Suri Ransomware - How to remove

Suri is the name of an extremely dangerous computer virus. Recently discovered by MalwareHunterTeam and published on Twitter, this infection is classified as ransomware and it can cause severe damage to your personal files or completely paralyze your entire operating system, making your computer unusable.


It seems that this particular infection is targeted at users who speak Italian, because all of the texts are in Italian. It might also be that the developers of this ransomware are from Italy and they didn’t bother to translate their message into English.

However, even if you don’t speak Italian, this virus might hit you. It would be even more frustrating because you wouldn’t be able to understand what this is all about.

If this has happened to you, we are here to help: there is an alternative to actually paying the ransom that they are requesting. In this article, we will answer the question of how to remove the Suri virus and also restore your personal files that have been encrypted.

How Suri Virus Can Lock Your Files

The operation scheme of this infection is rather typical. Other ransomware viruses like .NEWRAR Files Virus, BGTX virus, or Godsomware operate the same way, so it’s not that difficult for us to get a feel for how it works.

First of all, the malicious files of the Suri ransomware need to be uploaded to your computer. To do that, cyber criminals employ various distribution techniques, which are not legal either. Once that is done, the encryption process starts automatically. It begins by scanning all the files that are stored on your hard drive to identify what can be encrypted. When that’s done, it runs a complicated and strong encryption mechanism that uses special cryptography to put a lock on those files.

All your personal files like text documents, programs, images, audio and video files are then encrypted. They get a unique .SLAV extension at the end – it marks that the file is locked and you won’t be able to open it. Then a unique decryption key is automatically generated – it is a code of random letters and digits that makes it possible to reverse the encryption process and decrypt your files. Unfortunately, the cyber criminals behind Suri ransomware store this key on a remote server, and in order to access it, you will be asked to pay a ransom.

Also, after this process, a new window will pop up and your desktop image will be changed to a message from the crooks. Again, it is in Italian:

Ciao utente,
tutti i tuoi file personali sono stati cryptati.Non si torna più indietro ormai.
Riavviando o altro non risolvi nulla. Ora forse ti chiederai come fare.
Semplice! Invia una somma di 100 Euro in bitcoin all’indirizzo sottostante.

Tgliendomi condannerai tutti i tuoi file.
Perché ? Solo io sono in grado di decryptare tutti tuoi file e solo io ho la
chiave pubblica.

Dopo aver pagati che succede ?
Tutti i tuoi file personali verrano decryptati e io mi auto elimino.

The message translated into English by an automatic online translator:

Hello user,
all your personal files have been encrypted.  Don’t go back any further now.
Restarting or else you will not solve anything. Now maybe you’ll wonder how to do it.
Simple! Send a sum of 100 euros in bitcoins to the address below.

You will condemn all your files to me.
Because ? Only I am able to decrypt all your files and only I have the
public key.

After paying what happens?
All your personal files will be decrypted and I will delete them.

As you can see, they want 100 euros in exchange for the decryption key. Even though it’s a relatively low amount (compared to other ransomware infections), we suggest not paying it. The code of this virus is not flawless and cyber security researchers were able to develop a free decryption tool that will help you solve this problem. So there is definitely no point in paying the ransom and supporting cyber criminals this way.

How To Decrypt Files Locked by Suri

There is one thing you must do before unlocking your files that have been compromised by Suri – you must remove the virus itself. If you simply restore your files and just leave the virus to sit on your system, it will repeat the encryption right away and it will do it as long as you don’t remove it from the infected system completely.

Ransomware is a complicated virus – you can get rid of adware or browser hijackers manually, but in this case, it’s not going to work. That’s why you should scan your computer with top-class anti-malware software – Spyhunter. It is proven to be highly effective at fighting ransomware viruses, so it will take no time for it to detect and actually remove all the files of the Suri virus.

Then, you should retrieve your files. As we have already mentioned, there is a free decryption tool available online. It was originally designed for Stupid ransomware, but since both Stupid and Suri are very much alike, it should work in this case too. Just use it to remove the .SLAV encryption lock from all of your files and continue to use them.

If you need a further and more detailed explanation on how to deal with this infection – read the instructions below.



How to recover Suri Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:


for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
 

2. Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points that were created before Suri Ransomware infiltrated your system and then click “Next”.
  • To start System Restore click “Yes”.
 

Step 2. Complete removal of Suri Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to Suri Ransomware.

Step 3. Restore Suri Ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files as they were at the point in time when the system restore snapshot was created. Usually Suri Ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so.

Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
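To keep track of the recovery described above, the following script (an added example, not part of the original article or any tool it mentions) lists which .SLAV files already have a restored copy beside them and which are still locked only. It assumes, as the article describes, that .SLAV is appended to the original file name, and it treats the oldest modification time among the locked files as an approximation of when encryption started, which helps in choosing a restore point or shadow copy from before the infection; the function name `inventory_slav` is hypothetical.

```python
from datetime import datetime, timezone
from pathlib import Path

ENCRYPTED_SUFFIX = ".slav"  # extension named in the article, matched case-insensitively


def inventory_slav(root):
    """Classify every *.SLAV file under `root`.

    Returns a dict:
      recovered    - locked files with a non-empty unencrypted copy beside them
      unrecovered  - locked files with no usable copy yet
      first_locked - oldest modification time among locked files (UTC), or None;
                     an assumed approximation of when encryption started
    """
    root = Path(root)
    recovered, unrecovered, oldest = [], [], None
    for path in root.rglob("*"):
        if path.suffix.lower() != ENCRYPTED_SUFFIX or not path.is_file():
            continue
        mtime = path.stat().st_mtime
        oldest = mtime if oldest is None else min(oldest, mtime)
        original = path.with_suffix("")  # report.docx.SLAV -> report.docx
        # A zero-byte counterpart is not a usable recovery.
        usable = original.is_file() and original.stat().st_size > 0
        (recovered if usable else unrecovered).append(
            path.relative_to(root).as_posix())
    return {
        "recovered": sorted(recovered),
        "unrecovered": sorted(unrecovered),
        "first_locked": None if oldest is None
        else datetime.fromtimestamp(oldest, tz=timezone.utc),
    }


if __name__ == "__main__":
    import sys
    report = inventory_slav(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("Encryption appears to have started around:", report["first_locked"])
    print("Pick a restore point or shadow copy created before that time.")
    for name in report["unrecovered"]:
        print("still locked, no copy:", name)
    print(len(report["recovered"]), "locked files already have a restored copy")
```

Run it against the folder you are recovering, for example `python inventory.py C:\Users`, after the virus itself has been removed.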

Step 4. Use Data Recovery programs to recover Suri Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a slave drive. It is still possible to do this on the infected PC though.
  • Download a data recovery program.
  • Install and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.
