Security researchers have identified a new ransomware variant called ‘Rectot ransomware’. It appends the .rectot extension to the names of encrypted files. Below is a brief summary of this ransomware and of how to restore or decrypt .rectot files for free.
The .Rectot ransomware is a crypto virus. It affects all current versions of Microsoft Windows, including Windows 10, Windows 8, Windows 7, Windows Vista and Windows XP. The ransomware uses strong hybrid encryption with a large key, which rules out brute-forcing a key that would decrypt the encrypted photos, documents and music. The .Rectot ransomware encrypts almost all files, including common types such as:
.webp, .wm, .wpb, .mp4, .bc7, .xlsm, .dbf, .wbk, .mef, .dcr, .dwg, .xwp, .crt, .blob, .xld, .wcf, .srw, .wma, .rar, .xlgc, .yml, .mdbackup, .0, .csv, .slm, .doc, .mcmeta, .xdl, .epk, .mov, .pfx, .rtf, .wbc, .wire, .zdb, .tax, .rgss3a, .iwd, .3fr, .zdc, .pst, .wpl, .p7c, .sie, .y, .wmo, .asset, .xdb, .vpp_pc, .gho, .x, .xpm, .bc6, .p12, .rofl, .wbm, .wpt, .x3f, wallet, .dazip, .fpk, .docm, .jpeg, .bkp, .2bp, .jpg, .re4, .ztmp, .menu, .pdf, .odc, .ods, .apk, .wpg, .r3d, .sis, .pef, .sum, .odb, .wmv, .ncf, .js, .icxs, .upk, .docx, .vtf, .forge, .psk, .iwi, .arch00, .bay, .d3dbsp, .syncdb, .wb2, .pdd, .ibank, .accdb, .eps, .z, .css, .qdf, .wbd, .wpw, .wbmp, .wotreplay, .psd, .raf, .bkf, .xlsm, .ltx, .cfr, .snx, .m4a, .m3u, .xls, .3dm, .der, .wsh, .wp4, .itl, .map, .xx, .ai, .vfs0, .m2, .wn, .wpd, .dxg, .1st, .xbplate, .sav, .vpk, .pptm, .xbdoc, .desc, .zip, .raw, .ws, .pem, .xmmap, .sr2, .wmf, .vdf, .flv, .wbz, .hkx, .hplg, .t13, .wp6, .gdb, .p7b, .rw2, .wav, .fos, .kdb, .arw, .zip, .x3f, .wdb, .wp, .xxx, .litemod, .z3d, .mlx, .txt, .mpqge, .srf, .wmv, .jpe, .sidd, .kdc, .layout, .db0, .odt, .bar, .png, .mddata, .wpe, .pak, .mdb, .big, .xlsx, .wdp, .fsh, .wsc, .wp7, .wri, .xar, .w3x, .mrwref, .zw, .py, .xf, .nrw, .esm, .t12, .xmind, .ysp, .webdoc, .xll, .erf, .rwl, .xls, .wps, .sql, .yal, .wgz, .cr2, .ntl, .bik, .dng, .itdb, .xml, .wmd, .tor, .itm, .cas, .zif, .lrf, .wpa
Once a file is encrypted, the .rectot extension is added to its name. The ransomware then drops a file called ‘_readme.txt’. This file contains instructions on how to decrypt the encrypted photos, documents and music. An example of the ransom instructions is:
ATTENTION! Don't worry my friend, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-uidgK0Fb8r Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
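As an added triage example (not code from the original page), the following Python script walks a directory tree, reports the files carrying the .rectot extension and the _readme.txt notes described above, and recovers each file's original name by stripping the appended extension; the sample tree it builds is constructed here purely for demonstration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_EXT = ".rectot"       # extension appended by this variant (from the page)
RANSOM_NOTE = "_readme.txt"  # ransom note dropped by this variant (from the page)


def triage_tree(root):
    """Walk `root` and report encrypted files and ransom notes.

    Returns the encrypted files (with the original name recovered by
    stripping the appended extension), the ransom notes found, and a
    per-directory count of encrypted files so an analyst can see where
    the encryption ran.
    """
    encrypted, notes, per_dir = [], [], Counter()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name == RANSOM_NOTE:
                notes.append(str(path))
            elif name.endswith(RANSOM_EXT):
                # naming pattern described on the page: <original name>.rectot
                original = name[: -len(RANSOM_EXT)]
                encrypted.append((str(path), original))
                per_dir[dirpath] += 1
    return {"encrypted": encrypted, "notes": notes, "per_dir": dict(per_dir)}


def build_sample_tree():
    """Create a constructed sample directory that mimics an affected user profile."""
    root = Path(tempfile.mkdtemp(prefix="rectot_triage_"))
    docs, pics = root / "Documents", root / "Pictures"
    docs.mkdir()
    pics.mkdir()
    (docs / "budget.xlsx.rectot").write_bytes(b"\x00" * 16)  # constructed
    (docs / "notes.txt.rectot").write_bytes(b"\x00" * 16)    # constructed
    (docs / RANSOM_NOTE).write_text("ATTENTION! ...")        # constructed
    (pics / "holiday.jpg.rectot").write_bytes(b"\x00" * 16)  # constructed
    (pics / RANSOM_NOTE).write_text("ATTENTION! ...")        # constructed
    (root / "untouched.pdf").write_bytes(b"%PDF")            # constructed, not encrypted
    return root


if __name__ == "__main__":
    report = triage_tree(build_sample_tree())
    print(f"{len(report['encrypted'])} encrypted files, {len(report['notes'])} ransom notes")
    for path, original in report["encrypted"]:
        print(f"  {path}  (original name: {original})")
```

Point `triage_tree` at a real user profile to get an inventory of what was encrypted before attempting any recovery.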
Threat Summary
| Field | Details |
|---|---|
| Name | Rectot ransomware |
| Type | Ransomware, Filecoder, Crypto virus, File locker |
| Encrypted files extension | .rectot |
| Ransom note | _readme.txt |
| Contact | gorentos@bitmessage.ch, @datarestore (telegram), bufalo@firemail.cc |
| Ransom amount | $490, $9800 in Bitcoins |
| Symptoms | Encrypted files renamed with the .rectot extension; a ransom note named _readme.txt is dropped |
| Removal | To remove .Rectot ransomware use the removal guide |
| Decryption | To decrypt .Rectot ransomware use the steps |
Use the step-by-step guidance below to remove .Rectot ransomware and try to restore (decrypt) encrypted photos, documents and music for free.
Quick links
- How to remove .Rectot ransomware virus
- How to decrypt .rectot files
- Use STOPDecrypter to decrypt .rectot files
- How to restore .rectot files
- How to protect your personal computer from .Rectot ransomware virus?
- To sum up
How to remove .Rectot ransomware virus
In order to remove the .Rectot ransomware virus from your computer, you need to stop all ransomware processes and delete its associated files, including Windows registry entries. If any ransomware components are left on the machine, the ransomware can reinstall itself the next time the system boots. Ransomware usually uses random names made up of letters and numbers, which makes manual removal very difficult. We advise you to run a free ransomware removal tool that will delete the .Rectot ransomware virus from your PC. Below you can find a few popular malware removers that detect various ransomware.
How to remove .Rectot ransomware with Zemana Anti-malware
Zemana AntiMalware (ZAM) can locate all kinds of malicious software, including ransomware, as well as a variety of Trojans, viruses and rootkits. After the detection of the .Rectot ransomware, you can easily and quickly get rid of it.
- Visit the following page to download the latest version of Zemana Free for Windows. Save it to your Desktop.
- After the download is finished, close all applications and windows on your computer. Open the folder where you saved it and double-click the icon named Zemana.AntiMalware.Setup.
- Click the Next button and follow the prompts.
- Once installation is finished, click the “Scan” button to scan your PC for files, folders and registry keys related to the .Rectot ransomware virus. While the utility is scanning, you can see how many objects and files have already been scanned.
- Once the system scan is complete, Zemana Anti-Malware (ZAM) will open a scan report. To delete all threats, simply click “Next”. Once finished, you may be prompted to reboot your computer.
Use MalwareBytes Anti Malware (MBAM) to remove .Rectot ransomware
Removing the .Rectot ransomware virus manually is difficult, and often the ransomware is not completely removed. Therefore, we suggest you use MalwareBytes Anti Malware, which will completely clean your computer. Moreover, this free program will also remove malware, trojans, toolbars and adware that your system may be infected with.
Visit the following page to download MalwareBytes. Save it on your Microsoft Windows desktop.
When the download is done, close all programs and windows on your system. Double-click the setup file called mb3-setup. If the “User Account Control” dialog box pops up as on the image below, click the “Yes” button.
It will open the “Setup wizard” which will help you install MalwareBytes AntiMalware on your machine. Follow the prompts and do not make any changes to default settings.
Once installation is finished successfully, click Finish button. MalwareBytes AntiMalware will automatically start and you can see its main screen as displayed in the following example.
Now press the “Scan Now” button. MalwareBytes Free will scan the whole computer for files, folders and registry keys related to the .Rectot ransomware. A system scan may take anywhere from 5 to 30 minutes, depending on your PC. While the MalwareBytes Anti-Malware tool is checking, you may see the number of objects it has identified as infected by malware.
When the scan ends, MalwareBytes AntiMalware will show a list of detected items. Review the scan results and then click the “Quarantine Selected” button. MalwareBytes Anti Malware (MBAM) will delete the .Rectot ransomware along with other malicious software, worms and trojans. When the procedure is finished, you may be prompted to restart the computer.
We advise you to watch the following video, which fully explains the process of using MalwareBytes Free to delete adware, hijackers and other malicious software.
Remove .Rectot ransomware virus with KVRT
If MalwareBytes Anti-Malware or Zemana Anti-Malware cannot delete this ransomware, then we advise using KVRT. KVRT is a free removal utility for ransomware, trojans, potentially unwanted apps and worms.
Download Kaspersky virus removal tool (KVRT) from the following link.
Once the download is complete, double-click the Kaspersky virus removal tool icon. When initialization has finished, you will see the KVRT screen as displayed below.
Click Change Parameters and tick all your drives. Click OK to close the Parameters window. Next, click the Start scan button. Kaspersky virus removal tool will scan the whole computer for the .Rectot ransomware and other malware. A system scan can take anywhere from 5 to 30 minutes, depending on your PC.
When Kaspersky virus removal tool has finished scanning, it will show a scan report like the one below.
Next, you need to click on Continue to start a cleaning procedure.
How to decrypt .rectot files
The .Rectot ransomware virus offers to make a payment in Bitcoins to get a key to decrypt photos, documents and music.
Should you pay the ransom? The majority of security specialists will reply immediately that you should never pay a ransom if affected by ransomware. If you choose to pay, there is no guarantee that you will be able to decrypt all of your files.
With some variants of the Rectot ransomware, it is possible to decrypt or restore encrypted files using free tools such as STOPDecrypter, ShadowExplorer and PhotoRec.
Use STOPDecrypter to decrypt .rectot files
Michael Gillespie (@) released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).
STOPDecrypter has been updated to include decryption support for the following .djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos, .dotmap). STOPDecrypter will work for any extension of the Djvu* variants, including new extensions such as .rectot.
Please check the Twitter post for more information.
How to restore .rectot files
In some cases, you can recover files encrypted by the .Rectot ransomware. Try both methods. It is important to understand that we cannot guarantee that you will be able to recover all encrypted documents, photos and music.
Use shadow copies to restore .rectot files
To restore .rectot documents, photos and music encrypted by the .Rectot ransomware from Shadow Volume Copies, you can use a tool called ShadowExplorer. We recommend this method because its easy-to-use interface makes it simple to find and recover previous versions of the encrypted files you need.
ShadowExplorer can be downloaded from the following link. Save it to your Desktop so that you can access the file easily.
Once the download is finished, open the directory where you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder as shown in the image below.
Double-click ShadowExplorerPortable to start it. You will see a window as displayed in the image below.
In the top left corner, choose the drive where the encrypted files are stored and the latest restore point, as displayed in the figure below (1 – drive, 2 – restore point).
In the right panel, look for a file that you wish to restore, right-click it and select Export, as displayed on the screen below.
Recover .rectot files with PhotoRec
Before a file is encrypted, the .Rectot ransomware virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your photos, documents and music using file restore software like PhotoRec.
Download PhotoRec by clicking on the following link. Save it to your Desktop so that you can access the file easily.
Once the download is complete, open the directory where you saved it. Right-click testdisk-7.0.win and select Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as displayed in the following example.
Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It will display a screen as shown below.
Choose a drive to recover as on the image below.
You will see a list of available partitions. Select a partition that holds encrypted files as shown below.
Click the File Formats button and specify the file types to restore. You can enable or disable the recovery of particular file types. When this is done, press the OK button.
Next, click the Browse button to select where the restored photos, documents and music should be written, then press Search.
The count of recovered files is updated in real time. All recovered personal files are written to the folder you selected in the previous step. You can access the files even before the recovery process has finished.
When the restore is finished, click the Quit button. Next, open the directory where the recovered personal files are stored. You will see contents as displayed in the figure below.
All restored photos, documents and music are written to the recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, you can sort the recovered files by extension and/or date/time.
How to protect your personal computer from .Rectot ransomware virus?
Most antivirus software already has built-in protection against ransomware. Therefore, if your computer does not have an antivirus program, make sure you install one. For extra protection, run HitmanPro.Alert.
Run HitmanPro.Alert to protect your machine from .Rectot ransomware virus
HitmanPro.Alert is a small security utility. It can check the system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
Download HitmanPro.Alert by clicking on the link below. Save it to your Desktop.
When the download is done, open the directory in which you saved it. You will see an icon like below.
Double-click the HitmanPro Alert desktop icon. Once the tool has started, a window will appear where you can choose a level of protection, as displayed on the screen below.
Now click the Install button to activate the protection.
To sum up
Now your computer should be clean of the .Rectot ransomware. Delete MalwareBytes Free and KVRT. We recommend that you keep Zemana Anti Malware to periodically scan your computer for new malware. Make sure that you have installed all the Critical Updates recommended for the Windows operating system. Without regular updates you WILL NOT be protected when new ransomware, malicious programs and adware are released.
If you are still having problems while trying to get rid of .Rectot ransomware from your machine, then ask for help here.