Remove RedEye Ransomware Virus - Restore .RedEye Files

Remove RedEye Ransomware Virus – Restore .RedEye Files

This article will aid you to remove RedEye Ransomware virus completely. Follow the ransomware removal instructions given near the end of the article.

RedEye Ransomware is a virus that encrypts your files and demands money as a ransom to get your files restored. Malware researchers have found out that this ransomware is also a wiper type, meaning that it wipes data clean off from your PC and erase the MBR (Master Boot Record) so you cannot access your computer afterward. The RedEye Ransomware cryptovirus will encrypt your file data, while placing the .RedEye extension to each file and making them 0 KB in size. Continue reading the article and see how you could try to potentially recover some of your file data.

Threat Summary

TypeRansomware, Cryptovirus
Short DescriptionThe ransomware encrypts files on your computer system and demands a ransom to be paid to allegedly recover them.
SymptomsThe ransomware will encrypt your files with the AES encryption algorithm. All locked files will become unusable after encryption which will leave them with the .RedEye extension.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by RedEye


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss RedEye.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

RedEye Ransomware Virus – Infection Spread

RedEye Ransomware virus might spread its infection in various ways. A payload dropper which initiates the malicious script for this ransomware is being spread around the World Wide Web, and researchers have gotten their hands on a malware sample. If that file lands on your computer system and you somehow execute it – your computer system will become infected.

In the below screenshot you can view the detection of the RedEye Ransomware payload file made on the VirusTotal service:

Freeware which is found on the Web can be presented as helpful also be hiding the malicious script for the cryptovirus. Refrain from opening files right after you have downloaded them. You should first scan them with a security tool, while also checking their size and signatures for anything that seems out of the ordinary. You should read the tips for preventing ransomware located at the corresponding forum thread.

RedEye Ransomware Virus – Technical Information

RedEye Ransomware is a virus that encrypts your files and places a ransom note message. The extortionists want you to pay a ransom fee for the alleged restoration of your files.

RedEye Ransomware cryptovirus could make entries in the Windows Registry to achieve persistence, and could launch or repress processes in a Windows environment. Such entries are typically designed in a way to launch the virus automatically with each start of the Windows operating system.

After encryption the RedEye Ransomware virus shows a ransom note message window. You can see the contents of the window screen from the following screenshot given down here:

The ransom note states the following:

RedEye Ransomware
All your personal files has been encrypted with an very strong key by RedEye!
(Rijndael-Algorithmus – AES – 256 Bit)
The only way to get your files back is:
– Go to http://redeye85x9tbxiyki.onion/tbxIyki – Enter your Personal ID
and pay 0.1 Bitcoins to the adress below! After that you need to click on
“Check Payment”. Then you will get a special key to unlock your computer.
You got 4 days to pay, when the time is up,
then your PC will be fully destroyed!
Your personal ID: [redacted]

The note of the RedEye Ransomware cryptovirus states that your files are encrypted. You are demanded to pay money in Bitcoins to allegedly restore your files. However, you should NOT under any circumstances pay any ransom sum. Your files may not get recovered, and nobody could give you a guarantee for that. Adding to that, giving money to cybercriminals will most likely motivate them to create more ransomware viruses or commit different criminal activities. That may even result to you getting your files encrypted once again.

However, in case you click on “Do it!” button option on the “Terminate PC” screen or when the timer runs out, your computer will restart and thus the MBR (Master Boot Record) will be replaced deeming the system inaccessible.

The above message will pop up on the screen of your computer instead of it loading your OS (Operating system) like it should.

The text states the following:

RedEye Terminated your computer!

The reason for that could be:
– The time has expired
– You clicked on the ‘Destroy PC’ button

There is no way to fix your PC! Have Fun to try it

My YouTube Channel: iCoreX <- Subscribe :P Add me on discord! iCoreX#3333 <- Creator of Jigsaw, Annabelle & RedEye Ransomware! My old discord account named ’ iCoreX#1337’ got terminated by discord.

Interestingly enough, the malware researcher Jakub Kroustek shared on twitter that the malware author has also left details about his YouTube channel in the rewritten MBR (Master Boot Record).

RedEye Ransomware Virus – Encryption Process

What is known for the encryption process of the RedEye Ransomware virus is that every file that gets encrypted will become simply unusable. All encrypted files will receive the .RedEye extension appended to them and become 0 KB in size. Files will become locked with the AES 256-bit military-grade encryption algorithm.

Researchers state that this is a complete wiper and not a typical ransomware, much like the Annabelle Ransomware Virus that is from the same malware author.

The following files are known to become encrypted by this ransomware:

→.bmp, .doc, .docx, .jpg, .png, .ppt, .pptx, .mp3, .xsl, .xslx

That is not the full list with the targeted extensions of files which are sought to get encrypted by the ransomware threat. The article will be duly updated when and if this list becomes complete.

The RedEye Ransomware cryptovirus could be set to erase all the Shadow Volume Copies from the Windows operating system with the help of the following command:

→vssadmin.exe delete shadows /all /Quiet

Note! Most of its variants rewrite the MBR (Master Boot Record) so your system is no longer operable, but if the case is that the MBR is just erased, you could try to recover the information on your drives by following the below instructions.

How to Try and Recover Drives Locked by RedEye Virus

We have decided to create theoretical instructions to help you try recovering at least some of your important files. Here is what you will need to have for the instructions:

  • A screwdriver, corresponding to your desktop/laptop.
  • A secure computer that is scanned for malware and cleaned and has a proper ransomware protection.
  • Patience.

First of all, you should choose the safe computer from which to scan your files to be a powerful Windows machine which is also secured. After securing the operating PC, you should prepare it for the decryption process which will most likely be lengthy. This is why we recommend changing the power settings so that your decryption computer does not automatically hibernate or sleep while left decrypting the drive.

Step 1: Click on the battery icon in your system tray (next to the digital clock) in Windows and then click on More Power Options.
Step 2:The Power options menu will appear. In your power plan click on Change Plan Settings.
Step 3: In your plan’s settings make sure you set “Turn off the display” and “Put computer to sleep” to “Never” from the drop down minutes menu.
Step 4: Click on Save Changes and close it.

Recovery Phase

For the recovery process, we have outlined several often-met drive migration scenarios which can be possible between different computers:

  • From Laptop to Laptop with no extra components.
  • From Desktop to Desktop with no extra components.
  • From Laptop to Desktop with a SATA cable if the Desktop has an outdated chipset.
  • From Desktop to Laptop with a SATA cable if the Laptop has a newer chipset.

To simplify the process, we recommend you to choose machines that do not require any extra cables or components for the drive to run on them. In case you do not have such possibility, we recommend using an external SATA-USB adapter.

Step 1: Remove battery and power from your laptop. For desktop computers, please remove eliminate the power from the contact.

Step 2: Using the screwdriver, unscrew the case which carries the hard drive. For laptops, you should follow these steps:


Step 3: Remove the hard drive again with the screwdriver. It will look similar to the one on the picture below:


Step 4: Plug-in the hard drive on a secure computer which has an internet connection and Windows installed and screw it in firmly. If connected directly, the hard drive should be detected by the OS as a separate partition, similar to the picture below:


Step 5: After you have connected the drive, you will likely not be able to open it, because it’s sectors are encrypted. However, because only some of the sectors are encrypted, enough to render the drive no longer able to be opened, you may have a chance if you use a data recovery software to recover the files from the drive as you were scanning a lost partition. Most data recovery programs have support for scanning broken partitions. Read below to see some programs that can help you out with the data restoration.

Remove RedEye Ransomware Virus and Restore .RedEye Files

If your computer system got infected with the RedEye Ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.

Tsetso Mihailov

Tsetso Mihailov

Tsetso Mihailov is a tech-geek and loves everything that is tech-related, while observing the latest news surrounding technologies. He has worked in IT before, as a system administrator and a computer repair technician. Dealing with malware since his teens, he is determined to spread word about the latest threats revolving around computer security.

More Posts

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share