Remove Rackcrypt MVP Locker Ransomware and Restore .rack Files - How to, Technology and PC Security Forum | SensorsTechForum.com

Remove Rackcrypt MVP Locker Ransomware and Restore .rack Files

New crypto-malware has been detected out in the wild. It is called Rackcrypt and it is also known as MVP Locker. It claims to use a strong AES-256 encryption algorithm to encrypt infected users’ files and extort them for the decryption. This type of ransomware is reported to be entering user systems via malicious executables concealed in a key Windows directory. It supports a variety file types to scan for and encrypt, and its algorithm is military grade. However, users who have been affected by this ransomware are strongly advised not to pay the ransom money and use special software to remove Rackcrypt and restore their files, instructions for which are provided after this article.

NameRackcrypt
TypeRansomware
Short DescriptionThe crypto-virus encrypts user files with .rack extensions and may use AES-256 encryption algorhithm, demanding 1.3 BTC to decrypt the data.
SymptomsThe user may witness his files to become of an unfamiliar origin with the .rack extension.
Distribution MethodVia different malicious sites.
Detection ToolDownload Malware Removal Tool, to See If Your System Has Been Affected by Rackcrypt
User Experience Join our forum to discuss Rackcrypt.

Rackcrypt Ransomware – How Does It Spread

Microsoft malware researchers have observed samples of the threat in their report, and they have established this malware to spread via malicious executables. Such executables may contain the following names:

  • Setup.exe
  • Firefox.exe
  • Activator.exe
  • Smsss.exe

The executables may be downloaded onto the victim’s PC from websites that are dangerous and distribute the malware disguised based on what the user is looking for. For example, if you search for a certain program the website may automatically generate a file, named ‘yourprogramname.exe’ tricking you into downloading the actual setup of the software you are looking for. There may be other methods of distribution such as malicious executables uploaded on file sharing sites or in suspicious torrents.

Rackcrypt Ransomware – What Does It Do?

Once activated on the computer, the ransomware immediately drops a malicious module in the %temp% Windows folder. After doing so, according to Microsoft, It adds the following registry keys with values and data:

In HKU\Administrator\mvpdata the value “launches” with data “ (REG_DWORD)”
In HKU\Administrator\mvpdata the value “day” with data “ (REG_DWORD)”
In HKU\Administrator\mvpdata the value “done” with data “ (REG_DWORD)”
In HKCU\Control Panel\Desktop the value “Wallpaper” with data “%Windows%\Web\Wallpaper\rack.jpg”

The value for the wallpaper aims to set the picture “rack.jpg” that may contain the ransom instructions as a wallpaper.
After the ransomware has been set up on your computer, it begins the encryption process. Its payload modules are programmed to scan and encrypt files that have the following extensions:

.3fr .7z .accdb .ai .ank .apk .arch00 .arw .asset .avi .bar .bay .bc6 .bc7 .big .bik .bkf .bkp .blob .bmp .bsa .cas .cdr .cer .cfr .cpp .cr2 .crt .crw .css .csv .d3dbsp .das .dat .dazip .db0 .dba .dbf .dcr .der .desc .dmp .dng .doc .docm .docx .dwg .dxg .epk
.eps .erf .esm .et .ff .flv .forge .fos .fpk .fsh .gdb .gho .hkdb .hkx .hplg .hpp .hvpl .ib .icxs .indd .itdb .itl .itm .iwd .iwi .jpe .jpeg .jpg .js .kdb .kdc .kf .layout .lbf .litemod .lrf .ltx .lvl .m2 .m3u .m4a .map .mcmeta .mdb .mdbackup .mddata .mdf .mef .menu
.mlx .mov .mp3 .mp4 .mpqge .mrwref .ncf .nrw .ntl .odb .odc .odm .odp .ods .odt .orf .p12 .p7b .p7c .pak .pas .pdd .pdf .pef .pem .pfx .pkpass .png .ppt .pptm .pptx .psd .psk .pst .ptx .py .qdf .qic .r3d .raf .rar .raw .rb .re4 .rgss3a .rim .rofl .rtf .rw2
.rwl .sav .sb .sid .sidd .sidn .sie .sis .slm .snx .sql .sr2 .srf .srw .sum .svg .syncdb .t12 .t13 .tax .tor .txt .upk .vcf .vdf .vfs0 .vpk .vpp_pc .vtf .w3x .wall .wb2 .wma .wmo .wmv .wotreplay .wpd .wps .x3f .xf .xlk .xls .xlsb .xlsm .xlsx .xxx .zip .ztmp

After the files have been encrypted, they can be identified with the “.rack” extension specific for this ransomware variant. An example of an encrypted document may be:

New Text Document.txt.rack

When the user attempts to open an encrypted file, there is an error message from Windows may display a pop-up saying the file is corrupt or open the Window that helps the user find a program to open the encrypted file with. Removing the “.rack” file extension does not fix the program and when the file has been opened as a .txt the information is displayed with encrypted symbols, for example:

encrypted-text-document-rack-sensorstechforum

After encrypting the user files, the ransomware drops the following files:

  • Rackfiles.txt – (shows the user a list of the encrypted files)
  • Rack.jpg – (wallpaper with the ransom message)
  • Rackinfo.txt – (displays more information about what happened to the files)

These files may be located either in the %Temp% directory or others and they aim to provide the user with instructions on what the situation is and scare him/her into paying the ransom money to the cyber-criminals in bitcoins.

The instructions in the ransom messages are the following:

“Hi,
We are sorry to tell you, but all your files on this PC were encrypted using strongest AES-256 encryption algorithm and you can personally verify this by pressing “files” button below or do this manually.
What can I do?
Despite that, you still has a chance to get all your data back in a 3 days period. For further information about unlocking process please use “info” button below. Please do not try to eliminate this program in case you want to get your files back.
Bicoin Wallet
You should use this address to send a payment. It costs around 300 USD (1.3 BTC) .
Use “copy” button to copy wallet address to clipboard.
(Contains uppercase, lowercase and digits)
Unlock
We will verify your payment status within 2-3 hours after transaction. Please be patient since it’s manual process. In case you made a payment, but decryption process won’t start, use this e-mail to contact us:
[email protected]

The ransomware also has several buttons in its pop-up one of which leads to the following .txt file:

text-sensorstechforum-rack

If a user clicks on the “Decrypt” button, it displays a pop-up message claiming the payment hasn’t been made yet or is currently being processed.

Remove Rackrypt Completely and Restore .rack Files

Before we start, keep in mind that you have the option to pay the ransom money of 300 USD even though it is no guarantee you will get your files back. If you remove the malware you will not be able to pay them. Otherwise, in order to remove this malware, it is important to first backup the encrypted files to another device since it may delete them if you try to remove it. Then, it is highly recommended to follow the step-by-step manual illustrated after this article to isolate and remove the malicious files and clean up your registries.

1. Boot Your PC In Safe Mode to isolate and remove Rackcrypt
2. Remove Rackcrypt with SpyHunter Anti-Malware Tool
3. Back up your data to secure it against infections and file encryption by Rackcrypt in the future
4. Restore files encrypted by Rackcrypt
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.