A ransomware variant known as REKTLocker has been reported to use the .rekt file extension and the RSA-2048 encryption algorithm to encipher user data. The virus then changes the desktop wallpaper to display its ransom demands, asking for 1 BTC as the payoff. Experts strongly advise victims of this malware NOT to pay any ransom, but instead to isolate and remove it and attempt to restore their files themselves. We recommend that you read this article thoroughly to learn more about REKTLocker ransomware, how to remove it from your system and how to restore your files.
|Short Description|REKTLocker encrypts the files of the systems it infects, asking 1 BTC as a ransom payoff.|
|Symptoms|Files are encrypted and no longer accessible, with an added .rekt file extension and a dropped Readme.txt file.|
|Distribution Method|Via malicious URLs, malicious e-mail attachments or other forms of online spam.|
|User Experience|Join our forum to discuss REKTLocker Ransomware.|
|Data Recovery Tool|Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.|
REKTLocker – Distribution Methods
Similar to other ransomware, REKTLocker may use a set of tools that help it spread and infect unsuspecting victims:
- Malware obfuscators.
- Exploit Kits.
- Spam bots or spamming services.
- Third-party advertisers and ad-supported PUP services.
These tools may be used to slip the malware onto the system in the form of malicious web links or malicious attachments. The web links may seem legitimate when scanned for malware, but they may redirect the browser to the actual infection URLs, which may inject a malicious script and drop the payload in a drive-by manner.
Malicious attachments, on the other hand, may carry an exploit kit or be .js, .exe, .dll or .tmp files that cause the infection. These are primarily sent as e-mail attachments that usually resemble Adobe Reader or Microsoft Office documents.
REKTLocker – More Information
As soon as REKTLocker has been initiated on the computer of the user, it may drop its malicious files in the following folders:
- %User’s Profile%
REKTLocker may drop more than one file, and the files may have different formats depending on what they were created to do. For example, if the ransomware drops a .BAT (batch) file, it is most likely there to delete the backups and shadow volume copies of the computer, using the following administrative command:
→ vssadmin delete shadows /all /quiet
Once the files have been dropped, REKTLocker may create malicious registry values in the following Windows Registry keys so that its file-encrypting executable runs when Windows starts up:
→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
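As an added example (not code from the original article or from any vendor tool), the following Python triage script runs the indicators described above, the shadow copy deletion command, Run/RunOnce values pointing into the user profile, and .rekt files with a Readme.txt beside them, over constructed endpoint telemetry. The event shape, paths and value names are assumptions made for the sample and are not real REKTLocker artifacts.

```python
import re

# Constructed endpoint telemetry in a Sysmon-like shape; none of it is real REKTLocker data.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"type": "process", "cmdline": "vssadmin list shadows"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "updater", "data": r"C:\Users\alice\AppData\Roaming\svc.exe"},
    {"type": "registry", "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "VendorTray", "data": r"C:\Program Files\Vendor\tray.exe"},
    {"type": "file", "path": r"C:\Users\alice\Documents\report.docx.rekt"},
    {"type": "file", "path": r"C:\Users\alice\Documents\Readme.txt"},
    {"type": "file", "path": r"C:\Users\alice\Downloads\Readme.txt"},
]

# The article's indicators: shadow copy deletion, Run/RunOnce autostarts, .rekt files + Readme.txt.
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)
RUN_KEY = re.compile(r"^(?:HKLM|HKCU|HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\Software\\"
                     r"Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$", re.I)
USER_PROFILE_PATH = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\", re.I)


def parent_dir(win_path):
    """Directory part of a Windows path, lower-cased so comparisons are case-insensitive."""
    return win_path.rsplit("\\", 1)[0].lower()


def triage(events):
    """Return (rule, detail) findings; a Readme.txt only counts when it sits beside a .rekt file."""
    findings, rekt_dirs, notes = [], set(), []
    for ev in events:
        if ev["type"] == "process" and SHADOW_DELETE.search(ev["cmdline"]):
            findings.append(("shadow_copy_deletion", ev["cmdline"]))
        elif ev["type"] == "registry" and RUN_KEY.match(ev["key"]) \
                and USER_PROFILE_PATH.match(ev["data"]):
            # Autostart entries in Run/RunOnce that launch from the user profile are suspicious.
            findings.append(("autostart_from_user_profile",
                             f"{ev['key']}\\{ev['value']} -> {ev['data']}"))
        elif ev["type"] == "file":
            path = ev["path"]
            if path.lower().endswith(".rekt"):
                rekt_dirs.add(parent_dir(path))
                findings.append(("rekt_extension", path))
            elif path.lower().endswith("\\readme.txt"):
                notes.append(path)
    # Second pass: Readme.txt is common; only flag it next to encrypted files.
    for path in notes:
        if parent_dir(path) in rekt_dirs:
            findings.append(("ransom_note_candidate", path))
    return findings
```

Running `triage(SAMPLE_EVENTS)` yields four findings: the shadow copy deletion, the HKCU Run value pointing into the user profile, the .rekt file, and only the Readme.txt that sits in the same folder as that file.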
After this, REKTLocker may begin the encryption process. The virus may use the RSA-2048 encryption algorithm, generating a decryption key and sending it to the cybercriminals’ C&C (Command and Control) server after encrypting files of the following types:
- Audio files.
- Pictures and other image files.
- Video files.
- Photoshop files.
- Microsoft Office documents.
- Web files.
- Other files associated with widely used software.
After the encryption has been completed, REKTLocker ransomware changes the structure of the files, making them inaccessible; an encrypted file looks like the following example:
After encryption, REKTLocker ransomware adds a Readme.txt file along with an image that it sets as the wallpaper. Here is what they both state:
REKTLocker Ransomware – Conclusion, Removal, and File Restoration
In summary, REKTLocker has most likely been purchased online as a service (RaaS) from a deep web forum, and the people behind it have inserted some crooked humor by choosing the .rekt file extension, a reference to so-called “owning” in video games. We advise not to comply with the demands of these cyber-crooks and instead to focus on dealing with the threat yourself. To do this, first remove REKTLocker ransomware and then focus on getting your files back by following the instructions below.
To remove REKTLocker, we have prepared a methodically arranged set of steps that will help you locate and remove its files manually, as long as you know exactly where all the files are. For maximum effectiveness, we urge you to use an advanced anti-malware program, because it will not only automatically detect and remove REKTLocker and other hazards to your PC, but also protect it in the future.
If you want to restore your files, make sure to back up the encrypted data first and DO NOT reinstall Windows. This will help programs such as the data recovery software we suggest using in step “3. Restore files encrypted by REKTLocker” to work more effectively and recover at least a small portion of your files. While you attempt to restore your files, we also strongly recommend following this article and our updates, since we will post an update as soon as malware researchers release a free decryptor for REKTLocker ransomware.
- Guide 1: How to Remove REKTLocker from Windows.
- Guide 2: Get rid of REKTLocker on Mac OS X.
- Guide 3: Remove REKTLocker in Google Chrome.
- Guide 4: Erase REKTLocker from Mozilla Firefox.
- Guide 5: Uninstall REKTLocker from Microsoft Edge.
- Guide 6: Remove REKTLocker from Safari.
- Guide 7: Eliminate REKTLocker from Internet Explorer.
- Guide 8: Disable REKTLocker Push Notifications in Your Browsers.
How to Remove REKTLocker from Windows.
Step 1: Boot Your PC In Safe Mode to isolate and remove REKTLocker
Step 2: Uninstall REKTLocker and related software from Windows
Here is a method in a few easy steps that should be able to uninstall most programs. Whether you are using Windows 10, 8, 7, Vista or XP, these steps will get the job done. Dragging the program or its folder to the Recycle Bin can be a very bad decision. If you do that, bits and pieces of the program are left behind, which can lead to unstable behavior of your PC, errors with file type associations and other unpleasant effects. The proper way to get a program off your computer is to uninstall it.
Step 3: Clean any registries, created by REKTLocker on your computer.
The registry keys usually targeted on Windows machines are the following:
You can access them by opening the Windows Registry Editor and deleting any values created by REKTLocker there. This can be done by following the steps underneath:
Get rid of REKTLocker from Mac OS X.
Step 1: Uninstall REKTLocker and remove related files and objects
1. Hit the ⇧+⌘+U keys to open Utilities. Another way is to click on “Go” and then click “Utilities”, like the image below shows:
- Go to Finder.
- In the search bar type the name of the app that you want to remove.
- Above the search bar, change the two drop-down menus to “System Files” and “Are Included” so that you can see all of the files associated with the application you want to remove. Bear in mind that some of the files may not be related to the app, so be very careful which files you delete.
- If all of the files are related, press ⌘+A to select them and then drag them to “Trash”.
In case you cannot remove REKTLocker via Step 1 above:
In case you cannot find the virus files and objects in your Applications or other places we have shown above, you can manually look for them in the Libraries of your Mac. But before doing this, please read the disclaimer below:
You can repeat the same procedure with the following other Library directories:
Tip: ~ is there on purpose, because it leads to more LaunchAgents.
Step 2: Scan for and remove REKTLocker files from your Mac
When you are facing problems on your Mac as a result of unwanted scripts and programs such as REKTLocker, the recommended way of eliminating the threat is by using an anti-malware program. SpyHunter for Mac offers advanced security features along with other modules that will improve your Mac’s security and protect it in the future.
Remove REKTLocker from Google Chrome.
Step 1: Start Google Chrome and open the drop menu
Step 2: Move the cursor over "Tools" and then from the extended menu choose "Extensions"
Step 3: From the opened "Extensions" menu locate the unwanted extension and click on its "Remove" button.
Step 4: After the extension is removed, restart Google Chrome by closing it from the red "X" button at the top right corner and start it again.
Erase REKTLocker from Mozilla Firefox.
Step 1: Start Mozilla Firefox. Open the menu window
Step 2: Select the "Add-ons" icon from the menu.
Step 3: Select the unwanted extension and click "Remove"
Step 4: After the extension is removed, restart Mozilla Firefox by closing it from the red "X" button at the top right corner and start it again.
Uninstall REKTLocker from Microsoft Edge.
Step 1: Start Edge browser.
Step 2: Open the drop menu by clicking on the icon at the top right corner.
Step 3: From the drop menu select "Extensions".
Step 4: Choose the suspected malicious extension you want to remove and then click on the gear icon.
Step 5: Remove the malicious extension by scrolling down and then clicking on Uninstall.
Remove REKTLocker from Safari.
Step 1: Start the Safari app.
Step 2: After hovering your mouse cursor to the top of the screen, click on the Safari text to open its drop down menu.
Step 3: From the menu, click on "Preferences".
Step 4: After that, select the 'Extensions' Tab.
Step 5: Click once on the extension you want to remove.
Step 6: Click 'Uninstall'.
A pop-up window will appear asking for confirmation to uninstall the extension. Select 'Uninstall' again, and the REKTLocker will be removed.
Eliminate REKTLocker from Internet Explorer.
Step 1: Start Internet Explorer.
Step 2: Click on the gear icon labeled 'Tools' to open the drop menu and select 'Manage Add-ons'
Step 3: In the 'Manage Add-ons' window.
Step 4: Select the extension you want to remove and then click 'Disable'. A pop-up window will appear to inform you that you are about to disable the selected extension, and some more add-ons might be disabled as well. Leave all the boxes checked, and click 'Disable'.
Step 5: After the unwanted extension has been removed, restart Internet Explorer by closing it from the red 'X' button located at the top right corner and start it again.
Remove Push Notifications caused by REKTLocker from Your Browsers.
Turn Off Push Notifications from Google Chrome
To disable any Push Notices from Google Chrome browser, please follow the steps below:
Step 1: Go to Settings in Chrome.
Step 2: In Settings, select “Advanced Settings”:
Step 3: Click “Content Settings”:
Step 4: Open “Notifications”:
Step 5: Click the three dots and choose Block, Edit or Remove options:
Remove Push Notifications on Firefox
Step 1: Go to Firefox Options.
Step 2: Go to “Settings”, type “notifications” in the search bar and click "Settings":
Step 3: Click “Remove” on any site whose notifications you want gone and click “Save Changes”
Stop Push Notifications on Opera
Step 1: In Opera, press ALT+P to go to Settings
Step 2: In the Settings search box, type “Content” to go to Content Settings.
Step 3: Open Notifications:
Step 4: Do the same as you did with Google Chrome (explained above):
Eliminate Push Notifications on Safari
Step 1: Open Safari Preferences.
Step 2: Choose the domain from which you want push pop-ups gone and change "Allow" to "Deny".