A rather unorthodox ransomware variation has been reported to use the well-known archiving program WinRar to archive and lock the users’ files with a password. The virus demands that users contact the Realxakepok@bigmir.net e-mail address in order to restore their files. The cyber-criminals behind the e-mail address will most likely provide instructions for making a ransom payment, which may be in BTC or another cryptocurrency. Users are strongly advised not to give in to the demands of the cybercrook(s) behind the ransomware and to try the free alternative methods for reverting their files after removing the virus with an advanced anti-malware program.
|Short Description|The ransomware locks files with a password and uses a strong algorithm to lock the password in a key.txt file.|
|Symptoms|All files have a .RAR file extension. A pop-up with ransom instructions appears when WinRar is opened.|
|Distribution Method|Spam emails, email attachments, file-sharing networks.|
|Detection Tool|See If Your System Has Been Affected by Realxakepok Malware Removal Tool|
|User Experience|Join our forum to Discuss zCrypt Ransomware.|
|Data Recovery Tool|Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files but only a few of them, depending on the situation and whether or not you have reformatted your drive.|
Realxakepok Ransomware – Ways It Spreads
Realxakepok is believed to target individual machines rather than organizations. This suggests that the ransomware is spread through mass campaigns aimed at as many potential victim PCs as possible. Some of the most well-known mass methods for spreading malware are:
- Via spam e-mail attachments.
- By using malicious URLs featured in such spam mails or anywhere on the web.
- By uploading fake executables to websites disguised as legitimate software providers.
- Via adware or other unwanted programs.
Realxakepok Ransomware – Technical Overview
After a successful infection, the ransomware drops several .bat files on the compromised PC:
These files are reported by malware analysts on security forums to start the following processes in Windows Task Manager:
Realxakepok ransomware also creates the following files:
→ C:/Program Files/Chaekgrewege/chaekgrewegeverifierService.html5
C:/Program Files/Chaekgrewege/chaekgrewegeverifierTask.exe
In addition to that, the Realxakepok ransomware virus creates several registry values referencing the chaekgrewege files.
After this is done, the file-locking process begins. Realxakepok uses WinRar to archive commonly used types of files, for example:
→ “.PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML .DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX .INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD .SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ .BMP .DDS .GIF .JPG .CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG” Source: fileinfo.com
After this is done, the ransomware asks for a password every time the user tries to open the files. In addition to the password prompt, Realxakepok also presents specific and serious demands in a WinRar pop-up window:
→ “All your valuable files are archived indefinitely using
Password for the archive was generated randomly
and encrypted algorithm used in the military sphere.
This means that no one in the world can not help you
to receive a password, except for me. I’m not the
one who receives money and disappears. In this
case, you will get your 100% data back, but there
is little time restriction on a valid password, so
postpone and believe in miracles not worth it.
Your encrypted password stored on the disk
c: \ key.txt or folder c: \ windows \ key.txt.
It should be sent to e-mail firstname.lastname@example.org
and discuss payment method
Price password is symbolic twenty five euros.” Source: Bleeping Computer
After this is done, the ransomware saves a file named “key.txt”, which contains the password in an encoded form produced with one of the following encryption algorithms:
So far it is not clear what the password is; however, the ransom e-mail address email@example.com is also associated with another cyber-threat, a screenlocker. The password of that other cyber-threat is believed to be “iamsorrygoodluck”.
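A triage check for the locking behaviour described in this section, added here as an example (it is not code from the original article or from any vendor tool): it parses RAR4 block headers to tell whether an archive's entries are password-protected, then walks a directory tree for such archives and for the key.txt drop paths quoted in the ransom note. The sample archive is constructed by `build_rar4` with zeroed CRCs and a made-up file name; RAR5-format archives are not parsed.

```python
import os
import struct

RAR4_MAGIC = b"Rar!\x1a\x07\x00"   # RAR 4.x signature; RAR5 (ends 01 00) is not parsed here
MHD_PASSWORD = 0x0080  # main header flag: the block headers themselves are encrypted
LHD_PASSWORD = 0x0004  # file header flag: this entry's data is password-protected
LONG_BLOCK = 0x8000    # block carries a 4-byte ADD_SIZE (the packed data length)

def rar4_entries(data):
    """Return (headers_encrypted, [(name, encrypted), ...]) for RAR4 bytes."""
    if not data.startswith(RAR4_MAGIC):
        raise ValueError("not a RAR4 archive")
    pos, entries = len(RAR4_MAGIC), []
    while pos + 7 <= len(data):
        _crc, btype, flags, head_size = struct.unpack_from("<HBHH", data, pos)
        add_size = struct.unpack_from("<I", data, pos + 7)[0] if flags & LONG_BLOCK else 0
        if btype == 0x73 and flags & MHD_PASSWORD:  # main header says: everything locked
            return True, entries
        if btype == 0x74:                           # file header; name sits at offset 32
            name_size = struct.unpack_from("<H", data, pos + 26)[0]
            name = data[pos + 32:pos + 32 + name_size].decode("utf-8", "replace")
            entries.append((name, bool(flags & LHD_PASSWORD)))
        if btype == 0x7B or head_size < 7:          # end-of-archive block, or corrupt size
            break
        pos += head_size + add_size
    return False, entries

def build_rar4(name, encrypted, payload=b"\0" * 16):
    """Constructed RAR4 blob for the demo (CRCs zeroed; not real WinRar output)."""
    nm = name.encode()
    flags = LONG_BLOCK | (LHD_PASSWORD if encrypted else 0)
    main_hdr = struct.pack("<HBHH", 0, 0x73, 0, 13) + b"\0" * 6
    file_hdr = struct.pack("<HBHHIIBIIBBHI", 0, 0x74, flags, 32 + len(nm), len(payload),
                           len(payload), 2, 0, 0, 29, 0x30, len(nm), 0x20) + nm
    return RAR4_MAGIC + main_hdr + file_hdr + payload + struct.pack("<HBHH", 0, 0x7B, 0x4000, 7)

def scan_tree(root, key_paths=(r"C:\key.txt", r"C:\windows\key.txt")):
    """List password-protected .rar files under root and any key.txt drops present."""
    locked = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in (f for f in files if f.lower().endswith(".rar")):
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                head = fh.read()
            if head.startswith(RAR4_MAGIC):
                enc_hdr, entries = rar4_entries(head)
                if enc_hdr or any(enc for _n, enc in entries):
                    locked.append(path)
    return {"locked_archives": sorted(locked),
            "key_files": [p for p in key_paths if os.path.exists(p)]}
```

A tree where nearly every document has become a password-protected .rar and a key.txt sits at one of the quoted paths matches the symptoms in the table above; the scan itself does not attempt to open or recover anything.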
Remove Realxakepok Ransomware Virus and Try Reverting The Files
Since this virus creates multiple files and registry entries, you can use the information in this article together with the removal instructions to manually find and delete them in Safe Mode, after stopping any still-running processes from Windows Task Manager. However, for maximum effectiveness, cyber-security experts advise users to take a more automated approach to removing the threat: installing an advanced anti-malware tool that will find every object created or modified by Realxakepok ransomware on your computer.
To restore your files, you may have a couple of free options left. Since the Realxakepok virus has not been reported to delete backups and shadow volume copies, you may want to try the instructions in step “3.Restore files encrypted by Realxakepok Ransomware” below. Another option that may work for you is to download a WinRar brute-force password cracker and build a password list of different letter combinations, but this is a time-costly process. The final solution may be to purchase WinRar and contact the program’s support for assistance.