Remove Razy Ransomware and Restore .razy Encrypted Files - How to, Technology and PC Security Forum | SensorsTechForum.com

Remove Razy Ransomware and Restore .razy Encrypted Files

razy-ransomware-main-sensorstechforumAES algorithm, used by a ransomware virus, called Razy had been identified by malware researchers. The ransomware uses its distinct .razy file extension which it adds to the files of your computer once it encrypts them, making them no longer openable by any software. Users are provided with instructions via a picture and an .HTML file that directly redirect them to a payment page. Researchers believe that Razy ransomware has been created by people who did not want it released in the wild, but instead, the virus has leaked somehow. To everyone who has been affected by Razy ransomware, it is recommended not to pay any ransom to the cyber-criminals. Instead, it is advisable to read this article and learn how to delete Razy ransomware safely and try to decrypt or restore the encrypted files.

Threat Summary

Name

Razy

TypeRansomware
Short DescriptionThe malware encrypts users’ files using AES encryption, changing the wallpaper with its ransom message.
SymptomsThe user may witness ransom messages and “instructions” on how to make a payoff.
Distribution MethodIt may spread via malicious PDFs and an Infostealer featured in spam e-mail messages.
Detection Tool See If Your System Has Been Affected by Razy

Download

Malware Removal Tool

User ExperienceJoin our forum to Discuss Razy Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Razy Ransomware – Distribution Methods and Tools

For it to infect a high amount of users, Razy ransomware may use a different set of tools. One of those tools may be an Exploit Kit via which an infection can occur and the malicious files can be dropped on the infected computer. Another tool of distribution is via a malicious JavaScript which can cause the direct infection of the victim PC via a pre-programmed malicious script. A common way to penetrate system defenses is to use program obfuscators, which may allow for the malicious executable of Razy to be directly opened automatically without real-time shields of antivirus programs stopping it and eliminating it.

These and other tools may be used in different types of widespread spam throughout the web to infect user PCs. The most commonly used method is to upload the files in archives or merged with other files in spam e-mail messages that seem trustworthy, like from PayPal, your bank or another online service you may be using. Another method to spread malware through e-mail spam is to include malicious URLs like the example below:

e-mail-spam-sensorstechforum

Such hotlinks may redirect to harmful domains which may infect your computer with Razy Ransomware via one of the tools above.

Razy Ransomware – More Information

Once Razy attacks your computer unnoticed, your files become at risk. The virus may or may not drop its malicious files on several key Windows locations:

  • %AppData%
  • %Local%
  • %LocalRow%
  • %Temp%
  • %Windows%

The file or files belonging to Razy ransomware may be different types:

→ .exe, .bat, .vbs, .js, .cmd, .dll, .tmp

Razy ransomware may also modify the Windows Registry Editor so that it runs when you start up your computer. It may target the following keys:

  • HKEY_LOCAL_MACHINE\…\Run
  • HKEY_CURRENT_USER\…\Run

When Razy ransomware’s encryption process is running, it begins to scan for widely used types of files associated with:

  • Videos.
  • Microsoft Office documents.
  • Adobe Reader documents.
  • Virtual Box databases and other virtual drives.
  • Pictures.
  • Music and other audio files.
  • Other multimedia content.
  • Other important files associated with commonly used software.

More to it than that, Razy ransomware is configured to not encrypt files in key Windows folder, such as:

  • %AppData%
  • %Windows%
  • %SystemDrive%

When it encrypts the files, Razy appends to them the file extension .razy and the encrypted files may look like the following:

razy-ransomware-encrypted-file-sensorstechforum

To encrypt the files, Razy ransomware uses a very strong encryption algorithm. It is called Advanced Encryption Standard (AES) and can take months to years to break directly even by powerful computers. Since direct decryption is next to impossible, malware researchers are focused on looking for holes and exploits in the code of Razy, so that they may release a free decryptor. We will update this article as soon as there is one and in the meantime, you may try the decryption methods illustrated at the bottom of this article.

After a successful encryption has occurred, Razy ransomware, drops two files on the %Desktop% of the compromised computer:

  • !! DECRYPT MY FILES !! .HTML
  • Razy.jpg

The !! DECRYPT MY FILES !! .HTML file contains ransom instructions with a hotlink to what appears to be an anonymous payment web page which can assure safety to the cyber-crooks. It has the following message in it:

→“razy
PAY TO GET YOUR DATA BACK! HERE
PAY TO GET YOUR DATA
CLICK ON THIS BUTTON
• PAY HERE
• Twitter
• Email
©RAZYDECRYPT 2016.”

In addition to this, Razy may tamper with the following key to change the wallpaper to razy.jpg:

→HKEY_CURRENT_USER\Control Panel\Desktop “Wallpaper”=”C:\Users\{User’s Profile\Desktop\razy.jpg”

The wallpaper changed by Razy has the following note in it:

→ “!ATTENTION!
ALL YOUR FILES HAVE BEEN ENCRYPTED –
OPEN -> !! DECRYPT MY FILES !!.html TO DECRYPT YOUR FILES”

Razy Ransomware – Remove It and Try to Revert Your Files

Even the creators of Razy ransomware did not expect it to go out into the wild, since they have contacted malware researchers with the statement that they did not post the virus in the wild. Either way, paying the real cyber-criminals behind this Nasty virus is not recommended, and you should immediately remove it and try to get your files back

Razy ransomware can be removed very easily if you make sure to follow the Manual or Automatic instructions below, depending on your tech savviness. Either way, the most recommended way to remove Razy swiftly and in a simple manner remains to be the usage of an advanced anti-malware program, and we highly advise it.

To attempt and get your files back to normal, in the meantime, there is no direct solution. However, you can try out step “3. Restore files encrypted by Razy” below. It contains alternative methods, and there may be no guarantee they will work, but in case you have made a backup and are lucky there is a chance you may revert at least a small portion of your data.

Manually delete Razy from your computer

Note! Substantial notification about the Razy threat: Manual removal of Razy requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Razy files and objects.
2. Find malicious files created by Razy on your PC.
3. Fix registry entries created by Razy on your PC.

Automatically remove Razy by downloading an advanced anti-malware program

1. Remove Razy with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by Razy in the future
3. Restore files encrypted by Razy
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.