Remove FILE RIPPER Ransomware and Restore .RIP Encrypted Files - How to, Technology and PC Security Forum | SensorsTechForum.com
THREAT REMOVAL

Remove FILE RIPPER Ransomware and Restore .RIP Encrypted Files

This article has been created to demonstrate how to remove the newly emerged FileRipper ransomware and how to restore AES encrypted files with .rip extension.

The ransomware menace is gaining more and more popularity as newer and newer ransomware versions come out on a daily basis. Such virus is the FILE RIPPER ransomware infection. It aims to encrypt your files using the AES encryption and then asks you to contact the cyber-criminal to decrypt the files. The demands are stated in a ransom note file, named #HOW_TO_UNRIP#.txt. If you are among the victims off this virus, you should read this article.

Threat Summary

NameFILE RIPPER
TypeRansomware, Cryptovirus
Short DescriptionEncrypts the files using AES cipher and then demands to contact the attackers for decryption.
SymptomsFiles are encrypted with an added .rip file extension and a ransom note accompanying the lock-screen above are dropped.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by FILE RIPPER

Download

Malware Removal Tool

User ExperienceJoin Our Forum to Discuss FILE RIPPER.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

How Does FILE RIPPER Infect?

The infection process of FILE RIPPER ransomware is conducted via several different types of methods, the main of which is via spam e-mails that carry malicious e-mail attachments. One of the attachments used to infect with FILE RIPPER ransomware is a fake invoice with name, such as the following – Invoice_22104.pdf.exe. The file pretends to be a .PDF document but in fact it is an executable type of file that is a loader, in other words, drops the malicious files of FILE RIPPER on your computer.

FILE RIPPER Ransomware – Analysis

When FILE RIPPER infects your computer, it becomes immediately evident. The ransomware first, drops it’s payload files via the fake .PDF loader. They are several files plus a newly created folder:

  • file_ripper.exe
  • file_unripper.exe
  • HTTest

Among the activity of FILE RIPPER on the infected computer computer, is that the virus may display the following error message:

“Missing Dependency
The dependency PDFProcessor has not been found. It will now be downloaded and installed.
{OK}”

After this the virus adds a lockscreen on the victim’s computer which has a deadline timer of around 3 days left to contact the cyber-criminals. The ransom note has the following message:

YOUR FILES ARE KILLED
All your photos. videos. music, documents and other important files have been encrypted by the FILE RIPPER Ransomware!
You can find your unique ID in #HOW_TO_UNRIP#.txt files.
Ifyou are seeing this message it means this ransomware was not blocked byyour AV
This is just an educational project and might get publiced on ThePCSecurityChannel Forum for some testing.
If you got this example from TPSC feel free to inform me about what AV you used etc.
Ifyou got this ransomware from somewhere else. contact Danny @ forumthepesecuritychannelcom to get the decryption key for
free.
Ifyou want the decryption key(becauseyou for example ran it on your host PC which is not recommended) just contact me!
Give Me My Files Back!

In addition to this, FILE RIPPER may also create multiple other support files on the victim’s computer and also establish connection to the host superluckyblock(dot)16mb(dot)com.

After this has been completed, the virus may begin to interfere with the Shadow Volume Service and delete the shadow copies from the infected computer.

Another activity the FILE RIPPER ransomware may be involved with is to run automatically when your computer starts. One way to check this is to go to the Run and RunOnce keys and see if there are registry strings that are created with the location of the malicious files reported above.

FILE RIPPER Ransomware – Encryption Process

The encryption of this virus is comprised by mechanisms that aim for one thing only – to cripple your files so that you will no longer be able to open them. But FILE RIPPER does not just target any type of file. The virus is very careful to skip crucial Windows files, which are essential. Instead it looks for specific file types, like documents, images, music, videos, archives and other important files.

For the encryption process, FILE RIPPER uses the Advanced Encryption Algorithm, also known as AES cipher. It aims to replace blocks of data from the original files with data from the cipher. This makes the files not able to be opened by any type of software. In addition to this, the .rip file extension is added as a suffix to the files, making them look like the following:

Remove FILE RIPPER and Restore .rip Files

Before beginning the removal process of FILE RIPPER ransomware, we recommend you to focus on backing up your essential files, despite the fact that they might still be encrypted.

Then, you can proceed removing FILE RIPPER, preferably by following the removal instructions underneath. However, since FILE RIPPER is from the ransomware kind, it may situate different objects that may present a difficulty for you to remove manually and this may be risky for your OS. This is the primary reason why experts advise to use an automatic ransomware-oriented removal tool which aims to make sure that all of the objects related to FILE RIPPER are automatically deleted.

If you have removed this file encryption virus, you can try and restore your files using the alternative steps below in “2. Restore files encrypted by FILE RIPPER.” The steps themselves have been designed to help you restore as many files as possible. In the meantime, we also advise you to check this blog post as we will update it as soon as there is a decryption tool available for the FILE RIPPER threat.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...