Reyptson Ransomware Removal - Restore .REYPTSON Files

Reyptson Ransomware Removal – Restore .REYPTSON Files

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

The article will aid you remove Reyptson ransomware fully. Follow the ransomware removal instructions given at the end of this article.

Reyptson is a ransomware virus that targets mainly Spanish speakers. After your files get encrypted, they will become inaccessible and get the .REYPTSON extension appended to them. AES with 128-bit ciphers is the encryption algorithm being used for locking the files. The Reyptson cryptovirus tampers with registry entries and leaves a ransom note in Spanish, with demands for paying the ransom of 200 euros. Keep on reading to see how you could try to potentially restore some of your files.

Threat Summary

Short DescriptionThe ransomware encrypts files on your computer and displays a ransom message with instructions afterward.
SymptomsThe ransomware will encrypt your files with the .REYPTSON extension and then shows a ransom note written in Spanish demanding 200 euros.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by Reyptson


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Reyptson.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Reyptson Ransomware – Infection

Reyptson ransomware has an interesting way of infecting computers and spreading after that. The payload file that executes the malicious script for this ransomware, which in turn infects your computer system, requires a bit of social engineering to work. At first, you will open or receive the following message in your E-mail:

If you click on the “Ver o imprimir factura” button you will trigger a redirect which connects to the following address:

  • http://www.melvinmusicals[.]com/facefiles/factura.pdf.rar

That address could change with future versions and updates of the virus. From the URL address, a fake PDF file is downloaded on your system that requires you to open it. Here you can see a sample of that file, submitted to the VirusTotal service:

That factura.pdf.exe file is the actual payload for the ransomware. If you execute it, your computer device becomes infected with the Reyptson virus. While your files are being encrypted, and a lot of processes are launched to make copies of the initial malicious file and replicate the virus. Also, the virus will launch every time you start your system. Moreover, you will see the following window pop up on your screen multiple times:

That is the Adobe Acrobat Reader being started with a special script that is made to look like the Reader software is hogging resources while trying to open a file called “SpotifyWebHelper.pdf” which is “missing”. That is not true and only seems that way, while the virus is silently encrypting your files in the background. The reason for that is that if you restart your computer or stop the internet connection at the moment of encryption, you will cut off the encryption process, leaving some of your files intact. There are other ways to stop ransomware and you should read the tips for ransomware prevention thread in our forum to know more.

The Reyptson virus might spread its malicious files over social media sites and file-sharing networks. Be careful with what you download from the internet and make sure you first scan it with a security tool. Furthermore, the Reyptson ransomware will spread further, once it infects your machine, via the Simple Mail Transfer Protocol and Thunderbird as it sends the same message from where the infection starts to all your contacts it finds. Thus, it can spread all over the world, if people click on the button that downloads the payload file.

Reyptson Ransomware – Analysis

Reyptson ransomware is a cryptovirus. After your files get encrypted, a ransom message will show up written in Spanish. Judging by that message, it is easy to presume that the ransomware is targeted at Spanish speaking users, but it is not excluded to hit other ones over the World as well, especially with its payload being distributed to your contact list in both Thunderbird and Mail server.

Reyptson ransomware makes an entry in the Windows Registry, about five times to achieve persistence, and could launch or repress processes inside the Windows Operating System. Some entries are designed in a way that will start the virus or some of its parts automatically with each launch of the Windows OS, as seen right down below:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v “Spotify Web Helper v1.0” /f /d “%APPDATA%\Spotify\SpotifyWebHelper\Spotify.vbs

The ransom note will appear when the encryption process finishes. The note is written in the Spanish language and provides details about what the ransom price is, along with other instructions about what it will take to recover your files. The note has a plain text variant as well as one which is graphical and shows in a window.

The ransom note message with instructions has a version that shows as a pop-up window on your screen after the encryption process is completed. You can preview it from the below screenshot:

That ransom note message states this:

Accede a este sitio web:
En el tienes las instrucciones para recuperar tus ficheros y un soporte con el que
podrás contactarnos para recibir asistencia técnica.
Si no puedes acceder puedes entrar bajandote un navegador llamado tor de:
Y entrando a: http://37z2akkbd3vqphw5.onion/?usario=4406091797&pass=3411
Para poder descifrar tus ficheros tendrás que pagar 200€ pero si te retrasas mas
de 72H tendrás que pagar 500€

The actual ransom note is inside a file called Como_Recuperar_Tus_Ficheros.txt and you can see it here:

The text on it reads the following:

Como recuperar tus ficheros del cifrador Reyptson
Tienes toda la información en esta web:
Si no puedes entrar descarga el navegador tor desde:
y entra a: http://37z2akkbd3vqphw5.onion/?usuario=4406091797&pass=3411

Para poder descifrar tus ficheros tendras que pagar 200€
pero si te retrasas mas de 72H tendras que pagar 500€

Tus datos de acceso son:
Usuario: 4406091797
Contraseña: 3411

Reyptson ransomware describes in those ransom note files with instructions that your files are encrypted and to get them restored you need to pay a ransom of 200 euros. However, if you do not meet the initial deadline of 72 hours or three days, the sum you would have to pay will be 500 euro. You are given the following Web address on the TOR network service:


You can preview that URL page in the below snapshot:

There it says the following:


Actualmente todos los documentos como por ejemplo PDFs, Docs, txts y demás archivos ofimáticos están bloqueados completamente con una clave fuertemente tipada en AES-128 y no tienes forma de recuperar estos archivos a no ser que envíes un pago con las instrucciones que voy a darte.

Nosotros tenemos la clave de cifrado para que con un sólo click puedas recuperar todo lo que tenías anteriormente y sin perder absolutamente nada. Si quieres conseguir esta clave para poder descifrar los archivos tienes que enviarnos 200€ .

Dispones de 72 horas para realizar el pago de 200€. Si no se realiza el pago, la cantidad aumentara a 500€.

Para pagar los 200€ tienes que hacerlo a través de la plataforma Bitcoin.

El proceso es el siguiente, lo primero que tienes que hacer es crear un monedero bitcoin (gratis). Puedes hacerlo en cualquiera de estas webs:


Al crear el monedero recibirás la dirección del mismo (una cadena de texto), tienes que introducir los 200€ en tu monedero.

Para comprar los Bitcoins y meterlos en tu monedero puedes usar:


Una vez tengas los bitcoins transfiérelos a este monedero Bitcoin:


El sistema automático detectará cuando hayas pagado y la clave para descifrar todo será liberada.
Estado actual
No has pagado.

Fecha de duplicación del pago
El día 18 del mes 07 del año 2017 a las 15:05:56

Basically, there is little to no new information compared to what we have covered in the article up to this point. The criminals have even created a support page on that site platform. Either way, you should NOT under any circumstances contact or pay these cybercriminals. Your files may not get restored, and nobody could give you a guarantee for that. Furthermore, giving money to these criminals will likely motivate them to create more ransomware or do other criminal acts.

Reyptson Ransomware – Encryption

For the time being there is little information about the file extensions which the Reyptson ransomware seeks to encrypt. The following list is definitely followed in the encryption process, and thus files with the following extensions are being encrypted:

→.doc, .dot, .wbk, .docx, .docm, .dotx, .dotm, .docb, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .accdb, .db, .accde, .accdt, .accdr, .pdf, .ani, .anim, .apng, .art, .bmp, .bpg, .bsave, .cal, .cin, .cpc, .cpt, .dds, .dpx, .ecw, .exr, .fits, .flic, .flif, .fpx, .gif, .hdri, .hevc, .icer, .icns, .ico, .cur, .ics, .ilbm, .jbig, .jbig2, .jng, .2000, .jpeg-ls, .jpeg, .xr, .kra, .mng, .miff, .nrrd, .ora, .pam, .pbm, .pgm, .ppm, .pnm, .pcx, .pgf, .pictor, .png, .psd, .psb, .psp, .qtvr, .ras, .rbe, .jpeg-hdr, .logluv, .tiff, .sgi, .tga, .tiff, .tiff, .ufo, .ufp, .wbmp, .webp, .xbm, .xcf, .xpm, .xwd, .cpp, .h, .cs, .sln, .idb, .txt, .dat

Interestingly enough, files that have the .jpg extension could be left unencrypted and are not touched in any way.

All files that get encrypted by the Reyptson virus will receive the .REYPTSON extension appended to them, after the original file extension. File names are unchanged.

The encryption algorithm that is used is AES with 128-bit ciphers.

The Reyptson cryptovirus is has not been seen to delete the Shadow Volume Copies from the Windows operating system. That means that you might be able to recover your files from previous copies of Windows. If your computer got infected with the Reyptson ransomware, keep reading below and find out in what ways you could potentially recover your data files.

Remove Reyptson Ransomware and Restore .REYPTSON Files

If your computer got infected with the Reyptson ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided down below.

Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share