New crypto-malware has been detected out in the wild. It is called Rackcrypt and it is also known as MVP Locker. It claims to use a strong AES-256 encryption algorithm to encrypt infected users’ files and extort them for the decryption. This type of ransomware is reported to be entering user systems via malicious executables concealed in a key Windows directory. It supports a variety file types to scan for and encrypt, and its algorithm is military grade. However, users who have been affected by this ransomware are strongly advised not to pay the ransom money and use special software to remove Rackcrypt and restore their files, instructions for which are provided after this article.
|Short Description||The crypto-virus encrypts user files with .rack extensions and may use AES-256 encryption algorhithm, demanding 1.3 BTC to decrypt the data.|
|Symptoms||The user may witness his files to become of an unfamiliar origin with the .rack extension.|
|Distribution Method||Via different malicious sites.|
|Detection Tool||Download Malware Removal Tool, to See If Your System Has Been Affected by Rackcrypt|
|User Experience||Join our forum to discuss Rackcrypt.|
Rackcrypt Ransomware – How Does It Spread
Microsoft malware researchers have observed samples of the threat in their report, and they have established this malware to spread via malicious executables. Such executables may contain the following names:
The executables may be downloaded onto the victim’s PC from websites that are dangerous and distribute the malware disguised based on what the user is looking for. For example, if you search for a certain program the website may automatically generate a file, named ‘yourprogramname.exe’ tricking you into downloading the actual setup of the software you are looking for. There may be other methods of distribution such as malicious executables uploaded on file sharing sites or in suspicious torrents.
Rackcrypt Ransomware – What Does It Do?
Once activated on the computer, the ransomware immediately drops a malicious module in the %temp% Windows folder. After doing so, according to Microsoft, It adds the following registry keys with values and data:
→In HKU\Administrator\mvpdata the value “launches” with data “
In HKU\Administrator\mvpdata the value “day” with data “
In HKU\Administrator\mvpdata the value “done” with data “
In HKCU\Control Panel\Desktop the value “Wallpaper” with data “%Windows%\Web\Wallpaper\rack.jpg”
The value for the wallpaper aims to set the picture “rack.jpg” that may contain the ransom instructions as a wallpaper.
After the ransomware has been set up on your computer, it begins the encryption process. Its payload modules are programmed to scan and encrypt files that have the following extensions:
→ .3fr .7z .accdb .ai .ank .apk .arch00 .arw .asset .avi .bar .bay .bc6 .bc7 .big .bik .bkf .bkp .blob .bmp .bsa .cas .cdr .cer .cfr .cpp .cr2 .crt .crw .css .csv .d3dbsp .das .dat .dazip .db0 .dba .dbf .dcr .der .desc .dmp .dng .doc .docm .docx .dwg .dxg .epk
.eps .erf .esm .et .ff .flv .forge .fos .fpk .fsh .gdb .gho .hkdb .hkx .hplg .hpp .hvpl .ib .icxs .indd .itdb .itl .itm .iwd .iwi .jpe .jpeg .jpg .js .kdb .kdc .kf .layout .lbf .litemod .lrf .ltx .lvl .m2 .m3u .m4a .map .mcmeta .mdb .mdbackup .mddata .mdf .mef .menu
.mlx .mov .mp3 .mp4 .mpqge .mrwref .ncf .nrw .ntl .odb .odc .odm .odp .ods .odt .orf .p12 .p7b .p7c .pak .pas .pdd .pdf .pef .pem .pfx .pkpass .png .ppt .pptm .pptx .psd .psk .pst .ptx .py .qdf .qic .r3d .raf .rar .raw .rb .re4 .rgss3a .rim .rofl .rtf .rw2
.rwl .sav .sb .sid .sidd .sidn .sie .sis .slm .snx .sql .sr2 .srf .srw .sum .svg .syncdb .t12 .t13 .tax .tor .txt .upk .vcf .vdf .vfs0 .vpk .vpp_pc .vtf .w3x .wall .wb2 .wma .wmo .wmv .wotreplay .wpd .wps .x3f .xf .xlk .xls .xlsb .xlsm .xlsx .xxx .zip .ztmp
After the files have been encrypted, they can be identified with the “.rack” extension specific for this ransomware variant. An example of an encrypted document may be:
→New Text Document.txt.rack
When the user attempts to open an encrypted file, there is an error message from Windows may display a pop-up saying the file is corrupt or open the Window that helps the user find a program to open the encrypted file with. Removing the “.rack” file extension does not fix the program and when the file has been opened as a .txt the information is displayed with encrypted symbols, for example:
After encrypting the user files, the ransomware drops the following files:
- Rackfiles.txt – (shows the user a list of the encrypted files)
- Rack.jpg – (wallpaper with the ransom message)
- Rackinfo.txt – (displays more information about what happened to the files)
These files may be located either in the %Temp% directory or others and they aim to provide the user with instructions on what the situation is and scare him/her into paying the ransom money to the cyber-criminals in bitcoins.
The instructions in the ransom messages are the following:
We are sorry to tell you, but all your files on this PC were encrypted using strongest AES-256 encryption algorithm and you can personally verify this by pressing “files” button below or do this manually.
What can I do?
Despite that, you still has a chance to get all your data back in a 3 days period. For further information about unlocking process please use “info” button below. Please do not try to eliminate this program in case you want to get your files back.
You should use this address to send a payment. It costs around 300 USD (1.3 BTC) .
Use “copy” button to copy wallet address to clipboard.
We will verify your payment status within 2-3 hours after transaction. Please be patient since it’s manual process. In case you made a payment, but decryption process won’t start, use this e-mail to contact us:
The ransomware also has several buttons in its pop-up one of which leads to the following .txt file:
If a user clicks on the “Decrypt” button, it displays a pop-up message claiming the payment hasn’t been made yet or is currently being processed.
Remove Rackrypt Completely and Restore .rack Files
Before we start, keep in mind that you have the option to pay the ransom money of 300 USD even though it is no guarantee you will get your files back. If you remove the malware you will not be able to pay them. Otherwise, in order to remove this malware, it is important to first backup the encrypted files to another device since it may delete them if you try to remove it. Then, it is highly recommended to follow the step-by-step manual illustrated after this article to isolate and remove the malicious files and clean up your registries.