System Ransomware Removal Guide

Do you know what System Ransomware is?

System Ransomware appears to be a new variant of the malicious application known as CryptoMix Ransomware. Like the previous version, it encrypts the user’s data and then shows a ransom note saying the data can be deciphered, but only if the user contacts the malware’s developers. We do not recommend emailing them, because soon afterward you should receive instructions on how to pay a ransom. Worse, the cybercriminals behind System Ransomware may claim they can guarantee you will get your data back; in reality, there are no guarantees, as such people might act unpredictably. Therefore, if you do not want to put your savings at risk, we encourage you to ignore the hackers and eliminate the malicious application. Those who would like to delete it manually should follow the removal guide available below this article. Afterward, users who have backup copies can use them to restore their data. For more information about the threat, we invite you to take a look at the rest of our article.

A computer is most likely to get infected with System Ransomware after the user launches an unreliable file, for example, a suspicious email attachment, software installer, or update. Users who would not like to encounter such a threat again should be more cautious with data received via spam emails or downloaded from torrent and other untrustworthy file-sharing web pages. Similar malicious applications also get into systems through insecure RDP connections, and so on. Thus, besides being cautious, we recommend replacing insecure passwords and updating an outdated operating system or other critical software. Additionally, it would be smart to install a reputable antimalware tool that could guard the system against various threats.

Even though our computer security specialists were unable to obtain a fully working sample of System Ransomware, we still know a few possible locations where it might settle in after the user opens its launcher. The malware it was based on (CryptoMix Ransomware) can create a copy of itself in the C:\ProgramData, %ALLUSERSPROFILE%, and %ALLUSERSPROFILE%\Application Data directories. In addition, to make the computer relaunch the threat after each restart, the malicious application could create entries in several Startup locations, for example, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.

Next, the malware should start encrypting the user’s data; for example, it might damage various documents, photographs, images, videos, music files, archives, and so on. Our computer security specialists report that the threat should mark each enciphered file with the .System extension. This means all affected files might have it at the end of their names, for example, project.docx.System, family_photo.jpg.System, etc. After marking your files this way, System Ransomware should drop a document called _Help_Instruction.txt. The text inside it is known as a ransom note, since it contains instructions telling the user what to do to get his data back.

In this case, the hackers do not mention anything about paying a ransom; they only ask the user to write an email. Still, there is no doubt the email from them should contain such demands; after all, most such threats are created for money extortion. The bad news is that the malicious application’s creators could scam the user by taking his money and not delivering the promised decryption tools. If you would not like to end up in such a situation, we advise you not to risk your savings and to eliminate the malware instead. To get rid of System Ransomware manually, you can follow the removal guide available below, which explains the process in detail. As for users who would like to leave this task to an antimalware tool, we recommend picking a reputable tool from trustworthy creators.

Erase System Ransomware

  1. Press Ctrl+Alt+Delete.
  2. Go to the Task Manager.
  3. Find a suspicious process related to the malware.
  4. Select this process and press the End Task button.
  5. Exit Task Manager.
  6. Press Windows Key+E.
  7. Check the listed folders separately:
    %TEMP%
    %USERPROFILE%\desktop
    %USERPROFILE%\downloads
  8. Search for a malicious file that got the system infected.
  9. Right-click the threat’s launcher and press Delete.
  10. Navigate to:
    %ALLUSERSPROFILE%
    %ALLUSERSPROFILE%\Application Data
    C:\ProgramData
  11. Look for suspicious files (e.g., BC0EBCF2F2.exe), right-click them and press Delete.
  12. Then exit File Explorer.
  13. Press Windows Key+R, type Regedit and click OK.
  14. Find the listed locations:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  15. Search for value names belonging to the threat, right-click them and select Delete.
  16. Exit Registry Editor.
  17. Locate the file called _Help_Instruction.txt, right-click it as well and select Delete.
  18. Exit File Explorer.
  19. Empty the Recycle Bin.
  20. Restart the computer.
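
The folders, registry keys and file names listed in the steps above can be inventoried before anything is deleted. The following read-only PowerShell script is an added example, not part of the original guide; the `$ScanRoot` parameter and its default value are assumptions.

```powershell
# Read-only triage for the indicators named in this guide; nothing is deleted.
# Assumption: encrypted files are searched under the user profile by default.
param([string]$ScanRoot = $env:USERPROFILE)

# Folders from steps 7 and 10. On current Windows versions several of these
# resolve to the same path, so duplicates and missing folders are dropped.
$dropDirs = @(
    $env:TEMP
    (Join-Path $env:USERPROFILE 'Desktop')
    (Join-Path $env:USERPROFILE 'Downloads')
    $env:ALLUSERSPROFILE
    (Join-Path $env:ALLUSERSPROFILE 'Application Data')
    'C:\ProgramData'
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Sort-Object -Unique

# Executables sitting directly in those folders, with hashes for lookup.
$exes = foreach ($dir in $dropDirs) {
    Get-ChildItem -LiteralPath $dir -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, CreationTime, @{ n = 'SHA256'; e = {
            (Get-FileHash -LiteralPath $_.FullName -ErrorAction SilentlyContinue).Hash } }
}

# Every value in the Run and RunOnce keys from step 14, flagged when its
# command line points into one of the folders above.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$autoruns = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $reg = Get-Item -LiteralPath $key
    foreach ($name in $reg.GetValueNames()) {
        $cmd = [string]$reg.GetValue($name)
        $inDrop = @($dropDirs | Where-Object {
            $cmd.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0 }).Count -gt 0
        [pscustomobject]@{ Key = $key; Name = $name; Command = $cmd; InDropDir = $inDrop }
    }
}

# Files carrying the .System extension and copies of the ransom note.
$marked = Get-ChildItem -LiteralPath $ScanRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -eq '.System' -or $_.Name -eq '_Help_Instruction.txt' }

'Executables in drop folders:'; $exes | Format-Table -AutoSize
'Run / RunOnce values:';        $autoruns | Format-Table -AutoSize -Wrap
'Encrypted files and ransom notes: {0}' -f @($marked).Count
$marked | Select-Object -First 20 -ExpandProperty FullName
```

An entry flagged InDropDir is a candidate for review, not proof of infection, since legitimate software also starts from these folders.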

In non-techie terms:

System Ransomware can cause a lot of trouble if the user is not prepared for such infections. It damages the user’s files in such a way that they cannot be recovered unless the user made backup copies of the encrypted data before the malware settled in. The other way to get such files back is to obtain specific decryption tools. The only problem is that they are in the possession of the hackers behind this threat, who could ask for a huge payment in exchange. Not to mention, the user could get tricked, since there are no guarantees the malicious application’s developers will keep their word. For this reason, we do not recommend dealing with them. If it looks too risky for you as well, we advise you not to take any chances and to erase the threat with the removal guide available a bit above this paragraph or a reputable antimalware tool of your choice.