Remove Realxakepok Ransom Virus and Unlock WinRar Locked Files

A rather unorthodox ransomware variant has been reported to use the well-known archiver WinRar to pack the user's files into password-protected archives. The virus instructs victims to contact the e-mail address Realxakepok@bigmir.net in order to restore their files; the criminals behind that address will most likely reply with instructions for a ransom payment, which may be demanded in BTC or another cryptocurrency. Users are strongly advised not to give in to the demands of the crook(s) behind the ransomware and instead to try the free recovery methods described below after removing the virus with an advanced anti-malware program.

Threat Summary

Name: Realxakepok
Type: Ransomware
Short Description: The ransomware packs the victim's files into password-protected WinRar archives and stores the (reportedly encrypted) password in a key.txt file.
Symptoms: Targeted files are replaced by .rar archives. A pop-up with the ransom instructions appears when an archive is opened in WinRar.
Distribution Method: Spam e-mails, e-mail attachments, file-sharing networks.

Realxakepok Ransomware – Ways It Spreads

Realxakepok is believed to target individual machines rather than organizations, which suggests it is distributed through mass campaigns rather than targeted intrusions. The most common mass-distribution methods for malware are:

  • Via spam e-mail attachments.
  • By using malicious URLs featured in such spam mails or anywhere on the web.
  • By uploading fake executables in websites disguised as legitimate software providing ones.
  • Via adware or other unwanted programs.

After the user opens such a malicious file or link, Realxakepok may be delivered through an exploit kit, malicious JavaScript, or a drive-by download of a Trojan downloader that fetches the ransomware's files onto the machine.

Realxakepok Ransomware – Technical Overview
After a successful infection, the ransomware drops several .bat files on the compromised PC:

  • MY.BAT
  • MY.BAT3
  • MY.BAT4

Malware analysts on security forums report that these files start the following processes, which are visible in Windows Task Manager:

  • cwp
  • chaekgrewege

Realxakepok ransomware also creates the following files:

→ C:/Program Files/Chaekgrewege/chaekgrewegeverifierService.html5
C:/Program Files/Chaekgrewege/chaekgrewegeverifierTask.exe

In addition, Realxakepok creates registry values referencing the Chaekgrewege files.

Once this is done, the file-locking process begins. Realxakepok uses WinRar to archive commonly used file types. The list below is a generic catalogue of common extensions taken from fileinfo.com rather than a set of extensions observed in the malware; some entries in it (.EXE, .DLL, .SYS, .DRV) are system file types that a ransomware cannot archive wholesale without breaking the very machine it expects to ransom, so treat it as indicative only:

→ “.PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV (CAD files) .DWG .DXF (GIS files) .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML .DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX .INI .PRF (encoded files) .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD .SDF .TAR .TAX2014 .TAX2015 .VCF .XML (audio files) .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA (video files) .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV (3D) .3DM .3DS .MAX .OBJ .BMP .DDS .GIF .JPG .CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG” Source: fileinfo.com
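
Because the files are not overwritten with custom ciphertext but packed into ordinary RAR archives, a responder can learn a lot from the archives themselves before worrying about the password. The following is an added example, not code from the original article or from WinRAR: a minimal RAR 4.x header walker that reports whether each entry is password-protected, whether the archive headers themselves are encrypted (WinRar's "encrypt file names" option, after which even the inventory is lost), and the original file names where they are still visible. Field layouts and flag values follow the public RAR 4.x technote and the unrar sources; the sample archive it builds is constructed by hand (no real compression or AES, the entry name invoice.docx is made up), with the flags set the way WinRAR sets them.

```python
"""Walk a RAR 4.x archive header by header without extracting anything.
Added example: not the article's code, not WinRAR's. Constants follow the
public RAR 4.x technote / unrar sources; the sample archive is constructed."""
import struct
import zlib
from typing import Dict

RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"

MAIN_HEAD, FILE_HEAD, END_HEAD = 0x73, 0x74, 0x7B
MHD_PASSWORD = 0x0080   # main header: every following block header is encrypted
LHD_PASSWORD = 0x0004   # file header: file data is encrypted with the password
LHD_LARGE = 0x0100      # 64-bit sizes follow the fixed fields
LHD_UNICODE = 0x0200    # name field holds ANSI name, NUL, then an encoded Unicode name
LHD_SALT = 0x0400       # 8-byte salt follows the name
LONG_BLOCK = 0x8000     # 4-byte ADD_SIZE (data following the header) is present


def inspect_rar4(data: bytes) -> Dict:
    """Summarise what can be learned from the archive without a password."""
    if data.startswith(RAR5_MAGIC):
        return {"format": "rar5", "headers_encrypted": None, "files": []}
    if not data.startswith(RAR4_MAGIC):
        raise ValueError("not a RAR archive")
    result: Dict = {"format": "rar4", "headers_encrypted": False, "files": []}
    pos = len(RAR4_MAGIC)
    while pos + 7 <= len(data):
        head_crc, head_type, head_flags, head_size = struct.unpack_from("<HBHH", data, pos)
        if head_size < 7 or pos + head_size > len(data):
            raise ValueError(f"corrupt or truncated block header at offset {pos}")
        # HEAD_CRC is the low 16 bits of CRC32 over the header bytes after the CRC field
        if head_crc != zlib.crc32(data[pos + 2:pos + head_size]) & 0xFFFF:
            raise ValueError(f"header CRC mismatch at offset {pos}")
        add_size = struct.unpack_from("<I", data, pos + 7)[0] if head_flags & LONG_BLOCK else 0
        if head_type == MAIN_HEAD and head_flags & MHD_PASSWORD:
            # Everything after this block is ciphertext: no names, no sizes, nothing to list.
            result["headers_encrypted"] = True
            break
        if head_type == FILE_HEAD:
            (pack_size, unp_size, _os, _crc, _time, _ver, method,
             name_size, _attr) = struct.unpack_from("<IIBIIBBHI", data, pos + 7)
            off = pos + 7 + 25
            if head_flags & LHD_LARGE:
                high_pack, high_unp = struct.unpack_from("<II", data, off)
                pack_size |= high_pack << 32
                unp_size |= high_unp << 32
                off += 8
            add_size = pack_size                 # the packed (possibly encrypted) data follows
            name = data[off:off + name_size]
            if head_flags & LHD_UNICODE:
                name = name.split(b"\x00", 1)[0]  # keep the ANSI part only
            result["files"].append({
                "name": name.decode("latin-1", "replace"),
                "encrypted": bool(head_flags & LHD_PASSWORD),
                "salted": bool(head_flags & LHD_SALT),
                "stored": method == 0x30,         # 0x30 = no compression, 0x31..0x35 = levels
                "packed_size": pack_size,
                "unpacked_size": unp_size,
            })
        if head_type == END_HEAD:
            break
        pos += head_size + add_size
    return result


def _block(head_type: int, flags: int, body: bytes) -> bytes:
    """One RAR4 block header with a correct HEAD_CRC (used only to build the sample)."""
    rest = struct.pack("<BHH", head_type, flags, 7 + len(body)) + body
    return struct.pack("<H", zlib.crc32(rest) & 0xFFFF) + rest


def build_sample_archive(encrypt_headers: bool = False) -> bytes:
    """Constructed sample, not WinRAR output: one entry 'invoice.docx' (made-up name)
    flagged password-protected; the 'packed data' is a zero placeholder, not real ciphertext."""
    main = _block(MAIN_HEAD, MHD_PASSWORD if encrypt_headers else 0, struct.pack("<HI", 0, 0))
    if encrypt_headers:
        # With MHD_PASSWORD set, WinRAR writes a salt and AES-encrypted headers next;
        # the parser must stop at the main header, so opaque filler is enough here.
        return RAR4_MAGIC + main + bytes(range(64))
    name, payload, salt = b"invoice.docx", b"\x00" * 32, b"\x11" * 8
    fixed = struct.pack("<IIBIIBBHI", len(payload), 1234, 2, 0xDEADBEEF, 0, 29, 0x30, len(name), 0x20)
    entry = _block(FILE_HEAD, LONG_BLOCK | LHD_PASSWORD | LHD_SALT, fixed + name + salt)
    return RAR4_MAGIC + main + entry + payload + _block(END_HEAD, 0, b"")


if __name__ == "__main__":
    for hdr in (False, True):
        print(inspect_rar4(build_sample_archive(encrypt_headers=hdr)))
```

Run it over every .rar the ransomware left behind to get an inventory of what was taken even while the password is unknown; on real archives the names it prints should match what `unrar l` shows. If `headers_encrypted` comes back True, the file names are gone too, and the only remaining lead is key.txt.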

Once the files are archived, WinRar asks for a password every time the user tries to open one of them. Besides the password prompt, Realxakepok presents its demands in a WinRar pop-up window:

→ “All your valuable files are archived indefinitely using
program WinRar.
Password for the archive was generated randomly
and encrypted algorithm used in the military sphere.
This means that no one in the world can not help you
to receive a password, except for me. I’m not the
one who receives money and disappears. In this
case, you will get your 100% data back, but there
is little time restriction on a valid password, so
postpone and believe in miracles not worth it.
Your encrypted password stored on the disk
c: \ key.txt or folder c: \ windows \ key.txt.
It should be sent to e-mail realxakepok@bigmir.net
and discuss payment method
Price password is symbolic twenty five euros.” Source: Bleeping Computer

The ransomware also saves a file named “key.txt” which is reported to contain the password in an encoded or encrypted form. The candidate algorithms named in the reports are:

  • Base64
  • XOR
  • RSA
  • DH
  • AES

These are not equivalent. Base64 is an encoding, not encryption, and a single-byte XOR is undone by trying 255 keys, so if either was used the password can be read straight out of key.txt. Only if the password was genuinely encrypted with a key the attacker holds (RSA, or AES under a key derived from a DH exchange with the attacker's server) is the file useless to the victim, so checking the cheap cases first costs nothing.

So far it is not clear what the password is. The ransom e-mail address realxakepok@bigmir.net is, however, also associated with another threat of the screenlocker type, whose unlock password is believed to be “iamsorrygoodluck”; it is worth trying that string on the archives before anything more expensive.
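
The following is an added example (not code from the original article) of the triage described above: given the bytes of key.txt, it tries the cheap transforms the article lists (Base64, single-byte XOR, and XOR applied after Base64), ranks any readable result as a password candidate, and measures entropy so that genuinely encrypted content (high entropy, no readable interpretation) is recognised as a dead end. The three sample inputs are constructed here to stand in for the three possible cases; the password "iamsorrygoodluck" is the one the article mentions, "Tr0ub4dor&3" is just a placeholder, and the "ciphertext" is a byte permutation, not real RSA or AES output.

```python
"""Triage a Realxakepok-style key.txt: encoded (recoverable) or encrypted (not)?
Added example, not the article's code. Samples below are constructed."""
import base64
import binascii
import math
import string
from collections import Counter
from typing import List, Optional, Tuple

PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
# Characters common in English text and in typical passwords; used only to rank
# candidates, never to accept or reject them.
COMMON = set(b"etaoinshrdlu ETAOINSHRDLU0123456789")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: around 4 or less for text/Base64, close to 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _try_base64(data: bytes) -> Optional[bytes]:
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None


def _candidates_for_layer(label: str, data: bytes) -> List[Tuple[int, str, str]]:
    """Readable interpretations of one layer: as-is, then every single-byte XOR key."""
    found = []
    if data and all(b in PRINTABLE for b in data):
        found.append((sum(b in COMMON for b in data), label, data.decode("ascii")))
    for k in range(1, 256):
        x = bytes(b ^ k for b in data)
        if x and all(b in PRINTABLE for b in x):
            found.append((sum(b in COMMON for b in x), f"{label}+xor(0x{k:02x})", x.decode("ascii")))
    return found


def recover_candidates(key_txt: bytes) -> List[Tuple[str, str]]:
    """(method, candidate_password) pairs, best-ranked first, for the raw file
    contents and, if the file is valid Base64, for the decoded bytes as well."""
    raw = key_txt.strip()
    layers = [("raw", raw)]
    decoded = _try_base64(raw)
    if decoded is not None:
        layers.append(("base64", decoded))
    found = [c for label, data in layers for c in _candidates_for_layer(label, data)]
    found.sort(key=lambda t: t[0], reverse=True)
    return [(method, pw) for _, method, pw in found]


def looks_encrypted(key_txt: bytes, threshold: float = 6.0) -> bool:
    """High entropy after undoing any Base64 and no readable interpretation:
    consistent with RSA/AES output, i.e. not recoverable from key.txt alone."""
    raw = key_txt.strip()
    decoded = _try_base64(raw)
    payload = decoded if decoded is not None else raw
    return shannon_entropy(payload) >= threshold and not _candidates_for_layer("payload", payload)


# Constructed samples standing in for three possible key.txt contents.
SAMPLE_BASE64 = base64.b64encode(b"Tr0ub4dor&3")                  # Base64 only (placeholder password)
SAMPLE_XOR = bytes(b ^ 0x5A for b in b"iamsorrygoodluck")         # single-byte XOR, key 0x5A
SAMPLE_CIPHER = bytes((i * 167 + 13) % 256 for i in range(256))   # stand-in for RSA/AES output

if __name__ == "__main__":
    for name, blob in (("base64", SAMPLE_BASE64), ("xor", SAMPLE_XOR), ("cipher", SAMPLE_CIPHER)):
        print(name, "encrypted:", looks_encrypted(blob), "top candidates:", recover_candidates(blob)[:3])
```

Feed each candidate to the archive rather than guessing by eye, for example `unrar t -p<candidate> archive.rar`, which fails fast on a wrong password. When `looks_encrypted` is True for the real key.txt, stop spending time on it and move on to the shadow-copy and backup options below.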

Remove Realxakepok Ransomware Virus and Try Reverting The Files

Since this virus creates multiple files and registry entries, you can use the information in this article together with the removal instructions below to find and delete them manually in Safe Mode, after ending their processes in Windows Task Manager if they are still running. For maximum effectiveness, however, security experts advise a more automated approach: an advanced anti-malware tool that finds every object Realxakepok created or modified on your computer.

To restore your files you may still have a couple of free options. Realxakepok has not been reported to delete backups or Volume Shadow Copies, so first try the instructions in step “3. Restore files encrypted by Realxakepok Ransomware” below; you can check whether shadow copies still exist by running vssadmin list shadows from an elevated command prompt. Another option is a WinRar password brute-forcer fed with a word list, but RAR password checking is deliberately slow and the ransom note claims the password is random, so this is only realistic if the password turns out to be short or taken from a dictionary. Note that WinRar's developer states it cannot recover lost archive passwords, so contacting the program's support is unlikely to help.

Manually delete Realxakepok from your computer

Note! Important information about the Realxakepok threat: manual removal of Realxakepok requires interfering with system files and the registry and can therefore damage your PC. Even if your computer skills are not at a professional level, don't worry: you can do the removal yourself in about 5 minutes using a malware removal tool.

1. Boot your PC in Safe Mode to isolate and remove Realxakepok files and objects
2. Find malicious files created by Realxakepok on your PC
3. Fix registry entries created by Realxakepok on your PC

Automatically remove Realxakepok by downloading an advanced anti-malware program

1. Remove Realxakepok with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by Realxakepok in the future
3. Restore files encrypted by Realxakepok
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
