Razy ransomware has been released in a second variant, and this time the virus uses more sophisticated and more thoroughly tested code together with an advanced obfuscator. It may still use the AES file encryption algorithm, which leaves the files of affected users unopenable. After infection, Razy also changes the wallpaper and drops a ransom note that notifies the victim and gives instructions on how to pay 0.5 BTC to decrypt their files.
Short Description: The malware encrypts users' files using an AES cipher, which renders them unopenable until a ransom of 0.5 BTC is paid to the cyber-criminals behind the virus.
Symptoms: The user may witness ransom notes and various instructions being dropped that explain the situation. The extension .razy1337 is added to the encrypted files.
Razy Ransomware – More Information
How Is Razy Distributed
To protect the malicious files of the virus from analysis, the cyber-criminals have undertaken very ambitious obfuscation using ConfuserEx, an obfuscator that has been released publicly on GitHub as open source. The obfuscator conceals the inner workings of the files belonging to Razy Ransomware, so the infection can run on the user's computer while remaining unnoticed by security software.
The ConfuserEx obfuscator has many features, the primary of them being:
- Constant encryption and resource encryption.
- Compressing the output.
- Anti-tampering.
- Anti-memory-dumping.
- Anti-debugger and anti-profiler checks.
- Control-flow obfuscation.
The obfuscated payload may be bundled with other files via software known as file joiners and then spread online through different methods, such as:
- Spam e-mail messages.
- Fake programs.
- Fake key generators or game patches and cracks uploaded on torrent websites.
- Combined with modified installers of legitimate programs.
Razy Ransomware 2.0 – Post-Infection Activity
After infecting the system, the ransomware creates several different files on the computer, located in key Windows folders, such as:
The files may be different support modules, each performing a different activity, and they can be of different executable or system file types, such as:
→ .cmd, .bat, .vbs, .exe, .js, .dll, .tmp
The virus then modifies registry entries so that it runs every time Windows starts.
Once the registry has been modified, the second variant of Razy ransomware begins encrypting different types of files, most likely including:
- Audio files.
- Image files.
- Microsoft Office Documents.
- Files associated with commonly used programs.
After encrypting the files, Razy ransomware appends its distinctive file extension, and the encrypted files appear like the following:
After doing so, Razy ransomware also drops a distinctive ransom note that has the following message addressed to the user:
“YOU GOT INFECTED BY RAZY
All your files have been encrypted with AES 128 bit and you need the key to decrypt your files!
To get the key you need to pay 0.5 bitcoins
If you don’t have bitcoins you can buy it at www.localbitcoins.com
When you bought the bitcoins send me 0.5 bitcoins to the address and leave your ID as message, so we can Identify you!
This window is your only chance to decrypt your files, trying anything to get rid of me can destroy the decryption key. You have 24 hours to buy the decryption key. After 24 hours your decryption key will be deleted and all your files will be deleted.”
The virus is also reported to display a countdown timer set to 48 hours, along with a pop-up window asking the victim to enter a personal ID in a specific field.
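The two host-based indicators the article describes, the appended .razy1337 extension and the opening line of the ransom note, are enough for a first incident-response triage of a suspect machine or a mounted disk image. The script below is an added example, not code from the article or from the malware; it walks a directory tree, lists files carrying the extension, flags ransom-note copies, and measures the Shannon entropy of each flagged file's first bytes so that files that merely received the extension without being AES-encrypted (low entropy) are separated from genuinely encrypted ones. The sample tree built by `demo()` is constructed for the example and the entropy threshold of 6.0 bits per byte is an assumption.

```python
import math
import os
import tempfile
from collections import Counter

# Indicators taken from the article: extension appended to encrypted
# files and the first line of the dropped ransom note.
RAZY_EXTENSION = ".razy1337"
RANSOM_NOTE_MARKER = b"YOU GOT INFECTED BY RAZY"
LOW_ENTROPY_LIMIT = 6.0  # assumed threshold; AES output sits near 8.0 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`; 0.0 for a constant run, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_tree(root: str, sample_size: int = 4096) -> dict:
    """Collect Razy indicators below `root` into three lists of paths:
    encrypted (has the extension), ransom_notes (contains the marker),
    low_entropy (has the extension but the content does not look encrypted)."""
    result = {"encrypted": [], "ransom_notes": [], "low_entropy": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sample_size)  # a sample is enough for entropy
            except OSError:
                continue  # unreadable file: skip rather than abort the triage
            if name.lower().endswith(RAZY_EXTENSION):
                result["encrypted"].append(path)
                if shannon_entropy(head) < LOW_ENTROPY_LIMIT:
                    result["low_entropy"].append(path)
            elif RANSOM_NOTE_MARKER in head:
                result["ransom_notes"].append(path)
    return result


def original_name(encrypted_path: str) -> str:
    """Strip the appended extension to recover the pre-encryption file name."""
    base = os.path.basename(encrypted_path)
    return base[:-len(RAZY_EXTENSION)] if base.lower().endswith(RAZY_EXTENSION) else base


def demo() -> dict:
    """Triage a constructed sample tree (not real malware output); returns base names."""
    samples = {
        "report.docx.razy1337": os.urandom(4096),          # stand-in for AES output
        "empty.razy1337": b"A" * 256,                       # extension only, not encrypted
        "README.txt": RANSOM_NOTE_MARKER + b"\nAll your files have been encrypted",
        "notes.txt": b"quarterly figures, nothing unusual here",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, content in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        found = scan_tree(root)
    return {k: sorted(os.path.basename(p) for p in v) for k, v in found.items()}
```

On a real case, point `scan_tree` at the mounted volume and record the `encrypted` list before any cleanup so that the original names recovered by `original_name` can be matched against backups.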
Razy Ransomware – Remove and Restore .Razy1337 files
In order to fully remove Razy's new variant from your computer, we urge you to follow the instructions below, as they are designed to help you delete this ransomware by locating its malicious files. However, bear in mind that the malicious files may be of different types, have different names, and be located in various folders.
This is why we advise you to use an advanced anti-malware program to remove all files related to Razy Ransomware completely. After this it is also advisable to focus on trying to restore your files by using the alternative tools in step "2. Restore files encrypted by Razy" below. They are not guaranteed to work, but since paying the ransom is not advisable, they are the best option until malware researchers release a free decryptor for Razy.