Sicck Ransomware Removal Guide

Do you know what Sicck Ransomware is?

Sicck Ransomware is not some sick joke played on you by cyber attackers. It is a serious and real threat that can basically destroy your personal files. Once the infection corrupts files, the data is encrypted, and recovering the key used is practically impossible. The only ones who might have the decryption key are the creators of the ransomware, and even though they promise to give it away if a ransom is paid, our research team does not recommend paying it. Even if cyber attackers decrypt three files for free as promised, you should not expect them to help you out. If you look for tools that can decrypt files, be careful not to install malware. If you keep reading, you will learn more about the infection, as well as how to delete it manually. Note that the removal of Sicck Ransomware is exceptionally important!

Although Sicck Ransomware functions like most other file-encrypting infections – a few other examples are blacklist@clock.li Ransomware or GusLocker Ransomware – our research team reports that this threat is also capable of spreading across the network using the Shadow Brokers SMB exploit. This exploit was, most famously, used by the attackers behind the infamous WannaCry Ransomware. Once one vulnerable system on the network is infected, the infection scans the network to look for other vulnerable systems that could be affected as well. It is important to note that the Shadow Brokers SMB exploit can be used successfully only on outdated Windows operating systems. If you update your system regularly, you should avoid the invasion of malware and the removal issues that come with it.

If Sicck Ransomware is executed successfully, it drops a file to the %HOMEDRIVE% directory. In our case, we needed to remove a file named “Sicck.exe,” but it is possible that you would encounter an entirely different name. If you do not delete this file, the encryption of files begins immediately, and all corrupted files’ names are modified. “[sicck@protonmail.com]” is added at the front, and “.sicck” is added at the end (e.g., document.doc is turned into [sicck@protonmail.com]document.doc.sicck). After encryption, Sicck Ransomware launches “How__to__decrypt__files.txt” (created in %HOMEDRIVE% as well). This TXT file displays the same ransom note in three different languages: English, Chinese, and Korean. The gist of it is that the victim has to pay 1 Bitcoin (at the time of analysis, this was around 4000 USD) for a decryptor. The note instructed the victim to send that to 3QxVmxcyVcqDpuVJ8QTSy83BbWvZvCoYcV, a Bitcoin Wallet that we found to be empty. The message also instructed the victim to send a unique “HardWareID” to sicck@protonmail.com or sicck@airmail.cc along with three files.
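The renaming scheme and ransom note name described above can be used to measure how far the encryption reached. The following read-only triage script is an added example, not part of the original guide or any vendor tool; the function names and the sample tree are assumptions made for illustration. It lists affected files with their original names and locates ransom notes, and it does not decrypt or delete anything.

```python
import os
import tempfile
from pathlib import Path

PREFIX = "[sicck@protonmail.com]"          # marker the guide says is prepended
SUFFIX = ".sicck"                          # extension the guide says is appended
NOTE_NAME = "How__to__decrypt__files.txt"  # ransom note name from the guide


def original_name(name):
    """Return the pre-encryption file name, or None if the Sicck markers are absent."""
    lower = name.lower()  # Windows file names are case-insensitive
    if (lower.startswith(PREFIX) and lower.endswith(SUFFIX)
            and len(name) > len(PREFIX) + len(SUFFIX)):
        return name[len(PREFIX):-len(SUFFIX)]
    return None


def triage(root):
    """Walk root without modifying it; collect renamed files and ransom notes."""
    report = {"encrypted": [], "notes": [], "dirs": {}}
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            full = Path(dirpath) / name
            if name.lower() == NOTE_NAME.lower():
                report["notes"].append(full)
                continue
            orig = original_name(name)
            if orig is not None:
                report["encrypted"].append((full, orig))
                report["dirs"][dirpath] = report["dirs"].get(dirpath, 0) + 1
    return report


def build_sample_tree():
    """Constructed sample data: empty files that only imitate the naming scheme."""
    root = Path(tempfile.mkdtemp(prefix="sicck_triage_"))
    (root / "docs").mkdir()
    for name in ("[sicck@protonmail.com]document.doc.sicck",
                 "[sicck@protonmail.com]photo.jpg.sicck",
                 "untouched.txt", "notes.sicck"):
        (root / "docs" / name).touch()
    (root / NOTE_NAME).touch()
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())
    for path, orig in result["encrypted"]:
        print(f"{path} -> was {orig}")
    print(f"{len(result['encrypted'])} renamed files, {len(result['notes'])} ransom notes")
```

To check a real system, call `triage()` on the drive or user profile path instead of the sample tree; the per-directory counts in `dirs` show which folders need to be restored from backup.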

As we discussed earlier, the creator of Sicck Ransomware is unlikely to help with the decryption of files, which is why we do not recommend emailing them or paying the ransom they request. Instead, you should focus on the removal of the infection. Can you delete Sicck Ransomware manually? That depends on whether or not you can find the launcher. Its name and location are random. Of course, considering that the threat is likely to spread via spam emails, and that users are likely to execute it themselves, you might be able to find it. If you are not able to perform removal manually, do not hesitate to use an anti-malware program. It will not only erase the infection but will also protect the system thereafter.

Remove Sicck Ransomware from Windows

  1. Find the {unknown name}.exe launcher of the ransomware and Delete it.
  2. Launch Explorer by tapping Win+E keys.
  3. Enter %HOMEDRIVE% into the field at the top of the window.
  4. Delete the files named How__to__decrypt__files.txt and Sicck.exe (this one could be different).
  5. Once you Empty Recycle Bin, perform a full system scan using a reliable malware scanner.

In non-techie terms:

If your Windows operating system was attacked by Sicck Ransomware and the files stored on it were successfully encrypted, you might feel stuck. There are no legitimate decryptors that could help – at least there weren’t at the time of research – and the only option you are offered is to pay a ransom in return for a decryptor. Paying the ransom is a huge gamble, and we do not recommend taking it. What we recommend doing is figuring out how to delete Sicck Ransomware and protect your operating system. We suggest using anti-malware software. It will clear infections and guarantee protection against them in the future. As for the files, you can recover them only if you have them backed up, which is why we also suggest backing up all important files from this point on.