New Razy v2 Ransomware – Remove It and Restore .razy1337 Files - How to, Technology and PC Security Forum

Razy ransomware has been released in a second variant, and this time the virus uses more sophisticated, thoroughly checked code as well as an advanced obfuscator. It may still employ the AES file encryption algorithm, which leaves the affected users' files no longer openable. After infection, Razy also changes the wallpaper and adds a ransom note with instructions on how to pay the sum of 0.5 BTC to decrypt the files.

Threat Summary



Short Description: The malware encrypts users' files using an AES cipher, which renders them unopenable until a ransom of 0.5 BTC is paid to the cyber-criminals behind the virus.
Symptoms: The user may see ransom notes and various instructions being dropped that explain the situation. The extension .razy1337 is added to the encrypted files.
Distribution Method: Via an exploit kit, DLL file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.

Razy Ransomware – More Information

How Does Razy Distribute

In order to replicate the malicious files of the virus, the cyber-criminals have undertaken very ambitious obfuscation using the ConfuserEx obfuscator, which has been released publicly on GitHub as open-source code. This obfuscator aims to conceal the malicious files belonging to Razy Ransomware so that the infection goes unnoticed by any security software on the user's computer.

The ConfuserEx obfuscator has many features, the primary of them being:

  • Constant encryption and Resource encryption.
  • Compressing output.
  • Anti tampering.
  • Anti memory dumping.
  • Anti debuggers or profilers.
  • Obfuscation of Control flow.

The obfuscated files may be combined with other files via software known as file joiners and uploaded online via different methods such as:

  • Spam e-mail messages.
  • Fake programs.
  • Fake key generators or game patches and cracks uploaded on torrent websites.
  • Combined with modified installers of legitimate programs.

Razy Ransomware 2.0 – Post-Infection Activity

After having infected the user, the ransomware creates several different files on the computer, which are located in key Windows folders, such as:

  • %AppData%
  • %Roaming%
  • %Local%
  • %Temp%
  • %Windows%

The files may be different support modules, each performing a different activity, and they could be of different executable or system types, such as:

→ .cmd, .bat, .vbs, .exe, .js, .dll, .tmp

The virus then begins to modify registry entries so that it runs every time Windows starts.

After they are modified, the second variant of Razy ransomware begins encrypting different types of files, including most likely:

  • Audio files.
  • Videos.
  • Image files.
  • Microsoft Office Documents.
  • Files associated with often used programs.

After having encrypted the files, the Razy ransomware appends its distinctive .razy1337 file extension to the encoded files.


After doing so, Razy ransomware also drops a distinctive ransom note that has the following message addressed to the user:

“All your files have been encrypted with AES 128 bit and you need the key to decrypt your files!
To get the key you need to pa 0.5 bitcoins
If you don’t have bitcoins you can buy it at
When you bought the bitcoins send me 0.5 bitcoins to the address and leave your ID as message, so we can Identify you!
This window is your only chance to decrypt your files, try anything to get rid of me can destoy the decryption key. You have 24 hours to buy the decryption key. After 24 hours your decryption key will be deleted and all your files will be deleted.”

The virus is also reported to have a timer set to count down 48 hours, along with a pop-up window asking the user to enter a personal ID in a specific field.
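The post-infection indicators described in this section can be checked with a small triage script. This is an added example, not part of the original article or any vendor tool; the mapping of the listed folders to the user profile, `TEMP` and `WINDIR`, and the 24-hour default window, are assumptions.

```python
import os
import time
from pathlib import Path

ENCRYPTED_EXT = ".razy1337"  # extension the article says is appended
# File types the article lists for the dropped support modules.
DROPPER_EXTS = {".cmd", ".bat", ".vbs", ".exe", ".js", ".dll", ".tmp"}


def default_roots():
    """Assumed mapping of the article's folders: the user profile (which
    holds AppData Roaming/Local) plus the TEMP and WINDIR directories."""
    found = [Path.home()]
    found += [Path(os.environ[v]) for v in ("TEMP", "WINDIR") if v in os.environ]
    return [p for p in found if p.is_dir()]


def triage(roots, window_hours=24, now=None):
    """Return (encrypted, recent_droppers) as sorted lists of paths.

    recent_droppers are files of a listed type modified within
    window_hours (an assumed default) of the newest encrypted file,
    or of `now` when no encrypted file exists.
    """
    encrypted, candidates = {}, {}  # dicts de-duplicate overlapping roots
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = Path(dirpath) / name
                try:
                    mtime = path.stat().st_mtime
                except OSError:  # locked or vanished file: skip it
                    continue
                suffix = path.suffix.lower()
                if suffix == ENCRYPTED_EXT:
                    encrypted[path] = mtime
                elif suffix in DROPPER_EXTS:
                    candidates[path] = mtime
    # Anchor the window on the encryption run when there is one.
    anchor = max(encrypted.values(), default=now or time.time())
    limit = window_hours * 3600
    recent = [p for p, m in candidates.items() if abs(anchor - m) <= limit]
    return sorted(encrypted), sorted(recent)


if __name__ == "__main__":
    enc, drops = triage(default_roots())
    print(f"{len(enc)} file(s) carry {ENCRYPTED_EXT}")
    for p in drops:
        print("review:", p)
```

The files it lists for review are candidates only; legitimate software also writes files of these types to the same folders.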

Razy Ransomware – Remove and Restore .Razy1337 files

In order to fully remove Razy’s new variant from your computer, we urge you to follow the instructions below, as they are designed to help you delete this ransomware by locating the malicious files. However, bear in mind that the malicious files may be of different types, have different names and be located in various folders.

This is why we advise you to use an advanced anti-malware program to remove all files related to Razy Ransomware completely. After this, it is also advisable to focus on trying to restore your files by using the alternative tools in step “2. Restore files encrypted by Razy” below. They are not 100% guaranteed to work, but since it is not advisable to pay the ransom, they are the best option until malware researchers release a free decryptor for Razy.


Ventsislav Krastev
