This article explains the issues that occur in case of infection with .risk files virus and provides a complete guide on how to remove malicious files and how to potentially recover files encrypted by this ransomware.
The appearance of .risk extension in the names of your valuable files is a sure sign of ransomware infection. This threat has recently been detected in the wild by security researchers. It is dubbed .risk files virus apparently after its associated extension. As identified in the course of its analysis it belongs to the Dharma ransomware family. The fact that your files are corrupted and inaccessible is used by cyber criminals as a precondition for the extortion of ransom payment.
Threat Summary
| Name | .risk Files Virus |
| Type | Ransomware, Cryptovirus |
| Short Description | A version of the CrySyS/Dharma ransomware that is designed to encrypt valuable files stored on infected computers and then extort a ransom from victims. |
| Symptoms | Important files are encrypted and renamed with the extension .risk. A ransom note appears on PC screen to present ransom payment instructions. |
| Distribution Method | Spam Emails, Email Attachments |
| Detection Tool | See If Your System Has Been Affected by .risk Files Virus Download Malware Removal Tool | User Experience | Join Our Forum to Discuss .risk Files Virus. |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive. |
.risk Files Virus – Distribution
Hackers who stands behind the launch of this devastating threat are likely to use at least one of the most commonly used spread channels.
One way to deliver .risk files virus to users’ devices is definitely malspam. Malspam is technique that enables hackers to spread malicious software via spam email campaigns. And there are several specific traits of these emails. The first one is spoofed email address, sender or both. These emails are often designed to present the names of representatives of well-known companies in order to look trustworthy and eventually trick you into installing the ransomware on your device. Another trait that should always warn you that something may get wrong is the presence of file attachment. There are many registered cases of infected users who had made the mistake to open a malicious file attachment on their devices which resulted in the activation of malicious code. The last trait of an email that attempts to deliver ransomware is URL address presented as an in-text link, button, image, banner or other clickable element.
In fact, URLs that land on infected web pages could be spread across other channels except email. Among them are different social media platforms, forums, and sometimes comments under articles. As a result of visiting such a page you unnoticeably activate a malicious script that is part of its code and eventually grant the ransomware access to your device.
.risk Files Virus – Overview
The ransomware dubbed .risk files virus infects computer systems in order to reach target types of files and encode them with the help of sophisticated cipher algorithm. It has been identified as another strain of the infamous Dharma ransomware. Recently lots of iterations of the same ransomware family have been detected in the wild. Among the last reported by our team are
As its predecessors the .risk variant of Dharma ransomware interferes with system settings in order to become able to complete the attack. It passes through several infection stages fist of which is the establishment of malicious files on the system. For it the ransomware could be either set to create needed files directly on the system or to connect its command and control server and download the additional malicious files. Folder locations that may be used for the storage of these malicious files are:
- %AppData%
- %Local%
- %LocalLow%
- %Roaming%
- %Temp%
- %Windows%
Malicious traits could be also found under the registry sub-keys Run and RunOnce. The most common reason why these two keys are often hit by ransomware is their functionality to auto execute files and processes. Once .risk crypto virus manages to add its malicious values under these keys its infection files load together with all other essential system files on each system start. Here are the exact locations of Run and RunOnce sub-keys:
→ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
When .risk files virus completes all initial system modifications its’s time for it to load its built-in encryption module and eventually encode target data. Among the files it is set to corrupt could be all of the following:
- Audio files
- Video files
- Document files
- Image files
- Backup files
- Banking credentials, etc
During encryption, .risk ransomware transforms the original code of target files with the help of strong cipher algorithm such as AES and RSA. Then it marks each corrupted file with the extension .risk. Unfortunately, all .risk files remain inaccessible until an efficient recovery method reverts back their code. This fact enables threat actors to extort a ransom payment from you. How they do this is via ransom message created on your device. The text of this message is likely to force you into contacting hackers so they can send you further instructions of the ransom payment. What they could want is an amount from 0.1 to 1.0 Bitcoin.
The good news is that hackers’ decrypter is not the only tool that could restore .risk files. To find more alternatives complete the removal process and check the restore data part of the guide that follows.
Remove .risk Files Virus and Restore Datas
The so-called .risk files virus is a threat with highly complex code that plagues not only your files but your whole system. So infected system should be cleaned and secured properly before you could use it regularly again. Below you could find a step-by-step removal guide that may be helpful in attempting to remove this ransomware. Choose the manual removal approach if you have previous experience with malware files. If you don’t feel comfortable with the manual steps select the automatic section from the guide. Steps there enable you to check the infected system for ransomware files and remove them with a few mouse clicks.
In order to keep your system safe from ransomware and other types of malware in future, you should install and maintain a reliable anti-malware program. Additional security layer that could prevent the occurrence of ransomware attacks is
Make sure to read carefully all the details mentioned in the step “Restore files” if you want to understand how to fix encrypted files without paying the ransom. Beware that before data recovery process you should back up all encrypted files to an external drive as this will prevent their irreversible loss.
Manually delete .risk Files Virus from your Mac
Remove a toolbar from Mozilla Firefox
Remove a toolbar from Google Chrome
Remove an extension from Safari and reset it.
Automatically remove .risk Files Virus from your Mac
When you are facing problems on your Mac as a result of unwanted scripts and programs such as .risk Files Virus, the recommended way of eliminating the threat is by using an anti-malware program. Combo Cleaner offers advanced security features along with other modules that will improve your Mac’s security and protect it in the future.
Gergana Ivanova
Gergana has completed a bachelor degree in Marketing from the University of National and World Economy. She has been with the STF team for three years, researching malware and reporting on the latest infections. She believes that in times of constantly evolving dependency of network connected technologies, people should spread the word not the war.
Follow Me:
