5ss5c ransomware (Removal Instructions) - Recovery Instructions Included

by Jake Doevan - - 2020-01-16 | Type: Ransomware

5ss5c virus Removal Guide

Description Quick solution Instructions Prevention

What is 5ss5c ransomware?

5ss5c ransomware is file encrypting malware that primary targets Chinese users via EternalBlue vulnerability

5ss5c ransomware 5ss5c ransomware is a file locking malware that is usually spread via EternalBlue vulnerability

5ss5c ransomware is crypto-malware that was first spotted in the wild by security researcher @jishuzhain on January 12, 2020. Initially, the sample tracked by experts was labeled as “unknown,” although looking further, it became clear that the virus derived from a relatively old family that uses RaaS (ransomware-as-a-service)^[1] scheme – Satan/DBGer ransomware. As it turns out, malware authors have been working on this new project since at least November 2019, and it is still in an active development stage. Upon infiltration, the downloader will download three modules, which include Mimikatz open-source software, a password stealer, EternalBlue exploit (it was patched by Microsoft back in March 2017)^[2], and the main 5ss5c ransomware payload.^[3]

5ss5c virus uses the AES encryption algorithm to encrypt only compressed files located on the system, unlike most other ransomware that targets all personal files, it focuses on encrypting only particular 32 file types – mostly archives, documents, and databases. Due to this, the danger level of malware is slightly diminished, although it can still result in major losses. _如何解密我的文件_.txt ransom note is also dropped which is written in Chinese and demands 1 Bitcoin for an allegedly working 5ss5c ransomware decryptor. For negotiation purposes, hackers provide 5ss5c@mail.ru email.

Name	5ss5c ransomware
Type	Cryptovirus, file locking malware, RaaS (ransomware-as-a-service)
Origin	Satan ransomware/DBGer ransomware
Targets	Chinese users
Distribution	The malware is known to be propagated via the already-patched EternalBlue vulnerability, although it does not mean that hackers are not or will not use other methods, such as spam emails, fake updates, software cracks, RDP connections, etc.
Cipher	AES encryption algorithm is used to lock databases, MS Office files, archives, and a few other file types
File extension	Each of the encrypted files is appended with .5ss5c extension, although further file modifications are performed e.g., a “data.zip” is transformed into “[5ss5c@mail.ru]data.zip.JAVRIXREHPPDEX8GL1U94XRS04TVJ59C7LT3E2MY.5ss5c”
Ransom note	Ransom note is written inside a text file _如何解密我的文件_.txt, which translates to _How to decrypt my files_.txt
Contact info	Cybercriminals provide 5ss5c@mail.ru as the main contact email for communication purposes
Ransom size	Victims are asked to pay 1 BTC for decryption software, which doubles after 48 hours
Related files	down.txt, cpt.dat, cpt.exe, c.dat
File decryption	The only secure method o restore encrypted files is to use backups, although there is a chance of recovering data via third-party software
Malware removal	Use reputable anti-malware software that can detect all malicious files and eliminate them (sometimes requires accessing Safe Mode)
System fix	Ransomware infection can result in system instability and continual crashes after its termination – avoid such problems with PC repair software FortectIntego

While the malware does not encrypt all personal files, there are no known decryption tools currently available. Therefore, it is best to retrieve the lost data via backups, and then proceed with 5ss5c ransomware removal. For that, users should employ anti-malware software that recognizes the malicious program as follows:^[4]

Trojan.DownLoader32.46808
Trojan:Win32/Wacatac.B!ml
Mal/Generic-S
Win32/Filecoder.NZY
Gen:Variant.Ulise.85367
Win32:Trojan-gen
Artemis!853358339279, etc.

Once the infection process of 5ss5c virus is triggered, it downloads the main malware executable cpt.dat, which is then placed into %Temp% folder, which loads and inserts multiple of other files throughout the system. Additionally, malware modifies Windows registry at \SOFTWARE\Microsoft\Windows\CurrentVersion\Run in order to be launched with every Windows reboot. Just as its predecessors, 5ss5c ransomware will terminate all services and processes related to databases.

5ss5c ransomware file encryption process usually lasts just a moment, although the length of the process may increase depending on the number of files present on the machine, as well as its connected networks. However, it will also exclude certain files via a predetermined list. Malware will encrypt the following file types:

7z, bak, cer, csv, db, dbf, dmp, docx, eps, ldf, mdb, mdf, myd, myi, ora, pdf, pem, pfx, ppt, pptx, psd, rar, rtf, sql, tar, txt, vdi, vmdk, vmx, xls, xlsx, zip

5ss5c ransomware is a type of virus that stems from Satan/DBGer ransomware family

Most ransomware viruses target all personal files on the host system to result in maximum losses and the higher need of victims paying the ransom. However, 5ss5c ransomware developers did not go for files that most regular users find the most important, such as pictures or videos – which suggests that malware developers are rather focusing on infecting companies that use databases and VMware-related extensions.

The affected files not only receive a .5ss5c extension but are also modified in other ways – an example of the encrypted file includes:

[5ss5c@mail.ru]data.zip.JAVRIXREHPPDEX8GL1U94XRS04TVJ59C7LT3E2MY.5ss5c

After file encryption is complete, 5ss5c ransomware will contact a Command & Control server, and also use hardcoded credentials downloaded previously to connect to an SQL database. Additionally, Mimikatz and a password/credential stealing module provide additional functionality to malicious actors, although it proves to be more devastating for the infected hosts.

To victims that users are aware of what happened to some data on their systems, a ransom note titled _如何解密我的文件_.txt is dropped into C: drive, which translates to “How to decrypt my files_.txt” from Chinese. The contents of the message are as follows [translated]:

Some files have been encrypted
If you want to retrieve the encrypted file, send (1) Bitcoin to my wallet
If the payment is not completed within 48 hours from the start of encryption, the amount of decryption will double.
If you have other questions, you can contact me by email
Your decryption credentials are:

Email: [5ss5c@mail.ru]

As evident, crooks claim that the ransom size increases to 2 BTC after 48 hours of the initial infection. However, we strongly advise against contacting crooks and paying for the 5ss5c ransomware decryptor, as a chance of getting scammed remains. In other words, you might lose not only your files but also money that hackers get to keep.

Instead, you should backup all the locked files, remove 5ss5c ransomware, and then use alternative methods for data recovery if backups are not available. Note that you will have to access Safe Mode to get rid of the malware. In case your Windows machine struggles after ransomware termination, we suggest scanning it with FortectIntego in order to fix virus damage and restore normal system functions.

EternaBlue flaw still remains an excellent choice to malware authors

Security researchers determined that 5ss5c ransomware is spread via the NSA's EternalBlue vulnerability (also known by a CVE code CVE-2017-0144)^[5] which exploits Microsoft's Server Message Block (SMB) protocol. Once NSA found out that the vulnerability has been leaked by Shadow Brokers, it had no coice but to inform Microsoft about it, and the company patched the flaw immediately. Despite that, many systems remained outdated and vulnerable, which resulted in the notorious WannaCry outbreak when 200,000 computers belonging to regular users and government institutions/organizations were compromised and data inside locked. The same flaw was later used to proliferate NotPetya ransomware, which resulted in millions of dollars of damages worldwide.

Despite that, there are numerous machines that are still not patched for the EternealBlue due to various factors, which makes the flaw a valid attack vector. It is worth noting that there are countless vulnerabilities that are constantly being exploited by malicious actors, and most of them can be mitigated with a timely application of security updates.

5ss5c ransomware runs a background task and modifies Windows registry to ensure smooth operation and data encryption process

Nevertheless, it does not mean that threat actors behind 5ss5c ransomware cannot use other methods for malware delivery – so industry experts always advise use comprehensive security measures, such as employing high-end anti-malware software, using strong passwords/password managers, adequately protecting Remote Desktop connections, enabling Firewall, implementing ad-blockers, never downloading pirated/cracked software,^[6] and, most importantly, backing up all the important data on external or virtual storage.

Remove 5ss5c ransomware from your system and patch software vulnerabilities

Quite often, ransomware victims are completely lost on what to do after the infection, as they most likely never heard about file locking malware, or the understanding is very much vague. 2-spyware exists in order to guide users with the help of 5ss5c ransomware removal instructions, as well as further actions after the infection is terminated.

Therefore, if you found your data encrypted by 5ss5c virus, do not panic, and proceed with the following:

Ensure that you have access to this article, as well as the instructions listed below via a different device.
Use a USB flash, external HDD, DVD, or any other external device to copy the encrypted files (you can also use cloud-based services like Google Drive) – in case this is not done, all encrypted files might get corrupted as soon as you remove 5ss5c ransomware.
Reboot your computer in Safe Mode with Networking, as explained in the instructions below.
Download and install powerful anti-malware software from the official vendor website or use a built-in Microsoft Defender, and perform a full system scan.
Reboot to normal mode, connect to your backups and copy the data over (if no backups are available – check the recovery section below).
Patch your system with the latest security updates by right-clicking on Start and going to Settings > Update & Security > Check for updates. If you are using Windows 7, go to Start > Control Panel > System and Security > Change settings, under Important Updates pick the Install updates automatically (recommended) option.

Offer

do it now!

Download
Fortect Happiness
Guarantee Download
Intego Happiness
Guarantee

Compatible with Microsoft Windows Compatible with macOS

What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.

Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.

Fortect review | Terms of Use | Privacy policy | Refund Policy | Uninstall guide

Alternative Software

Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.

Download SpyHunter 5 Review »

Malwarebytes

Alternative Software

Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Download Combo Cleaner Review »

Getting rid of 5ss5c virus. Follow these steps

Manual removal using Safe Mode

If security software is not working due to the infection, you should go to Safe Mode with Networking as explained below:

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment.

Windows 7 / Vista / XP

Click Start > Shutdown > Restart > OK.
When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
Select Safe Mode with Networking from the list.

Windows 10 / Windows 8

Right-click on Start button and select Settings.
Scroll down to pick Update & Security.
On the left side of the window, pick Recovery.
Now scroll down to find Advanced Startup section.
Click Restart now.
Select Troubleshoot.
Go to Advanced options.
Select Startup Settings.
Press Restart.
Now press 5 or click 5) Enable Safe Mode with Networking.

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
Click on More details.
Scroll down to Background processes section, and look for anything suspicious.
Right-click and select Open file location.
Go back to the process, right-click and pick End Task.
Delete the contents of the malicious folder.

Step 3. Check program Startup

Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
Go to Startup tab.
Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

Type in Disk Cleanup in Windows search and press Enter.
Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
Scroll through the Files to delete list and select the following:

Temporary Internet Files
Downloads
Recycle Bin
Temporary files
Pick Clean up system files.
You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):

%AppData%
%LocalAppData%
%ProgramData%
%WinDir%

After you are finished, reboot the PC in normal mode.

Remove 5ss5c using System Restore

Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP
1. Click Start → Shutdown → Restart → OK.
2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
3. Select Command Prompt from the list
Windows 10 / Windows 8
1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
Step 2: Restore your system files and settings
1. Once the Command Prompt window shows up, enter cd restore and click Enter.
2. Now type rstrui.exe and press Enter again..
3. When a new window shows up, click Next and select your restore point that is prior the infiltration of 5ss5c. After doing that, click Next.
4. Now click Yes to start system restore.
Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that 5ss5c removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove 5ss5c from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by 5ss5c, you can use several methods to restore them:

Recover your data

Data Recovery Pro option might be useful

The less you use your computer after 5ss5c virus infection, the bigger chances you recover at least some of your files via recovery tools like Data Recovery Pro.

Download Data Recovery Pro;
Follow the steps of Data Recovery Setup and install the program on your computer;
Launch it and scan your computer for files encrypted by 5ss5c ransomware;
Restore them.

You have Windows Previous Versions feature for your disposal

This method is only functional if you had System Restore enabled prior to malware attack, and only works for individual files.

Find an encrypted file you need to restore and right-click on it;
Select “Properties” and go to “Previous versions” tab;
Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer might be the answer in some cases

If 5ss5c ransomware failed to delete automatic Windows backups, you have a high chance of retrieving all the lost data with ShadowExploerer.

Download Shadow Explorer (http://shadowexplorer.com/);
Follow a Shadow Explorer Setup Wizard and install this application on your computer;
Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

No decryption software is currently available

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from 5ss5c and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. The best solution for creating a tighter network could be a dedicated/fixed IP address.

If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for the server or network manager that needs to monitor connections and activities. VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world.

Recover files after data-affecting malware attacks

While much of the data can be accidentally deleted due to various reasons, malware is one of the main culprits that can cause loss of pictures, documents, videos, and other important files. More serious malware infections lead to significant data loss when your documents, system files, and images get encrypted. In particular, ransomware is is a type of malware that focuses on such functions, so your files become useless without an ability to access them.

Even though there is little to no possibility to recover after file-locking threats, some applications have features for data recovery in the system. In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection.

About the author

Jake Doevan - Computer technology expert

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Jake Doevan
About the company Esolutions

References

^ Ransomware-as-a-Service (RaaS): How It Works. Tripwire. The State of Security.
^ Microsoft Security Bulletin MS17-010 - Critical. Microsoft. Docs.
^ Bart. Satan ransomware rebrands as 5ss5c ransomware. Security Boulevard. Security Bloggers Network.
^ ca154fa6ff0d1ebc786b4ea89cefae022e05497d095c2391331f24113aa31e3c. Virus Total. File and URL analysis.
^ CVE-2017-0144 Detail. NVD. National vulnerability database.
^ Ioana Bistriceanu. Dangers of using pirated software. Bitdefender. Security blog.