Syrk Ransomware Removal Guide

You might not notice when Syrk Ransomware (also known as Syrk Malware) slithers in, but you are bound to notice this infection once it declares that your personal files were encrypted. It is still unclear how this malicious infection spreads, but spam emails, malicious downloaders, and RDP backdoors are likely to be exploited. Once the infection is inside the targeted system, it can do more than just encrypt files. It can disable some of the system’s utilities too to make it harder for victims to detect and remove the malicious infection. Without a doubt, deleting Syrk Ransomware is crucial, and we recommend taking care of it sooner rather than later. Unfortunately, you cannot decrypt files by eliminating the threat. If your personal files are encrypted, you need to obtain a decryptor, replace encrypted files with backup copies, or count your losses. That is what we discuss in this report. If you have questions that are left unanswered, please do not hesitate to leave them in the comments section.

When Syrk Ransomware slithers into the system, it starts making a mess right away. First of all, it creates a bunch of files. In %LOCALAPPDATA%\Microsoft it created files named +dp-.txt, -i+.txt, and -pw+.txt, but all of them were hidden, and so it was necessary to adjust the settings to show hidden files. In the %PUBLIC%\Documents folder, the infection created LimeUSB_Csharp.exe, startSF.exe, and {unique name}.exe files. In %USERPROFILE%\Documents\WindowsPowerShell\Modules\Cipher we found cry.ps1 and Cipher.psm1. Without a doubt, all of these files deserve removal, and you can learn how to remove them manually using the instructions below. Besides creating files, Syrk Ransomware also terminated Task Manager, Procmon64 and ProcessHacker processes and modified DisableAntiSpyware and EnableLUA registries in the Windows Registry. This was done to disable Windows User Account Controls and Windows Defender. All of this is done to ensure that Windows security software does not detect the infection and warn about it, and so that the victims could not control the situation and perform removal.

After Syrk Ransomware got settled, it immediately started encrypting files, and the “.Syrk” extension was appended to make them more noticeable. After that, the infection launched a window with a short message and a timer. The message informed that files were encrypted and that victims had to send an email to panda831@protonmail.com to get a password that would, allegedly, decrypt the files. The same message is delivered using a file named “Readme_now.txt,” which is created on the Desktop. So, would you get the decryption password if you sent the message? That is highly unlikely. In fact, it is most likely that you would be asked to pay a ransom first. Even so, paying it is not recommended because cyber criminals are unlikely to exchange it for the decryptor. Unfortunately, if you do not take any steps, Syrk Ransomware removes files after the timer hits 0:00:00. According to our research team, the infection should delete files in three folders: %USERPROFILE%\Pictures, %USERPROFILE%\Desktop, and %USERPROFILE%\Documents.

Since you are unlikely to obtain a decryptor, we do not advise sending the message to the attackers behind Syrk Ransomware at all. Hopefully, you have backups stored online or on external drives, and you can easily replace the corrupted files. Otherwise, you have to count your losses. Losing personal files, without a doubt, is very tragic, which is why you need to take extra precautions to secure them. Implementing reliable anti-malware software to secure the operating system against dangerous threats is an important step, but it might not be enough. That is why you MUST create backups, and we suggest relying on external or online backups. Speaking of anti-malware software, it might be high time for you install it, and if you do, you will have Syrk Ransomware removed automatically. If you are not interested in this option, you will need to perform removal manually, and, hopefully, you can follow the guide below. The launcher of the infection has a random name and could be anywhere, and so if you can find and delete this file, the rest of the steps should be easy enough to follow.

How to delete Syrk Ransomware

1. Identify the {unique name}.exe file that launched the infection, right-click it, and choose Delete.
2. Launch Explorer by tapping keys Win+E on the keyboard at the same time.
3. Enter %USERPROFILE%\Documents\WindowsPowerShell\Modules\Cipher into the box at the top.
4. Right-click and Delete the files named Cipher.psm1 and cry.ps1.
5. Enter %PUBLIC%\Documents into the box at the top.
6. Right-click and Delete the files named LimeUSB_Csharp.exe, startSF.exe, and {unique name}.exe.
7. Enter %LOCALAPPDATA%\Microsoft into the box at the top.
8. Go to View, click Options, move to the View tab, and choose Show hidden files, folders, and drives.
9. Right-click and Delete the files named +dp-.txt, -i+.txt, and -pw+.txt.
10. Exit Explorer and then move to the Desktop.
11. Right-click and Delete the file named Readme_now.txt.
12. Empty Recycle Bin to eliminate all malicious files completely.
13. Install a legitimate malware scanner and use it to perform a complete system scan.