the victim in pursuit of psychological relief. Thus, it's getting easier to swindle people's money.

RansSIRIA ransomware payload can be found disguised in spam email messages in a form of .exe, .doc, .pdf, or .png formats. Alternatively, it can also be disseminated via rogue software installers, phishing sites or unprotected Remote Desktop services.

Once the payload is executed, RansSIRIA virus locks files using AES-256 cipher and renders them useless by opening an unreadable extension. While it hasn't yet been specified, experts speculate that the most probable file extension used is .SIRIA. Following the encryption, the victim can find a .txt file on the desktop saying:

Sorry, your files have been locked
Please introduce us as Anonymous, and Anonymous only.
We are an idea. An idea that can not be contained, pursued or imprisoned.
Thousands of human beings are now ruled, wounded, hungry and suffering …
All as victims of a war that is not even theirs !!!
But unfortunately, only words will not change the situation of these human beings …
We DO NOT want your files, or you harm them … we only want a small contribution …
Remember .. by contributing, you will not only be recovering your files …
… but helping to restore the dignity of these victims …
Contribute your contribution from only: Litecoins to wallet/address below.

Do not fall for believing that the WannaPeace RansSIRIA is going to donate the ransom collection to Syrian refugees. Not the smallest amount of money will be donated for the charitable purpose. Therefore, we would strongly recommend you to ignore the content that the virus displays and remove RansSIRIA using FortectIntego, SpyHunterCombo Cleaner, MalwarebytesMalwarebytes or another powerful anti-virus.

The ransom note of the malware is initially written in Portuguese language and oriented to Brazilian PC users. To involve victims in the affair, crooks exploit photos depicting Syrian children suffering the war.

Also, if the victim pays the money for RansSIRIA decryptor, he or she is presented with an article related to the civilians of Syria (https://goo.gl/qNxDFP). Also, the link to a YouTube video is provided, where a short video about the consequences of the war for the child's life.

No matter how shocking and touching this virus can be, do not fall for it. Instead of giving away your money to cybercriminals, remove RansSIRIA virus and recover your files using alternative methods.

RansSIRIA targets Brazilian PC users

Spam email is not the only ransomware carrier

Having an anti-virus installed is not sufficient protection from ransomware attacks. These malicious cyber threats can be hidden under fake software updates, infected links, JavaScript infected websites, etc. or exploit Remote Desktop services connected directly to the Internet.

Therefore, it's essential to deliberately check whether email messages that feature catchy slogans or say “Highly important” should be trusted. Zondervirus.nl[3] team recommend people to double-check the sender, verify the body text, and other factors that may reveal the email to be malicious before opening it. 

Besides, avoid visiting doubtful or illegal websites that contain pornography or other adult content. Such domains are filled with malicious pop-up ads and links clicking on which may end up with data loss.

All in all, to protect the system from ransomware attack, control your behavior online and ensure proper anti-virus protection. For this purpose, update the security tool regularly and make sure Real-time protection is enabled.

Get rid of RansSIRIA virus and recover your data

RansSIRIA removal is a must. As long as it resides on the system, you won't be able to use your PC normally due to severe slowdowns, crashes, freezes, and other technical corruption. Besides, you would not be allowed to save new files on the system, unless you want them encrypted.

To remove RansSIRIA, render a reliable anti-malware program and run a full system scan. There's no other way to get rid of it. Upon removal, take advantage of third-party software to recover your files.

Be the first to comment

Spyware news
Privacy preferences

We use cookies to improve your experience and analyze traffic. Some cookies enable embedded content like videos and social posts. Choose what you allow — you can change this anytime.