Danger level 7
Type: Trojans
Common infection symptoms:
  • Annoying pop-ups
  • Normal system programs crash immediately
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

5ss5c Ransomware

5ss5c Ransomware is a new infection, but it appears to have been created using another well-known threat, Satan Ransomware. The new variant, of course, has unique traits; most notably, it appears to have been created to target Chinese Windows users specifically. The ransom message that accompanies this infection is in Chinese only, and it cannot be read unless the language is installed. Just like most threats of this kind, the ransomware is likely to spread via spam emails, malicious downloaders, and RDP systems. Without a doubt, if you still have time to defend your operating system, you want to install trusted anti-malware software instantly. If your system was infected already, and your files were encrypted, it is not enough to remove 5ss5c Ransomware to get them back. In fact, it is possible that recovering the encrypted files is impossible. If you want to learn important information about the infection and its removal, please continue reading.

According to our malware analysts, 5ss5c Ransomware has very specific tasks. First of all, it can enumerate all running services and kill some of them, including emagent.exe, fdlauncher.exe, fdhost.exe, mysqld-nt.exe, nmesrvc.exe, omtsreco.exe, oracle, oracle.exe, perl.exe, reportingservicesservice.exe, sqlagent.exe, sqlservr.exe, sqlwriter.exe, and tnslsnr.exe. It is also very deliberate when it comes to the encryption of data. It does NOT encrypt files in certain folders. Some of the strings that the infection looks for in the names of these folders are windows, microsoft, python, boot, common files, internet explorer, windows defender, or temp. It also skips all files with .BIN, .BMP, .CAB, .CHM, .DAT, .DLL, .EXE, .ISO, .LIB, .LOG, .MSI, .OCX, .PBK, .POL, .SDI, .SYS, .TMP, and .WIM extensions. Unfortunately, 5ss5c Ransomware only spares system files, and all encrypted files are corrupted using a complex encryption algorithm. Afterward, you should find the “[5ss5c@mail.ru]” prefix and “.{40 random symbols}.5ss5c” extension added to the encrypted files’ names. For example, a file named “document.doc” would be presented as “[5ss5c@mail.ru]document.doc.{40 random symbols}.5ss5c” afterward. Unfortunately, you cannot restore and read the files by removing the prefix and extension.

Next to the encrypted files, 5ss5c Ransomware drops a file named “_如何解密我的文件_.txt”. If Chinese is not installed on your operating system, the name of the file and the message inside should look like gibberish. The message is used to inform the victim that they have to send 1 Bitcoin to an unlisted Bitcoin wallet to ensure that all files are decrypted. 1 BTC, at the time of research, was worth 9,000 US Dollars or 63,000 Yuan, and that is a huge ransom. The message, however, does not look legitimate because the Bitcoin wallet address is not disclosed, and it is not exactly clear what the attackers are offering in return for the money. The message also instructs the victims of 5ss5c Ransomware to email 5ss5c@mail.ru, but we do not recommend it because there is a possibility that cybercriminals could use this channel to scam victims and expose them to new malware files, and as you now know, ransomware like this one can be spread using misleading spam emails. Paying the ransom is not a good idea either because the attackers are unlikely to offer anything useful in return. If you want to take a risk, do that only after you think about it long and hard. In the best-case scenario, you will be able to replace the encrypted files using backups.
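An added example (not from the original article or its analysts): a Python triage helper that takes a file listing from an affected host, recognises the renamed files and the ransom note described above, and recovers the original names so they can be matched against backups. It assumes the 40 "random symbols" contain no dot or path separator; the sample paths are constructed.

```python
import re
from pathlib import PureWindowsPath

# Values taken from the article text.
NOTE_NAME = "_如何解密我的文件_.txt"
SPARED_EXTS = {".bin", ".bmp", ".cab", ".chm", ".dat", ".dll", ".exe", ".iso", ".lib",
               ".log", ".msi", ".ocx", ".pbk", ".pol", ".sdi", ".sys", ".tmp", ".wim"}

# Assumption: the 40 "random symbols" contain no dot or path separator.
ENCRYPTED = re.compile(r"^\[5ss5c@mail\.ru\](?P<orig>.+)\.(?P<token>[^./\\]{40})\.5ss5c$")

def classify(path):
    """Return (kind, original_name) for one Windows path from a file listing."""
    name = PureWindowsPath(path).name
    if name == NOTE_NAME:
        return ("ransom_note", None)
    m = ENCRYPTED.match(name)
    if not m:
        return ("other", None)
    return ("encrypted", m.group("orig"))

def inventory(paths):
    """Summarise a listing: files to restore from backup, notes, anomalies."""
    report = {"restore": [], "notes": [], "unexpected": []}
    for p in paths:
        kind, orig = classify(p)
        if kind == "ransom_note":
            report["notes"].append(p)
        elif kind == "encrypted":
            report["restore"].append(str(PureWindowsPath(p).with_name(orig)))
            # The article says these extensions are skipped, so a hit here
            # suggests a different variant or a file renamed by hand.
            if PureWindowsPath(orig).suffix.lower() in SPARED_EXTS:
                report["unexpected"].append(p)
    return report

# Constructed sample listing (not taken from a real incident).
TOKEN = "A1b2C3d4E5" * 4  # 40 placeholder characters
SAMPLE = [
    rf"C:\Users\li\Documents\[5ss5c@mail.ru]document.doc.{TOKEN}.5ss5c",
    r"C:\Users\li\Documents\_如何解密我的文件_.txt",
    r"C:\Users\li\Documents\notes.txt",
    rf"D:\data\[5ss5c@mail.ru]setup.exe.{TOKEN}.5ss5c",
]

if __name__ == "__main__":
    for key, items in inventory(SAMPLE).items():
        print(key, items)
```

The `restore` list is the set of original paths to look for in backups; the encrypted copies themselves are not recovered by renaming.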

If you do not have backups of your personal files stored somewhere safe, paying the ransom requested by the attackers behind 5ss5c Ransomware might seem like the only option you’ve got, but is that a real option? Our researchers do not think that it is because the attackers are unlikely to help you regardless of what you do and what demands you obey. You should take a moment to think things through, but you should not wait to delete 5ss5c Ransomware. It might be difficult to remove the infection if its launcher cannot be found – which, unfortunately, is something we cannot help you with – but a legitimate anti-malware tool would have no issue removing this threat automatically. We strongly recommend installing such a tool because it can instantly clean and protect your operating system, and reliable protection is necessary if you want to keep new infections away from your computer and your personal files.

5ss5c Ransomware Removal

  1. Delete recently downloaded suspicious files.
  2. Delete the ransom note file named _如何解密我的文件_.txt.
  3. Tap Win+E keys to access Windows Explorer.
  4. Enter %PROGRAMDATA% into the field at the top.
  5. Delete the folder named 5ss5c_token.
  6. Launch Run (tap Win+R) and enter regedit into the dialog box.
  7. In Registry Editor, move to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  8. Delete the value named 5ss5cStart.
  9. Exit Registry Editor and then empty the Recycle Bin.
  10. Perform a full system scan to check for leftovers using a trusted malware scanner.