Encryptor RaaS – How to Remove It and Restore Encrypted Files - How to, Technology and PC Security Forum | SensorsTechForum.com

Encryptor RaaS – How to Remove It and Restore Encrypted Files

Encryptor RaaS is a devastating trojan horse that causes quite the headaches. Symantec researchers have reported a new wave of encryptor RaaS hitting users on a global scale. This particular ransomware is detected to slip into the user system, modify user settings after which scan user files and encrypt them. The trojan can support many file extensions and encrypt as many files as possible and it even may encrypt files in external drives, such as USB, memory card or even external HDD or SSD drives.

NameEncryptor RaaS
TypeRansomware Trojan
Short DescriptionThe trojan encrypts user files asking ransom money for their decryption
SymptomsUsers may witness different files of their computer becoming corrupt all of a sudden plus the ransom message text file and their browser may open with additional instructions.
Distribution MethodVia malicious mail attachments, malicious URLs
Detection ToolDownload Malware Removal Tool, to See If Your System Has Been Affected by Encryptor RaaS
User ExperienceJoin our forum to discuss about Encryptor RaaS Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Encryptor RaaS Ransomware – How Did I Get It?

One way you may have gotten this nasty virus infection is by simply opening a malicious mail attachment. There are many spammers who distribute malware like Encryptor RaaS via spam messages that may resemble something important. Examples may be email from Microsoft, eBay or any other reputable services. The mail may contain a legitimate attachment such as .docx, .pdf and others. However, it may also have a second attachment which may be a malicious .exe, .bat, .dll or .tmp file. In some situations even the documents may be infected. For example, there have been cases with infected Microsoft Word .docx macros.

Encryptor RaaS – More about It

Symantec engineers report that once this ransomware has been activated on your computer it creates a read me file, going by the name “readme_liesmich_encryptor_raas.txt” in the %SystemDrive% directory. After it has done that it creates a registry entry in the Run key with a value for the %SystemDrive% folder itself:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\|||RANDOM CHARACTERS|||=”%SystemDrive% /SkipReg”

After doing so the trojan directly begins to encrypt files containing the following file extensions.

→.doc .docm .docx .txt .jpg .xls .xlsx .zip .7z .flac .aup .ogg .rat .tiff .lzma .mp4 .torrent .gz .m4v .cpp .h .ova .avi .bak .data .rtf .ico .img .php .php3 .php5 .dmg .mp3 .mp4 .iso .wav .mpeg .mpg .jar .webm .java .sln .msg .jpeg .png .pdf .bmp

After doing so the trojan opens up the previously created “readme_liesmich_encryptor_raas.txt” file. It contains the following message:

The files on your computer have been securely encrypted by Encryptor RaaS.
To get access to your files again, follow the instructions at:
|||Random web link|||
Die Datelen auf ihrem computer wurden von Encryptor RaaS sichen verschluesselt. Um den Zugriff auf ihre Datelen wiederzuerlangen. Folgen Sie die Anleitung auf:
|||Random web link|||”

The ransomware also opens up a page in the web browser with additional demands to decrypt the victim’s files.
More about it, the RaaS stands for Ransomware as a service and it is offered by cyber-criminals to third-parties. The ransomware uses onion networking (Tor) in its web links in order to remain anonymous since such networking is very random and effective. Tor networking uses encrypted connection because the packets travel via a random network of onion networking`s computers in encrypted encapsulation which is decrypted in the exit node, i.e the last Tor computer it exits from. The randomness of the signal passing through makes Tor networking the perfect choice for cyber criminals who use RaaS.
ESG security researchers report that unlike its predecessor Tox, this operation is particularly less sophisticated and very effective because of that. What is unique about it is that Encryptor RaaS contains Java associated references to DLL files with makes it partly Java-based – something new for ransomware.
The ransomware features prompts to pay in BitCoin and what is more it may encrypt files differently based on their file formats. The good news is that the ransomware may use several different algorhitms and may not encrypt an entire file, but only the first portion of the file`s code which is a hope for any affected users out there.

Removing Encryptor RaaS Completely

In order to remove this nasty infection from your computer, you need to be very cautious. Before conducting any removals, make sure that you have all your necessary encrypted files backed up somewhere else. After this is done, you should follow these instructions and install an advanced anti-malware tool to remove all associated files with this cyber-threat:

1. Boot Your PC In Safe Mode to isolate and remove Encryptor RaaS
2. Remove Encryptor RaaS with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections and file encryptions by Encryptor RaaS in the future

Decrypting Encrytor RaaS Files

The decryption process may be very lengthy and it may not even work. But do not worry because you may succeed after all. Many users have successfully decrypted their files because they have just tried decrypting different files, not just one. Once one key is discovered there is a significant chance that other files can be decrypted using the very same key with a specific tool.

Here are instructions for trying to decrypt files encrypted via the RSA encryption algorhitm:


And here is more info about trying to decrypt RSA algorithm via Ubuntu (tech savvy users).


Also, here is a web link to kaspersky decryption tools since the trojan may use different algorithms:

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website


  1. Harhur

    Hello, I have this problem
    has anyone already test a successful way to decrypt the files?
    I have a lot of files encrypted and I have a lot of the in original (Back up :))
    that should make is easyser to find the key, shouldn’t it? can anyone advice a solution?

  2. Vencislav Krustev (Post author)

    Hello, Harhur

    Is it possible for you to send 2 encrypted files with 2 original ones and maybe 5 or 10 encrypted files to the following e-mail address:

    [email protected]

    Make sure you name the subject of the email: “Harhur” so we know it came from you. We will try with several decryption tools on a PC configured for that and let you know eventually what happened and if it is possible or not.


    1. Harhur

      hello mr Krutev,
      you are great man, I will send them immediatly..

    2. Harhur

      do you have another email frome some reason my mail is always comming back (can not be deliverd)

  3. Harhur

    Hello again,
    I forgot to write that I already tried the Kaspersky tools and they did not work.
    the files are encrypted but the end dose not change so .docx or .pdf is still the same but it is not possible to open them (office says the file is damaged)
    I will be thankful for any advice I would also send some files (encrypted and original) to anyone who would try to find a solution

  4. Abhi

    I have read that the developer of this malware have del all the keys already and no service is actually available and those whose file is encrypted will be encrypted now Holy shit!

  5. zabeti

    comma récupéré fichier crypte?


Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share