New Razy v2 Ransomware – Remove It and Restore .razy1337 Files

Razy ransomware has been released in a second variant, and this time the virus uses more sophisticated and thoroughly checked code as well as an advanced obfuscator. It may still employ the AES file encryption algorithm, which renders the files of affected users no longer openable. After infection, Razy also changes the wallpaper and drops a ransom note that notifies the victim and gives instructions on how to pay the sum of 0.5 BTC to decrypt their files.

Threat Summary

Name: Razy
Type: Ransomware
Short Description: The malware encrypts users' files using an AES cipher, which renders them unopenable until a ransom of 0.5 BTC is paid to the cyber-criminals behind the virus.
Symptoms: The user may witness ransom notes and various instructions being dropped that explain the situation. The extension .razy1337 is added to the encrypted files.
Distribution Method: Via an exploit kit, DLL file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool: See If Your System Has Been Affected by Razy (download a malware removal tool).
User Experience: Join our forum to discuss Razy.
Data Recovery Tool: Data Recovery Pro by ParetoLogic. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

Razy Ransomware – More Information

How Does Razy Distribute

To disguise the malicious files of the virus, the cyber-criminals have undertaken a very ambitious obfuscation using the ConfuserEx obfuscator, which has been released publicly on GitHub as open source code. This obfuscator aims to conceal the malicious files belonging to Razy Ransomware so that the infection can proceed while remaining unnoticed by any security software on the user's computer.

The ConfuserEx obfuscator has many features, the primary ones being:

  • Constant encryption and resource encryption.
  • Compressing output.
  • Anti-tampering.
  • Anti-memory dumping.
  • Anti-debugger and anti-profiler checks.
  • Control flow obfuscation.

The obfuscated payload may then be combined with other files via software known as file joiners and uploaded online via different methods, such as:

  • Spam e-mail messages.
  • Fake programs.
  • Fake key generators or game patches and cracks uploaded on torrent websites.
  • Combined with modified installers of legitimate programs.

Razy Ransomware 2.0 – Post-Infection Activity

After having infected the user, the ransomware creates several different files on the computer, which are located in key Windows folders, such as:

  • %AppData%
  • %Roaming%
  • %Local%
  • %Temp%
  • %Windows%

The files may be different support modules, each performing a different activity, and they could be of different executable or system types, such as:

→ .cmd, .bat, .vbs, .exe, .js, .dll, .tmp

The virus then modifies registry entries so that it runs every time Windows starts.

After they are modified, the second variant of Razy ransomware begins encrypting different types of files, including most likely:

  • Audio files.
  • Videos.
  • Image files.
  • Microsoft Office Documents.
  • Files associated with often used programs.

After having encrypted the files, the Razy ransomware appends its distinctive .razy1337 extension to them.

After doing so, Razy ransomware also drops a distinctive ransom note that has the following message addressed to the user:

“YOU GOT INFECTED BY RAZY
All your files have been encrypted with AES 128 bit and you need the key to decrypt your files!
To get the key you need to pa 0.5 bitcoins
If you don’t have bitcoins you can buy it at www.localbitcoins.com
When you bought the bitcoins send me 0.5 bitcoins to the address and leave your ID as message, so we can Identify you!
This window is your only chance to decrypt your files, try anything to get rid of me can destoy the decryption key. You have 24 hours to buy the decryption key. After 24 hours your decryption key will be deleted and all your files will be deleted.”

The virus is also reported to have a timer that counts down 48 hours, along with a pop-up window asking the victim to enter a personal ID in a specific field.
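The indicators described above (the .razy1337 extension and fresh script or executable files of the listed types in the folders the ransomware uses) can be swept for during triage. The helper below is an added example, not the article's or any vendor's tool; the folder names are resolved from the environment and the sample tree it builds is constructed for demonstration.

```python
"""Triage helper for the Razy v2 indicators described in this article (added example,
not the article's or any vendor's tool): walks the given folders and reports files
carrying .razy1337 plus recently written script/executable files of the types the
article lists as possible support modules."""
import os
import tempfile
import time

RANSOM_EXT = ".razy1337"
SUPPORT_MODULE_EXTS = {".cmd", ".bat", ".vbs", ".exe", ".js", ".dll", ".tmp"}

def default_roots():
    """%AppData%, %Local%, %Temp% and %Windows%, resolved from the environment."""
    roots = (os.environ.get(v) for v in ("APPDATA", "LOCALAPPDATA", "TEMP", "WINDIR"))
    return [r for r in roots if r and os.path.isdir(r)]

def triage(roots, max_age_seconds=86400, now=None):
    """Return (encrypted_files, recent_support_module_candidates) found under roots."""
    now = time.time() if now is None else now
    encrypted, candidates = [], []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                if name.lower().endswith(RANSOM_EXT):
                    encrypted.append(path)
                elif os.path.splitext(name)[1].lower() in SUPPORT_MODULE_EXTS:
                    try:
                        age = now - os.path.getmtime(path)
                    except OSError:  # file removed while we were walking
                        continue
                    if age <= max_age_seconds:  # only recently written modules
                        candidates.append(path)
    return sorted(encrypted), sorted(candidates)

def demo():
    """Constructed sample tree: two encrypted documents, one fresh .vbs module
    candidate and one month-old .dll that must not be flagged."""
    base = tempfile.mkdtemp(prefix="razy-triage-")
    for rel in ("docs/report.docx.razy1337", "pics/holiday.jpg.razy1337",
                "appdata/helper.vbs", "appdata/old.dll"):
        os.makedirs(os.path.dirname(os.path.join(base, rel)), exist_ok=True)
        open(os.path.join(base, rel), "wb").close()
    month_ago = time.time() - 30 * 86400
    os.utime(os.path.join(base, "appdata", "old.dll"), (month_ago, month_ago))
    return triage([base])

if __name__ == "__main__":
    enc, mods = demo()
    print(f"{len(enc)} encrypted file(s); {len(mods)} recent support-module candidate(s)")
```

On a live Windows host call `triage(default_roots())`; candidates are leads for inspection, not a verdict, since legitimate installers also drop fresh files into these folders.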

Razy Ransomware – Remove and Restore .Razy1337 files

In order to fully remove Razy's new variant from your computer, we urge you to follow the instructions below, as they are designed to help you delete this ransomware by helping you locate the malicious files. However, bear in mind that the malicious files may be of different types, have different names and be located in various folders.

This is why we advise you to use an advanced anti-malware program to remove all files related to Razy Ransomware completely. After this, it is also advisable to focus on trying to restore your files by using the alternative tools in step "2. Restore files encrypted by Razy" below. They are not 100% guaranteed to work, but since it is not advisable to pay the ransom, they are the best option until malware researchers release a free decryptor for Razy.

Manually delete Razy from your computer

Note! Substantial notification about the Razy threat: Manual removal of Razy requires interference with system files and the registry, so it can cause damage to your PC. Even if your computer skills are not at a professional level, don't worry: you can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Razy files and objects
2. Find malicious files created by Razy on your PC

Automatically remove Razy by downloading an advanced anti-malware program

1. Remove Razy with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by Razy
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
