Russenger Virus – How to Remove & Restore .messenger-%random% Files

This article explains how to remove the Russenger virus from your computer system and how to restore files encrypted with the .messenger-%random% extension.

The Russenger virus is a newly discovered threat that contains a dangerous ransomware component. It encrypts user data and blackmails the victims to pay a ransom fee. It renames all victim files with the .messenger-%random% extension.

Threat Summary

Type: Ransomware, Cryptovirus
Short Description: The main goal of the Russenger Virus is to encrypt sensitive user files and extort the victims for a ransom fee payment.
Symptoms: The Russenger ransomware component processes target files and renames them with the .messenger-%random% extension.
Distribution Method: Spam Emails, Email Attachments, Executable files
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

Russenger Virus – Infection Process

The Russenger virus is distributed using different methods. One of the primary ones involves the use of email messages containing social engineering elements that manipulate the users into infecting themselves with the malware threat. There are two primary ways of interacting with them:

  • File Attachments — The hackers can bundle the malware threats directly as files that are delivered with the message. They are usually masked as files of user interest and can also be bundled in archives – either standard ones or password-protected instances. The required passwords are inserted into the body contents.
  • Hyperlinks — In this case the Russenger virus hackers distribute the malware samples using links to offsite hosted instances. The most common way is by using text and graphics hijacked from popular web services. The messages pose as being sent by them and the links can take the form of application updates or software installers.

In relation to the above-mentioned scenarios the hacker controllers can devise two additional methods. The first one depends on the creation of malicious software installers which are sent over email messages as well as hosted on malware download portals. They are made by taking the legitimate installers from the official vendors and modifying them to include the dangerous code. The other way is by sending the virus through scripts bundled in infected documents. These can be of various types: spreadsheets, presentations and rich text documents. When the victims open them a notification prompt appears which asks them to enable the built-in scripts. If this is done the virus is downloaded from an offsite download page and the file is started.

The mentioned hacker-controlled sites are usually designed to look like legitimate web sites. They can use titles, graphics and elements that are hijacked from legitimate sites and this further confuses the intended victims into interacting with them.

Another tactic is the use of browser hijackers to spread the Russenger virus. They represent malware browser plugins that change the default settings to point to a hacker-controlled site. During the initial infection the virus can be installed on the target host. These threats are usually made compatible with the most popular browsers: Mozilla Firefox, Microsoft Edge, Google Chrome, Internet Explorer, Safari and Opera.

Russenger Virus – Analysis and Activity

Computer security experts discovered a new ransomware threat known as the Russenger virus. The initial security analysis does not reveal a correlation with any of the known malware families. This means that the hacker operators have devised it from scratch or have used a previously unknown code base. It uses a malware engine that can be updated in future versions to include improved functionality.

At the moment it does not include any components other than the infection engine itself and the ransomware module. This means that updated versions can follow a multi-step infection process. The first stage of the Russenger virus infection can prepare the system for the encryption phase. Such behavior begins with a stealth protection feature that ensures that the engine will not be interrupted or removed by security software. The hackers devise a special check that scans the system for any security software. If any is found it can be removed or bypassed. Advanced strains can be configured to delete themselves if they are unable to complete this step. This is done in order to prevent detection by the security software.

The next step would be to start an information stealing command that can steal sensitive information from the victims and their machines. The analysts usually classify the data into two main categories:

  • Personal Data — This information can be used by the hackers to directly expose the victim’s identity. The engine is programmed in such a way to extract strings related to their name, address, location, interests, accounts and passwords.
  • System Data — The harvested system information can include data about the operating system, the installed hardware components and other related data.

Lately advanced ransomware threats have been found to have an emphasis on the regional language settings. This is done in order to select the most appropriate ransom note. The harvested system information thereby interacts actively with the ransomware component.

Another consequence would be malware system changes. The Russenger virus engine can impact different system components that can have a lasting impact on the compromised machines. Some examples are the following:

  • Boot Options — The malware engine can disable the recovery options thereby making it impossible for the users to recover their computers on their own.
  • System Process Termination — The Russenger virus can kill certain operating system processes which can result in severe performance issues.
  • Windows Registry Modification — The virus engine can change application-specific registry values which can incapacitate them. Depending on the case this can also help the infection become a persistent threat. This means that it will be very hard for the victim users to remove it by themselves.
  • Additional Malware Delivery — The Russenger virus can be used as a first-stage delivery for other malware. This can include Trojans that can actively spy on the victims in real time as well as take over control of the affected machines.

Security trends show that updated versions of ransomware usually include the ability to hijack the sensitive data obtained by the information engine. As this often includes personal files the hacker operators can use it to conduct crimes such as identity theft and financial abuse.

Russenger Virus – Encryption Process

As soon as all components have finished executing the ransomware engine is started. The Russenger virus uses a built-in list of target file type extensions and processes the matching victim files with a strong cipher. Usually the list is made up of the following:

  • Archives
  • Documents
  • Images
  • Videos
  • Music
  • Backups
  • Databases

All processed files are renamed with the .messenger-%random% extension. When the module has finished executing, a ransom note is created in a file called Инструкция по дешифровке.txt (Russian for “Decryption Instructions”), which contains the following message in Russian:

Вся ваша информация на этом компьютере была зашифрована.
Зашифрованные документы имеют расширение .messenger-******
Для получения инструкций по дешифровке напишите письмо на адрес:
В теме письма укажите ваш код для разшифровки:
Если вам приходит ответ, что почтовый адрес не существует:
1. Попробуйте написать нам с других емеил,,;
2. Попробуйте написать через время.

A machine-translated version of it reads as follows:

All your information on this computer has been encrypted.
Encrypted documents have the extension .messenger – ******
For instructions on decryption write a letter to:
In the subject line write your code for decryption:
If you receive an answer that the mailing address does not exist:
1. Try to write to us from other emil,,;
2. Try to write through the time.
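
A read-only triage sketch for the two indicators named above, the .messenger-%random% extension and the ransom note file name. It is an added example, not code from the original article; it assumes %random% is a run of letters and digits at the end of the file name, and the function name triage is hypothetical.

```python
import os
import re
import unicodedata
from collections import Counter

# Indicators taken from the article: the renamed-file extension and the note name.
# Assumption: %random% is a run of letters/digits at the very end of the name.
EXT_RE = re.compile(r"\.messenger-([0-9A-Za-z]+)$")
NOTE_NAME = "Инструкция по дешифровке.txt"


def _norm(name):
    # Normalise so precomposed and decomposed forms of "й" compare equal,
    # and so that case differences in the note name do not hide it.
    return unicodedata.normalize("NFC", name).casefold()


def triage(root):
    """Walk root and report files carrying the article's indicators (read-only)."""
    encrypted, notes, suffixes = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            match = EXT_RE.search(name)
            if match:
                encrypted.append(path)
                suffixes[match.group(1)] += 1
            elif _norm(name) == _norm(NOTE_NAME):
                notes.append(path)
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        # More than one suffix may mean more than one infected host or run.
        "suffixes": dict(suffixes),
        "affected_dirs": sorted({os.path.dirname(p) for p in encrypted + notes}),
    }


if __name__ == "__main__":
    import sys
    report = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"{len(report['encrypted'])} renamed files, {len(report['notes'])} ransom notes")
    for suffix, count in report["suffixes"].items():
        print(f"  suffix {suffix}: {count} files")
    for directory in report["affected_dirs"]:
        print(f"  affected: {directory}")
```

The report lists which directories were touched, which helps decide what to restore from backup and what to preserve as evidence before any cleanup.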

How to Remove Russenger Virus and Restore .messenger-%random% Encrypted Files

In order to make sure that this malware is permanently gone from your computer, you should follow the manual or automatic removal instructions below. If you have experience in removing ransomware manually, we advise you to focus on the first 2 steps from the manual removal and to look for the registry files which we have explained in the analysis part above. Otherwise, if you want a more automatic and faster solution and lack the expertise in malware removal, we urge you to download an advanced anti-malware program, which aims to automatically perform the removal operation of Russenger ransomware and secure your computer against future infections in real-time.

If you want to restore files that have been encrypted by this ransomware infection, we advise you to try out the alternative tools for file recovery below in step “2. Restore files encrypted by .messenger-%random% Files Virus”. They may not fully guarantee that you will recover all of the files, but if you haven’t reinstalled your OS already, there is a good chance that you might restore them.


Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.
