Remove Reetner Ransomware – Restore Your Data

Remove Reetner Ransomware – Restore Your Data

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

This article will aid you to remove the Reetner ransomware effectively. Follow the ransomware removal instructions provided at the bottom.

Reetner ransomware is the name of a cryptovirus. Recently, malware researchers have found a program related to it that is responsible for creating its ransom note messages. After encryption, your current wallpaper will be changed to one that shows instructions for the ransom. These instructions ask that you to “contact the administrators at your institution”. That implies that firms and businesses could be the main target of the virus. The cybercriminals behind it will demand money as payment for getting your files back. Read on and see what you could try to potentially recover some of your data.

Threat Summary

Short DescriptionThe ransomware encrypts files on your computer system and it shows a ransom note afterward.
SymptomsThis ransomware virus will encrypt your files and demand money as payment for recovering your files.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by Reetner


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Reetner.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Reetner Ransomware – Distribution Methods

Reetner ransomware could be distributed by using several methods. However, the method that is the most widespread is via a payload dropper file which initiates the malicious script for the ransomware. Samples have been spotted by malware researchers and you can preview one of them sent for analysis on the VirusTotal service right here:

The Reetner ransomware might be using other methods to deliver the payload file, such as social media sites and file-sharing networks. Freeware applications found on the Internet could be promoted as helpful but also could hide the malicious script for this virus. Before opening any files after you have downloaded them, you should instead scan them with a security program. Especially if they come from suspicious places, such as emails or links. Also, don’t forget to check the size and signatures of such files for anything that seems out of place. You should read the ransomware prevention tips given in the forum section.

Reetner Ransomware – In-Depth Overview

Reetner ransomware is a cryptovirus. Malware researchers have recently discovered part of the virus and more precisely – the ransom note generator. The idea of the cybercriminals to have the ransom note generator separate from its encrypting tool, might be to test out how security programs fair with them separately, so that the malware creators could try to obfuscate their malicious files further in a new way. That, or the ransomware could prove to still be in a developmental stage.

The Reetner ransomware could be set to make new registry entries in the Windows Registry to achieve a higher level of persistence. Those entries are usually designed in a way that will start the virus automatically with every launch of the Windows Operating System, like in the example given below:


The ransom message will be placed inside a file named note.html. That is what is said inside the initial ransom note, as seen below:

That note reads the following:

Why I can’t open my files?
All your important files were protected with a strong military-grade encryption algorithm (AES256 + RSA4096). More info here:
What can I do?
In the following computers there is a file named C:\note.html with more detailed instructions to recover your files. Contact the administrators at your institution as soon as possible.

And the above note is located on your Desktop as described on the image below:

That image is set as your new Desktop wallpaper and states:

All your files have been encrypted.
See the file “Unlock_My_Files” located on your Desktop for detailed instructions on how to recover your files.
Consulta el archivo “Unlock_My_Files” ubicado en el escritorio para obtener instrucciones detalladas sobre como recuperar tus archivos.

In the final ransom note file, different sum of money could be demanded as the ransom, depending on who got infected (be it a business, firm or a single home user for instance). Never pay the malware creators, whatever sum of money is asked from you. By paying, you can motivate them to make more ransomware viruses or to commit other crimes.

Reetner Ransomware – Encryption Process

There is no official list with file extensions that the Reetner ransomware seeks to encrypt and the article will be duly updated if that changes. The encryption algorithms which are used are AES 256-bit and RSA 4096-bit or at least those are the ones stated in the ransom note.

The Reetner cryptovirus is very likely to erase the Shadow Volume Copies from the Windows operating system by executing the following command:

→vssadmin.exe delete shadows /all /Quiet

If the above-stated command is executed in the command prompt of the Windows operating system, that will make the encryption process more effective, as one of the ways for file recovery will be gone. Keep reading to find out what methods you can try out to potentially restore some of your data.

Remove Reetner Ransomware and Restore Your Data

If your computer got infected with the Reetner ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share