A Trojan-Ransom program has been detected in the wild. As a matter of fact, the threat was first discovered in 2011, but has been recently revived. It is dubbed Trojan/Win32.Rector.a[Ransom] and allows attackers to steal important information from the attacked system. Also, Trojan/Win32.Rector.a[Ransom] can destroy certain files and perform a number of malicious operations. The file-encrypting Trojan runs on Microsoft 32-bit operating systems. It affects files with the following extensions: JPG, DOC, PDF and RAR.
Rector, as security researchers call it for short, is designed to download malicious applications and execute them with the user’s initial knowledge or consent. Luckily, Kaspersky has found a solution to the malicious file encryptor that doesn’t require payment.
Rector has been detected under several other names by different anti-virus programs. Microsoft detects it as Trojan:Win32/Orsam!rts, and Avira as TR/Ransom.Rector.A.
Trojan/Win32.Rector.a[Ransom] Distribution Method
The file-encrypting Trojan may have entered the system through drive-by downloads, opening corrupted links or downloading infected files (programs, torrents). Such cyber threats may also be capable of exploiting vulnerabilities in network services. To stay safe, the user should pay close attention to incoming emails, especially when the sender appears unknown. Also, downloading free software from secure sources is highly advisable.
Trojan/Win32.Rector.a[Ransom] Classification and Description
As already mentioned, once activated on a system, the Trojan ransomware will attempt to alter the user’s data so that it cannot be used anymore. As a result, the user will receive a ransom message written in Cyrillic, asking for a fee to be paid so that the files are deciphered. Trojan/Win32.Rector.a[Ransom] also gets in the way of the PC’s normal performance.
Once the fee is paid, the user should receive an application that should be used to restore the encrypted data. However, security experts always highlight the fact that, with ransomware, paying the ransom doesn’t necessarily mean data restoration. The safest way to protect one’s PC from such attacks is backing up important files. A USB device can be used, or a cloud service.
Trojan/Win32.Rector.a[Ransom] RectorDecryptor Tool
Kaspersky has just released a simple tool that removes all traces of Trojan/Win32.Rector.a[Ransom], as well as Xorast, Hanar or Rakhni. The utility is called RectorDecryptor and is designed to scan hard drives and detect encrypted files. It is recommended to move the affected files to a separate directory and save any opened documents before scanning the system via the utility.
Furthermore, a log file is created on the local disk, so that the RectorDecryptor’s actions are observed.
NB! Even though Kaspersky’s solution can be used on systems affected by Trojan/Win32.Rector.a[Ransom], it cannot be used as permanent anti-virus protection. RectorDecryptor is set to run alongside the primary anti-malware solution installed on the PC.
A helpful video is provided below the article, explaining how malware works and how to guard the system against its numerous variants.