SuchSecurity Ransomware Removal Guide (Restore Your Files From The Virus)

SuchSecurity Ransomware is a virus derived from the EDA2 malware family; read our in-depth removal guide to restore your PC.

SuchSecurity Ransomware Description

The SuchSecurity Ransomware is a newly discovered malware which appears to be based on the EDA2 open-source project. This is one of the most famous and widely used virus threats with a very high infection rate.

The ransomware follows the basic behaviour patterns of encrypting target user data with its encryption engine. All identified malware samples use a strong cipher which makes recovery impossible without the use of a quality anti-spyware solution. What’s more

Depending on the configuration of the ransomware it may feature additional components (modules) which can include the following:

  • Stealth Protection – This feature detects if there are any running anti-virus or security solutions installed on the host system. If their signatures are detected by the virus engine, the malware deletes itself to evade any possible alarms.
  • Registry and Process Monitoring & Modification – Complex viruses can change the registry values and settings of the compromised hosts. Such actions can modify essential components and features of the computer which can either limit the actions of the victim or even cause damage to the hardware itself.
  • Persistence – Upon successful installation the malware can set up a persistent environment which can make it extremely difficult to remove using manual means.
  • Additional Payload Infection – The SuchSecurity ransomware can potentially introduce additional viruses to the infected computer by downloading them from remote C&C servers.

Upon infection the encryption engine is engaged. The following file type extensions are affected by the internal module:

.asp, .aspx, .csv, .doc, .docx, .html, .jpg, .mdb, .odt, .php, .png, .ppt, .pptx, .psd, .sln, .sql, .txt, .xls, .xlsx, .xml.

All affected files receive the .locked extension. The initial security analysis shows that this particular virus is created in a way to inflict maximum damage on services and applications which rely on database servers such as Amazon RDS, MySQL, MariaDB, DB2 and Oracle.
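As an added example (not code from the article or from the malware's authors), the following Python script scopes an infection of this kind: it walks a directory tree, lists every file that carries the .locked extension and tallies the extensions those files had before they were renamed, then flags any original extension that is not on the list reported above, which would indicate the sample in hand is configured differently. The directory tree it builds is constructed for illustration.

```python
"""Scope a .locked infection: list renamed files and tally original extensions.

Added example for this guide, not code from the article. The sample tree built
by build_sample_tree() is constructed for illustration.
"""
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions the article reports as targeted by the encryption module.
TARGETED = {
    ".asp", ".aspx", ".csv", ".doc", ".docx", ".html", ".jpg", ".mdb", ".odt",
    ".php", ".png", ".ppt", ".pptx", ".psd", ".sln", ".sql", ".txt", ".xls",
    ".xlsx", ".xml",
}
LOCKED_EXT = ".locked"


def scope_locked_files(root):
    """Walk root and return (sorted list of .locked paths, Counter of the
    extensions those files had before the .locked suffix was appended)."""
    locked = []
    by_ext = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(LOCKED_EXT):
                continue
            original = name[: -len(LOCKED_EXT)]          # strip ".locked"
            ext = Path(original).suffix.lower() or "(none)"
            locked.append(os.path.join(dirpath, name))
            by_ext[ext] += 1
    return sorted(locked), by_ext


def untargeted_extensions(by_ext):
    """Original extensions seen on .locked files that are not on the article's
    list: a sign the sample at hand is configured differently than described."""
    return sorted(e for e in by_ext if e not in TARGETED)


def build_sample_tree(root):
    """Constructed sample: five 'encrypted' files and one untouched file."""
    root = Path(root)
    (root / "db").mkdir(exist_ok=True)
    for rel in ("report.docx.locked", "db/customers.sql.locked",
                "db/schema.sql.locked", "photo.jpg.locked",
                "archive.zip.locked", "notes.txt"):
        (root / rel).write_bytes(b"\x00" * 16)   # file content is irrelevant here
    return str(root)


def demo():
    """Run the scoping over the constructed tree; returns (paths, counts)."""
    with tempfile.TemporaryDirectory() as tmp:
        return scope_locked_files(build_sample_tree(tmp))


if __name__ == "__main__":
    paths, counts = demo()
    print(f"{len(paths)} files carry {LOCKED_EXT}")
    for ext, n in counts.most_common():
        print(f"  {ext:8} {n}")
    print("extensions outside the reported list:", untargeted_extensions(counts))
```

Run it against a drive or share root instead of the temporary tree to get a count of affected files per original extension, which is the number you need for restore planning from backups.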

Once the encryption process is complete the affected computer’s wallpaper is changed to a meme image of a dog which displays “SUCH SECURITY MANY HAXX”. The encryption engine uses the combination of the AES and RSA ciphers. AES is used to encrypt the target user files and RSA is used to process the decryption key itself. It is then sent to the remote C&C servers for storage.

Some experts believe that the virus might be a test version as the criminals behind it have not provided any ransomware note indicating a ransom fee request. The virus also connects to a remote host (possibly a C&C server).

Most quality anti-spyware solutions have already added the threat’s signature to their updated definition lists.

SuchSecurity Ransomware Distribution

The SuchSecurity ransomware has already infected a number of computers worldwide. As it is a new ransomware, having been detected in the beginning of March 2017, we cannot yet judge accurately if it targets specific geographic regions.

We suspect that the malware creators behind it use the most popular infection strategies:

  • Download Portals and P2P Networks – They are popular places for infecting users with different kinds of viruses. Hacker-controlled download sites are a popular spot for placing infected software installers which bundle the malicious code with legitimate freeware or trial applications, games and utilities. BitTorrent trackers are another popular source.
  • Email Spam Campaigns – One of the most often used infection methods is email spam campaigns that utilize social engineering techniques to lure the targets into infecting themselves with the virus. In the last few months infected Microsoft Office documents have become one of the most widely used ransomware carriers. They utilize warnings and prompts which make the victims interact with dangerous macros that deliver the payload to the host system. In other cases dangerous links are added to the body of the text, which resembles legitimate-looking password resets or other messages that may be of interest to the user.
  • Dangerous Redirects, Browser Hijackers & Scripts – Dangerous scripts such as browser hijackers and ad networks can deliver the SuchSecurity Ransomware to target computers. The dangerous browser extensions modify the installed web browsers (Google Chrome, Mozilla Firefox and Internet Explorer) to redirect to dangerous hacker-controlled sites. Changes include the default search engine, home page and new tabs page. Ad networks and scripts inserted in hacker-controlled sites also link to the dangerous executable files.
  • Direct Attacks & Exploit Kits – The virus can be introduced as a secondary payload in an automated exploit kit attack.

Summary of the SuchSecurity Ransomware

Name: SuchSecurity Ransomware
File Extensions: .locked
Ransom: Unknown
Easy Solution: You can skip all steps and remove SuchSecurity Ransomware with the help of an anti-malware tool.
Manual Solution: SuchSecurity Ransomware can be removed manually, though it can be very hard for most home users. See the detailed tutorial below.
Distribution: Spam email campaigns, malicious ads, etc.

SuchSecurity Ransomware Removal

STEP I: Start the PC in Safe Mode with Network
This will isolate all files and objects created by the ransomware so they will be removed efficiently.

    1) Hit WIN Key + R


    2) A Run window will appear. In it, write “msconfig” and then press Enter
    3) A Configuration box shall appear. In it choose the tab named “Boot”
    4) Mark “Safe Boot” option and then go to “Network” under it to tick it too
    5) Apply -> OK

Or check our video guide – “How to start PC in Safe Mode with Networking”

STEP II: Show Hidden Files

    1) Open My Computer/This PC
    2) Windows 7

      – Click on “Organize” button
      – Select “Folder and search options”
      – Select the “View” tab
      – Go under “Hidden files and folders” and mark “Show hidden files and folders” option

    3) Windows 8/ 10

      – Open “View” tab
      – Mark “Hidden items” option


    4) Click “Apply” and then “OK” button

STEP III: Enter Windows Task Manager and Stop Malicious Processes

    1) Hit the following key combination: CTRL+SHIFT+ESC
    2) Go to the “Processes” tab
    3) When you find a suspicious process, right click on it and select “Open File Location”
    4) Go back to Task Manager and end the malicious process: right click on it again and choose “End Process”
    5) Next, go to the folder where the malicious file is located and delete it

STEP IV: Remove SuchSecurity Ransomware Completely Using SpyHunter Anti-Malware Tool

Manual removal of SuchSecurity Ransomware requires familiarity with system files and the registry. Deleting important data by mistake can lead to permanent system damage. Prevent this troublesome effect – delete SuchSecurity Ransomware with the SpyHunter malware removal tool.

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

STEP V: Repair Windows Registry

    1) Press the WIN Key + R combination again
    2) In the box, write “regedit” (without the inverted commas) and hit Enter
    3) Press CTRL+F and then write the malicious name in the search field to locate the malicious executable
    4) In case you have discovered registry keys and values related to the name, you should delete them, but be careful not to delete legitimate keys
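The registry search in STEP V can be narrowed to the keys that ransomware persistence normally uses. As an added example (not code from the article), the Python script below lists the values under the Run and RunOnce keys whose command line launches a given file name or path, so you can review them before deciding what to delete; it deletes nothing itself. The snapshot SAMPLE_AUTORUNS and the file name "suchsecurity.exe" are constructed placeholders, since the article does not give the malware's executable name; on a Windows machine, calling find_autorun_entries without a snapshot reads the live registry through the standard winreg module.

```python
"""Report autorun registry entries that reference a given file name or path.

Added example for STEP V of this guide, not code from the article. The
registry snapshot SAMPLE_AUTORUNS and the name "suchsecurity.exe" are
constructed placeholders; the article does not give the malware's file name.
Nothing here deletes anything: it only lists the entries you would inspect.
"""
from pathlib import PureWindowsPath

# The usual autorun locations: (hive label, subkey).
AUTORUN_KEYS = [
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
]


def executable_from_command(command):
    """Extract the program path from an autorun command line, handling both
    quoted paths with spaces ('"C:\\Program Files\\x.exe" /arg') and bare ones."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def value_matches(command, indicator):
    """True if the command's executable is named `indicator` or its path
    contains it (case-insensitive, as Windows paths are)."""
    exe = executable_from_command(command).lower()
    indicator = indicator.lower()
    return PureWindowsPath(exe).name == indicator or indicator in exe


def find_autorun_entries(indicator, snapshot=None):
    """Return [(key, value_name, command)] for entries matching `indicator`.
    `snapshot` is an iterable of (key_label, {value_name: data}); when omitted
    the live registry is read via winreg (Windows only)."""
    if snapshot is None:
        snapshot = read_live_autoruns()
    hits = []
    for key_label, values in snapshot:
        for value_name, data in values.items():
            if isinstance(data, str) and value_matches(data, indicator):
                hits.append((key_label, value_name, data))
    return hits


def read_live_autoruns():
    """Yield (key_label, {value_name: data}) for each key in AUTORUN_KEYS."""
    import winreg  # Windows-only module, imported lazily
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    for hive, subkey in AUTORUN_KEYS:
        values = {}
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                index = 0
                while True:
                    try:
                        name, data, _kind = winreg.EnumValue(key, index)
                    except OSError:      # no more values under this key
                        break
                    values[name] = data
                    index += 1
        except OSError:                  # key absent or not readable
            continue
        yield (f"{hive}\\{subkey}", values)


# Constructed snapshot standing in for the live registry of a test machine.
SAMPLE_AUTORUNS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", {
        "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
        "WinUpdate": r'"C:\Users\alice\AppData\Roaming\suchsecurity.exe"',  # placeholder name
    }),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", {
        "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    }),
]


if __name__ == "__main__":
    for key, name, cmd in find_autorun_entries("suchsecurity.exe", SAMPLE_AUTORUNS):
        print(f"{key}\n  {name} = {cmd}")
```

The indicator to search for is the file name or folder you noted in STEP III when you opened the process's file location; a value name that sounds legitimate (here "WinUpdate") but points into a user profile folder is the pattern worth a closer look.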

Further help for Windows Registry repair

STEP VI: Recover SuchSecurity Files


How To Restore SuchSecurity Files

    1) Use present backups
    2) Use professional data recovery software

      Stellar Phoenix Data Recovery – a specialist tool that can restore partitions, data, documents, photos, and 300 more file types lost during various types of incidents and corruption.
    3) Using System Restore Point

      – Hit WIN Key
      – Select “Open System Restore” and follow the steps



    4) Restore your personal files using File History

      – Hit WIN Key
      – Type “restore your files” in the search box
      – Select “Restore your files with File History”
      – Choose a folder or type the name of the file in the search bar


      – Hit the “Restore” button



Author : Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
