.Sinta Files Virus – How to Remove SintaLocker + Restore Files


This article explains how to remove the .sinta files virus, called SintaLocker, and how to restore files that this ransomware has encrypted with the .sinta extension without paying.

A new file-encrypting virus has been detected in the wild. It encrypts the files on victims' computers and then adds the .sinta file extension to them. The virus then drops a ransom note file named “README_FOR_DECRYPT.md”, which aims to extort victims into paying a hefty ransom of $100 USD in BitCoin to get the files decrypted. If your computer has been infected with the .sinta files virus, we recommend that you read the following article to learn how to remove this ransomware from your computer and how to try to recover your encrypted files without having to pay any ransom.

Threat Summary

Name: SintaLocker
Type: Ransomware, Cryptovirus
Short Description: Encrypts the files on your computer, then asks you to pay the sum of $100 as a ransom to get them to work again.
Symptoms: Files are encrypted and given the .sinta file extension, and a ransom note called README_FOR_DECRYPT.md is dropped.
Distribution Method: Spam Emails, Email Attachments, Executable files

.sinta Files Ransomware – How Did I Get Infected

The primary method of infection which has been detected to be associated with SintaLocker is malicious spammed e-mails whose primary purpose is to get victims to open a malicious e-mail attachment, usually disguised as a legitimate type of file. Such files may pretend to be:

  • Documents.
  • Receipts.
  • Invoices.
  • Banking statements.
  • Financial reports.

The malicious files being spread may come in different ways:

  • Via malicious macros embedded in legitimate Microsoft Office documents.
  • Via links to Dropbox and other types of online services that lead to external file sharing sites.
  • Via a malicious file attached directly to the e-mail inside an archive.

The messages that accompany the e-mail attachments are convincing in nature and stress the importance of the attached files. Here is an example of such a message:

Analysis of SintaLocker Ransomware

Once the SintaLocker virus has infected your computer, the malware may connect to a distribution host via an unsecured port on your computer system. From there, SintaLocker drops its malicious files on your computer system. They are primarily located in the Windows directories commonly targeted by malware:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%

Since SintaLocker is a CryPy ransomware variant, the virus may drop files of the following file types under different, often random names:

→ .exe, .tmp, .bat, .cmd, .dll, .vbs, etc.

As soon as the payload of the SintaLocker CryPy variant is dropped, the malware may start to modify your computer by first obtaining administrative permissions. Only then may the .sinta files virus modify the Windows Registry and set custom registry entries that allow it to run automatically on system startup. The targeted sub-keys for this purpose are the following:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
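
To review the autostart keys listed above, saved `reg query` output for each key can be checked for entries that launch files from the AppData locations and with the dropped file types the article names. This Python example is added here and is not part of the original article; the sample output, value names and paths are constructed, and a match is a lead for review, not a verdict.

```python
import re
from pathlib import PureWindowsPath

# Autostart keys named in the article (compared lower-cased).
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")
# AppData drop locations and dropped file types named in the article.
DROP_MARKERS = ("\\appdata\\", "%appdata%", "%localappdata%")
DROP_EXTS = {".exe", ".tmp", ".bat", ".cmd", ".dll", ".vbs"}

# reg.exe prints "    <name>    <type>    <data>" under each key line.
VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
# Quoted strings, or unquoted drive / %VAR% paths, inside the value data.
PATH_RE = re.compile(r'"([^"]+)"|([A-Za-z]:\\\S+|%\w+%\\\S+)')

def suspicious_autoruns(reg_query_output):
    """Return (key, value_name, target) for Run/RunOnce entries worth reviewing."""
    findings, key = [], None
    for line in reg_query_output.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if not m or key is None or not key.lower().endswith(RUN_KEYS):
            continue
        # A value may start an interpreter with the dropped file as an argument,
        # so every path-like token in the data is inspected, not only the first.
        for quoted, bare in PATH_RE.findall(m["data"]):
            target = quoted or bare
            in_drop_dir = any(mark in target.lower() for mark in DROP_MARKERS)
            if in_drop_dir and PureWindowsPath(target).suffix.lower() in DROP_EXTS:
                findings.append((key, m["name"], target))
    return findings

# Constructed sample of `reg query` output (hypothetical value names and paths).
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    qzkvbw    REG_SZ    C:\Users\alice\AppData\Roaming\qzkvbw.exe
    updater    REG_SZ    wscript.exe "C:\Users\alice\AppData\Local\Temp files\sync.vbs" //B

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    cleanup    REG_SZ    "C:\Program Files\Vendor\cleanup.exe" /once
"""

if __name__ == "__main__":
    for key, name, target in suspicious_autoruns(SAMPLE):
        print(f"{key} :: {name} -> {target}")
```

Legitimate software also autostarts from AppData, so each reported entry still has to be checked against what is installed on the machine.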

In addition to this activity, the SintaLocker ransomware may also delete your shadow volume copies by running a malicious script in the background of your computer which uses the vssadmin and bcdedit commands:

→ process call create “cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures”
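
Process-creation logs can be checked for the three recovery-inhibiting actions in the command quoted above. The following Python detection sketch is an added example, not code from the original article; the event fields (host, cmdline) and the sample events are constructed, with the first command line taken from the article.

```python
import re

# One rule per recovery-inhibiting action in the command quoted in the article.
RULES = {
    "shadow_copy_delete": re.compile(
        r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "recovery_disabled": re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+(?:\{[\w-]+\}\s+)?recoveryenabled\s+no\b", re.I),
    "boot_failures_ignored": re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+(?:\{[\w-]+\}\s+)?"
        r"bootstatuspolicy\s+ignoreallfailures\b", re.I),
}
QUOTES = re.compile("[\"\u201c\u201d]")  # straight and typographic double quotes

def inhibit_recovery_hits(cmdline):
    """Return the sorted names of the rules matched by one command line."""
    norm = re.sub(r"\s+", " ", QUOTES.sub("", cmdline))
    return sorted(name for name, rx in RULES.items() if rx.search(norm))

def triage(events):
    """Return (host, hits) for every event that matches at least one rule."""
    out = []
    for ev in events:
        hits = inhibit_recovery_hits(ev["cmdline"])
        if hits:
            out.append((ev["host"], hits))
    return out

# Constructed process-creation events; the first cmdline is the article's string.
SAMPLE_EVENTS = [
    {"host": "ws-01", "cmdline": "process call create \u201ccmd.exe /c vssadmin.exe "
     "delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & "
     "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\u201d"},
    {"host": "ws-02", "cmdline": "vssadmin.exe list shadows"},
    {"host": "srv-03",
     "cmdline": '"C:\\Windows\\System32\\vssadmin.exe" Delete Shadows /For=C: /Oldest'},
    {"host": "ws-04", "cmdline": "bcdedit.exe /enum all"},
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS):
        print(host, ", ".join(hits))
```

A single hit such as the one on srv-03 can be routine administration; all three rules firing in one command line, as on ws-01, is the pattern the article describes.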

After this is complete, the SintaLocker ransomware may also drop its ransom note file, which may be either in the .md file format or a .txt document. Either way, the file is named README_FOR_DECRYPT and has the following content:

! ! OWNED BY SintaLocker ! ! !

All your files are encrypted by SintaLocker with strong chiphers.
Decrypting of your files is only possible with the decryption program, which is on our secret server.
All encrypted files are moved to __SINTA I LOVE YOU__ directory and renamed to unique random name.
To receive your decryption program send $100 USD Bitcoin to address: 1NEdFjQN74ZKszVebFum8KFJNd9oayHFT1
Contact us after you send the money: [email protected]

Just inform your identification ID and we will give you next instruction.
Your personal identification ID: {ID}

As your partner,
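
The on-disk indicators described up to this point (the .sinta extension, the README_FOR_DECRYPT note in .md or .txt form, and the directory name given in the note) can be used to scope an infection on a mounted disk or share. This Python scan is an added example and not part of the original article; the function names are illustrative.

```python
import os

ENCRYPTED_EXT = ".sinta"                      # extension added to encrypted files
NOTE_NAMES = {"readme_for_decrypt.md", "readme_for_decrypt.txt"}
STAGING_DIR = "__sinta i love you__"          # directory name stated in the note

def scan_for_sinta(root):
    """Walk root and collect the indicators, compared case-insensitively."""
    found = {"encrypted": [], "notes": [], "staging_dirs": []}
    # followlinks=False keeps the walk inside the evidence tree; unreadable
    # directories are skipped by os.walk's default error handling.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for d in dirnames:
            if d.lower() == STAGING_DIR:
                found["staging_dirs"].append(os.path.join(dirpath, d))
        for f in filenames:
            low = f.lower()
            full = os.path.join(dirpath, f)
            if low in NOTE_NAMES:
                found["notes"].append(full)
            elif low.endswith(ENCRYPTED_EXT):
                found["encrypted"].append(full)
    return found

def affected_directories(found):
    """Count encrypted files per directory, most affected first."""
    counts = {}
    for path in found["encrypted"]:
        parent = os.path.dirname(path)
        counts[parent] = counts.get(parent, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    import sys
    result = scan_for_sinta(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("ransom notes:", len(result["notes"]))
    print("staging directories:", result["staging_dirs"])
    for directory, count in affected_directories(result):
        print(f"{count:6d}  {directory}")
```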


SintaLocker’s Encryption Procedure

Similar to the CryPy ransomware from which it derives, SintaLocker may also use the same AES-256 encryption algorithm in order to render the files no longer openable by the victim. To do this, the virus performs the following activities in sequence:

1) Encrypts the file using a strong AES-256 encryption algorithm.
2) Generates a unique decryption key.
3) Sends the decryption key to the SintaLocker ransomware’s command and control server.

The SintaLocker ransomware does not encrypt just any file. The virus may target files that are often used, such as the following file types:

  • Documents.
  • Audio files.
  • Videos.
  • Image files.
  • Archives.
  • Files associated with often used programs.

The virus skips encrypting files in the following important Windows directories:


After this has been done, the SintaLocker ransomware adds the .sinta file extension to the encrypted files, resulting in them looking like the following:

Remove SintaLocker Ransomware and Restore .sinta Encrypted Files

In order to get rid of this ransomware virus, you will need to isolate it first and then hunt for all the changes it has made on your computer, plus the files created by it. You can follow the manual removal instructions below to do this. However, malware researchers strongly recommend downloading ransomware-specific anti-malware software, which will take care of SintaLocker ransomware automatically and make sure that your computer remains protected against other threats as well.

If you want to restore files that have been encrypted by SintaLocker ransomware, it is strongly advisable to try out the alternative methods for file recovery below in step “2. Restore files encrypted by SintaLocker”. They are specifically designed to help you restore as many files as possible without paying any ransom. Even though they may not be 100% effective, we have received reports on our forums that victims have been able to restore up to 50+ files using those tools.

Manually delete SintaLocker from your computer

Note! Important notice about the SintaLocker threat: Manual removal of SintaLocker requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove SintaLocker files and objects

2. Find malicious files created by SintaLocker on your PC

Automatically remove SintaLocker by downloading an advanced anti-malware program

1. Remove SintaLocker with SpyHunter Anti-Malware Tool and back up your data

2. Restore files encrypted by SintaLocker

Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
