Home / Spyware Help / Styx Ransomware Removal Guide

Styx Ransomware Removal Guide

by 0 Comments

Do you know what Styx Ransomware is?

A new filename extension .styx appended to your pictures, documents, slides, music, and videos is a clear sign that Styx Ransomware has infiltrated your computer successfully. It is not an ordinary program. Instead, it is a threat that belongs to the family of crypto-malware. It has been developed by cyber criminals in .NET so that it would be easier for them to obtain easy money. It goes to encrypt users’ files the first thing, which is why files can no longer be accessed following its successful entrance. To make it impossible for users to restore them, it not only uses a strong encryption algorithm (AES-256) to encrypt data, but also deletes all Shadow Volume Copies of files by executing the following command: vssadmin.exe delete shadows /all /quiet. We know how badly you need your files back, but we cannot let you pay money for the decryption of your data because the chances are high that you will not get anything from cyber criminals even if you send the exact amount of money indicated in the ransom note to them. What you need to do for sure is to delete this threat from your computer so that it could not cause more problems for you. Luckily, Styx Ransomware works from the place it has been launched and does not create any additional files on compromised machines, so its removal should not be a challenge for you. Of course, if you have never erased malware yourself before, you should still read this report till the end before you start the ransomware removal procedure.

Styx Ransomware does not differ much from older ransomware infections analyzed by our malware researchers, but it still has one unique feature. The study has shown that it collects some information about victims before encrypting their files. These are details about the processor, hard drive, motherboard, etc. On top of that, it tries to establish communication with its C&C server. In our case, it was mfbhwqtjkcis.ru (IP address: 195.14.105.12). Once the communication is established, it starts encrypting files found on the compromised machine. As mentioned in the 1st paragraph, these are pictures, videos, music, documents, and more. The .styx filename extension is not the only new thing you will notice after its entrance. It also drops ransom notes in .txt and .html formats to several different directories, including %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup, %USERPROFILE%\Desktop, %USERPROFILE%\Pictures, and %APPDATA%. These files explain users why they can no longer open their personal files. Also, users find out that they could decrypt their files only if they purchase the decryption key that costs 300 USD. Do not even think about transferring money to cyber criminals if you do not want to be left both without your money and your files. Since Styx Ransomware deletes Shadow Volume Copies of files, there is not much you could do to decrypt your data for free. The only thing you could do is transferring copies of these encrypted files to your computer from a backup after the full Styx Ransomware removal.Styx Ransomware Removal GuideStyx Ransomware screenshot
Scroll down for full removal instructions

Ransomware infections slither onto computers illegally and then start performing malicious activities on compromised machines right away. According to our researchers, this threat should be mainly spread via spam emails, but, of course, other distribution methods might be used to promote it too. If you have already encountered this threat and found your personal files locked, go to remove it from your computer right away because you might launch it incidentally again and this will result in the encryption of all your new files. Make sure you check your USB flash drive too because Styx Ransomware could have copied itself to it without your knowledge seeking to spread itself further.

Your files will not be unlocked even if you delete Styx Ransomware, but you must still delete all its components today so that you would not launch it ever again. It is not one of these sophisticated threats, so you could delete it manually by erasing the malicious file launched and all ransom notes created on your computer.

How to remove Styx Ransomware

  1. Delete the malicious file you have launched before discovering your files encrypted (it might be located in %USERPROFILE%\Downloads or %USERPROFILE%\Desktop).
  2. Remove all ransom notes dropped by the ransomware infection from the following directories:
  • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
  • %USERPROFILE%\Desktop
  • %USERPROFILE%\Documents
  • %USERPROFILE%\Pictures
  • %USERPROFILE%\Music
  • %USERPROFILE%\Videos
  • %APPDATA%

In non-techie terms:

Styx Ransomware is a nasty infection that will lock your files completely if it ever slithers onto your computer. Just like a bunch of other ransomware infections, there is only one reason it does that – to help cyber criminals behind it to extract money from computer users. It goes without saying that you should not send them a cent. What you must do instead is to erase Styx Ransomware as soon as possible. Unfortunately, it might be impossible to decrypt files encrypted by this ransomware infection, but you can restore them easily for free if you have a backup.