Reha file extension
.Reha file extension is a file extension that is appended to the name of files affected by the latest version of STOP (djvu) ransomware. Ransomware is a malware that encrypts victims’ files and thus locks up the information contained in them. Ransomware developers demand a ransom in exchange for a decryptor and a key, which are necessary for decrypting the files. Fortunately, since Reha is one of the variants of STOP (djvu), in some cases you can use the free STOP (Reha) decryptor to decrypt files affected by it. More details about this decryptor, as well as other ways of recovering encrypted files, will be discussed in this article.
Screenshot of files encrypted by Reha virus (‘.reha’ file extension)
Reha virus
Reha virus is malware that is the 199th version of STOP (DJVU) ransomware. Like other versions of this ransomware, it is distributed through key generators, cracked software, adware and torrents web-sites. Upon execution, Reha creates a folder in the Windows system directory and copies itself there. Then the virus changes some Windows OS settings so that it starts automatically every time the PC is turned on or restarted.
Having collected information about the victim’s computer, Reha virus tries to establish a connection with its command-and-control server (C&C). If the connection has been established, the virus receives a key (so called ‘online key’) from the command server that will be used to encrypt files. In addition, Reha virus may receive additional commands and files that will be executed on the victim’s computer. If the virus could not connect to the command server, then it uses a fixed key, which the security researchers called ‘offline key’.
There is a significant difference between ‘online key’ and ‘offline key’. The online key is unique for each victim, that is, the key from one victim will not help decrypt the files of the other victim. The offline key is the same for all victims. Thus, it can be used to decrypt files regardless of where they were encrypted.
Having a key to encrypt files, Reha virus proceeds directly to the process of encrypting files. It encrypts file-by-file, so that all files of the victim will be encrypted. It doesn’t matter where the files are located, on the internal drive, flash drive, external media, cloud storage, all of them can be encrypted. There is a small exception, the virus does not encrypt files located in the Windows system directories, files with the extension from the list ‘.lnk, .bat, ini, .sys, .dll’ and files with the name ‘_readme.txt’. Thus, almost all of the victim’s data will be encrypted, including documents, pictures, databases, archives and other types of files, such as:
.cer, .vpp_pc, .rim, .pkpass, .wp, .der, .x, .odc, .t12, .xlsm, .kdb, .txt, .cr2, .wmv, .sie, .wpa, .erf, .itl, .tor, .rtf, .xlsb, .ntl, .wbc, .wpg, .1, .ai, .qic, .ods, .wsc, .pptx, .wpd, .rb, .blob, .flv, .wma, .wri, .iwd, .raw, .raf, .xy3, .xld, .ybk, .wmd, .vpk, .zi, .wcf, .zdb, .bc7, .wbk, .apk, .wm, .wdp, .jpg, .wb2, .py, .xll, .wbd, .icxs, .wp6, .zip, .indd, .wbmp, .wbz, .m3u, .slm, .ncf, .epk, .eps, .xlk, .dba, .xdb, .docx, .qdf, .dbf, .wpd, .srf, .sid, .p7b, .hplg, .xmind, .sav, .lvl, .bay, .vcf, .css, .upk, .wsd, .iwi, .3fr, .bkf, .wmf, .wp5, .docm, .t13, .pfx, .xml, .pdd, .ptx, .d3dbsp, .pak, .yal, .xbdoc, .wmo, .xlsx, .itdb, .xf, .fsh, .wsh, .wire, .mef, .lrf, .gdb, .png, .sum, .layout, .bik, .accdb, .esm, .svg, .mcmeta, .srw, .zif, .bc6, .wav, .desc, .dmp, .pem, .rw2, .db0, .mlx, .kf, .xx, .syncdb, .wdb, .arch00, .lbf, .ppt, .hkx, .mp4, .tax, .fpk, .rofl, .wpl, .kdc, .ibank, .y, .mrwref, .2bp, .ysp, .dwg, .das, .sb, .nrw, .wpe, .avi, .jpeg, .wmv, .vfs0, .dng, .odt, .ztmp, .crt, .xls, .xyp, .x3d, .zw, .rgss3a, .yml, .re4, .r3d, .pptm, .xwp, .x3f, .forge, .xlsx, .webp, .psd, .0, .mdf, .bar, .wbm, .wn, .3dm, .itm, .vdf, .sr2, .zabw, .dxg, .bsa, .hvpl, .1st, .wotreplay, .xdl, .rar, .orf, .xxx, .wma, .wpw, .snx, .pdf, .jpe, .dcr, .w3x, .asset, .wp4, .xpm, .big, .xlsm, .7z, .mdb, .3ds, .mov, .mpqge, .wps, .bkp, .sidn, .z3d, .fos, .m4a, wallet, .crw, .doc, .wp7, .litemod, .pef, .xmmap, .xyw, .cas, .wps, .cdr, .pst, .wpb, .sidd, .mddata, .odm, .psk, .dazip, .m2, .odp, .sql, .ff, .vtf, .gho, .x3f, .csv, .odb, .sis, .cfr, .zip, .xlgc, .js, .wpt, .webdoc, .wot
Each file that has been encrypted by Reha virus will be renamed. It will append the extension ‘.reha’ at the end of the name of the affected file. Thus, a file named ‘image.jpg’, after it is encrypted, will receive the name ‘image.jpg.reha’. To encrypt as many files as possible in the minimum time, the virus does not encrypt the entire file, but only its initial part in the amount of 154 kb. Reha virus encrypts files sequentially, when all files in the directory are encrypted, it places a new file in it. This file is called ‘_readme.txt’ and its contents are shown below.
Screenshot of the contents of ‘_readme.txt’ file (Reha ransom note)
This file is a ransom note that is a message from Reha creators. In this message, the criminals report that the victim’s files are encrypted and there is only one way to decrypt them – buy the key and the decryptor from them. Attackers set the price for the key and decryptor at $980. If the victim pays the ransom within 72 hours, then Reha authors agree to make a discount of half the ransom, that is, reduce the size of the ransom to $490. Criminals offer to decrypt one file for free. To do this, the victim needs to send this file to one of the email addresses listed in the ransom demand message. But successful decryption of one file does not guarantee the possibility of decryption of files even after payment of the ransom.
Threat Summary
| Name | Reha |
| Type | Ransomware, File locker, Filecoder, Crypto virus, Crypto malware |
| Encrypted files extension | .reha |
| Ransom note | _readme.txt |
| Contact | helpmanager@iran.ir, helpmanager@firemail.cc |
| Ransom amount | $490/$980 in Bitcoins |
| Detection Names | Trojan.GenericKD.42261545, Trojan.Ransom.Stop, Malware@#2lidi25tkau3l, Win.Packed.Glupteba-7548218-1, Heuristic.HEUR/AGEN.1019949, Trojan.Malware.300983.susgen, Ransom:Win32/STOP.BS!MTB, Ransom_Stop.R023C0WAJ20, BehavesLike.Win32.Generic.cc |
| Symptoms | Windows Explorer displays a blank icon for the file type. Your photos, documents and music have a wrong name, suffix or extension, or don’t look right when you open them. Your file directories contain a ‘ransom note’ file that is usually a .html, .jpg or .txt file. |
| Distribution ways | Phishing email scam that attempts to scare users into acting impulsively. Adware. Drive-by downloading (when a user unknowingly visits an infected web-page and then malicious software is installed without the user’s knowledge). Torrents web-sites. Social media, like web-based instant messaging programs. Cracked games. Malicious websites. |
| Removal | Reha virus removal guide |
| Decryption | Free Reha Decryptor |
In the ransom note, the authors of Reha virus report that it is impossible to decrypt files without a key and a decryptor. In general, this is true; to decrypt .reha files, you must use the key and the decryptor. This is confirmed by the security researchers.
As we reported at the very beginning of this article, there is a free decryptor, which in some cases can decrypt .reha files. In the case when it could not decrypt the files, there are several more methods, each of which can help the victim restore the files encrypted by Reha virus. These methods do not require the use of a key and decryptor, and therefore are suitable for all victims.
How to remove Reha virus, Recover, Decrypt .reha files
If you are a victim of ransomware, your files have been encrypted, then we recommend that you follow the simple steps described above. These steps will help you remove Reha virus, and decrypt .reha files that were affected by it. Moreover, we will also show you how to recover encrypted files if the decryption of the files was unsuccessful. Read the entire manual carefully. To make it easier for you to follow the instructions, we recommend that you print it or open it on your smartphone.
How to remove Reha ransomware virus
The first thing you need to do before decrypting .reha files is to make sure that Reha virus is no longer active, as well as find all its components and remove them. An active ransomware is very dangerous because it can encrypt all files that were recovered during decryption. Therefore, you need to check your computer for ransomware and other malware. To do this, we recommend using free malware removal tools that will find Reha virus and remove it for free.
Remove Reha ransomware with Zemana
Zemana is a program which is used for adware, spyware, crypto malware, worms, trojans and other security threats removal. The program is one of the most efficient anti malware utilities. It helps in ransomware removal and and defends all other types of malicious software. One of the biggest advantages of using Zemana AntiMalware (ZAM) is that is easy to use and is free. Also, it constantly keeps updating its virus/malware signatures DB. Let’s see how to install and check your computer with Zemana Anti-Malware in order to remove Reha ransomware virus from your system.
First, please go to the link below, then press the ‘Download’ button in order to download the latest version of Zemana Anti Malware.
164031 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
After the download is done, close all windows on your computer. Further, run the install file called Zemana.AntiMalware.Setup. If the “User Account Control” dialog box pops up like below, click the “Yes” button.
It will display the “Setup wizard” which will allow you install Zemana Anti Malware (ZAM) on the PC. Follow the prompts and do not make any changes to default settings.
Once installation is finished successfully, Zemana will automatically start and you can see its main window as shown in the following example.
Next, press the “Scan” button to look for Reha crypto malware, other kinds of potential threats such as malware and trojans. A system scan can take anywhere from 5 to 30 minutes, depending on your personal computer. When a threat is detected, the number of the security threats will change accordingly. Wait until the the checking is complete.
When Zemana has finished scanning, you’ll be shown the list of all found items on your computer. Make sure all items have ‘checkmark’ and click “Next” button.
The Zemana Free will delete Reha ransomware, other kinds of potential threats like malicious software and trojans and move threats to the program’s quarantine. Once disinfection is complete, you can be prompted to restart your PC.
Use MalwareBytes Free to remove Reha virus
We advise using the MalwareBytes Anti Malware which are completely clean your computer of crypto malware. This free utility is an advanced malicious software removal application made by (c) Malwarebytes lab. This program uses the world’s most popular antimalware technology. It’s able to help you uninstall ransomware viruses, PUPs, adware software, toolbars, and other malware from your computer for free.
- First, click the following link, then click the ‘Download’ button in order to download the latest version of MalwareBytes Free.
Malwarebytes Anti-malware
326383 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
- At the download page, click on the Download button. Your internet browser will display the “Save as” prompt. Please save it onto your Windows desktop.
- After downloading is complete, please close all apps and open windows on your system. Double-click on the icon that’s called mb3-setup.
- This will run the “Setup wizard” of MalwareBytes onto your machine. Follow the prompts and do not make any changes to default settings.
- When the Setup wizard has finished installing, the MalwareBytes AntiMalware (MBAM) will launch and show the main window.
- Further, click the “Scan Now” button . MalwareBytes program will scan through the whole computer for the Reha crypto virus and other security threats. This task can take quite a while, so please be patient.
- Once MalwareBytes AntiMalware (MBAM) completes the scan, MalwareBytes Free will produce a list of unwanted applications and ransomware.
- All detected items will be marked. You can delete them all by simply click the “Quarantine Selected” button. When the process is done, you may be prompted to reboot the personal computer.
- Close the AntiMalware and continue with the next step.
Video instruction, which reveals in detail the steps above.
Use Kaspersky virus removal tool to remove Reha ransomware
If MalwareBytes anti malware or Zemana anti-malware cannot remove this crypto virus, then we suggests to run Kaspersky virus removal tool (KVRT). Kaspersky virus removal tool is a free removal utility for ransomware, spyware, adware, trojans and other security threats.
Download Kaspersky virus removal tool (KVRT) on your machine by clicking on the following link.
129055 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
When the downloading process is done, double-click on the Kaspersky virus removal tool icon. Once initialization procedure is done, you will see the Kaspersky virus removal tool screen as on the image below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button to begin checking your PC system for the Reha ransomware virus . Depending on your machine, the scan can take anywhere from a few minutes to close to an hour. When a threat is found, the number of the security threats will change accordingly. Wait until the the checking is finished.
As the scanning ends, Kaspersky virus removal tool will create a list of unwanted software and ransomware as shown on the image below.
Once you’ve selected what you wish to delete from your PC click on Continue to begin a cleaning procedure.
How to decrypt .reha files
To decrypt .reha files, you need to use a unique key and decryptor. Security researchers confirm that it is impossible to access the contents of encrypted files without decryption. Renaming the affected files, changing their extension cannot help the victim, the files will still remain encrypted. Fortunately, Emsisoft created a free decryptor, which in some cases can decrypt .reha files.
STOP Djvu decryptor
To decrypt .reha files, use free STOP (Reha) decryptor
- Download STOP (Reha) decryptor from the following link.
STOP Djvu decryptor - Scroll down to ‘New Djvu ransomware’ section.
- Click the download link and save the decrypt_STOPDjvu.exe file to your desktop.
- Run decrypt_STOPDjvu.exe, read the license terms and instructions.
- On the ‘Decryptor’ tab, using the ‘Add a folder’ button, add the directory or disk where the encrypted files are located.
- Click the ‘Decrypt’ button.
As we have said several times, this decryptor can decrypt files only in some cases, when the files were encrypted with an ‘offline key’. If the files were encrypted with an ‘online key’, then they cannot be decrypted. The reason for this is that the decryption key is in the hands of criminals and this key can not be determined. But even in this case, there is a chance to restore the contents of encrypted files, we will talk about how to do this a little later.
How to find out which key was used to encrypt files
Since STOP (Reha) decryptor only decrypts files encrypted with the offline key, each Reha’s victim needs to find out which key was used to encrypt the files. Determining the type of key used is not difficult. Below we give two ways. Use any of them.
Personal ID is highlighted here
Find out the type of key using ‘_readme.txt’ file
- Open the ransom demand message (‘_readme.txt’ file).
- Scroll down to the end of the file.
- There you will see a line with the text ‘Your personal ID’.
- Below is a line of characters that starts with ‘0199’ – this is your personal id.
Find out the type of key using ‘PersonalID.txt’ file
- Open disk C.
- Open directory ‘SystemID’.
- Open file named ‘PersonalID.txt’. This file lists ‘Personal ID’s that match the keys that the virus used to encrypt files.
The ‘Personal ID’ is not a key, it is an identifier related to a key that was used to encrypt files. If the ID ends with ‘t1’, then the files are encrypted with an offline key. If the ID does not end with ‘t1’, Reha virus used an online key. If you could not figure out how to determine which key was used to encrypt files, then we can help. Just write a request here or in the comments below.
What to do if STOP (Reha) decryptor says “Error: Unable to decrypt file with ID”
If during decryption of .reha files the decryptor reports ‘Error: Unable to decrypt file with ID’, skips files without decrypting them, then two cases are possible why this happens:
- files are encrypted with an ‘online key’, in this case, you need to use alternative methods to restore the contents of encrypted files;
- files are encrypted with an ‘offline key’, but the key itself has not yet been found by security researchers, in this case, you need to be patient and wait a while, in addition, you can also use alternative ways for recovering encrypted data;
How to restore .reha files
If the STOP (Reha) decryptor did not help you, or your files are encrypted using an online key, then there is no need to panic! There are several other alternative methods that may allow you to restore the contents of encrypted files. Once again, remember to be sure to check your computer for ransomware and malware using free malware removal tools. You must be sure that Reha virus is completely removed.
Each of the methods presented below uses a different mechanism for recovering encrypted files. So try each one. It often happens that if the first method did not help, then the second helped.
Use ShadowExplorer to restore .reha files
First of all, try to recover .reha files from Shadow Volume Copies, which are automatically created by Windows OS. In order to recover photos, documents and music encrypted by Reha virus from Shadow Volume Copies you can use a tool called ShadowExplorer. We recommend using this free utility because it is small in size, has a simple interface and does not require installation on a computer. Unfortunately, ransomware often removes all Shadow copies. Therefore, if Shadow Explorer cannot help you, then immediately proceed to the second method, which is given below.
Download ShadowExplorer by clicking on the link below. Save it to your Desktop.
438664 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
Once downloading is done, extract the downloaded file to a folder on your personal computer. This will create the necessary files like below.
Launch the ShadowExplorerPortable application. Now choose the date (2) that you want to recover from and the drive (1) you wish to recover files (folders) from as displayed in the following example.
On right panel navigate to the file (folder) you wish to recover. Right-click to the file or folder and click the Export button as shown on the image below.
And finally, specify a directory (your Desktop) to save the shadow copy of encrypted file and click ‘OK’ button.
Run PhotoRec to recover .reha files
Another alternative way to recover .reha files is to use data recovery software. This method requires a lot of time, but in most cases it allows you to recover part, and sometimes all, encrypted files. To restore .reha files, use a free tool called Photo Rec. It has a simple interface and does not require installation.
Download PhotoRec on your machine from the following link.
Once the downloading process is finished, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as on the image below.
Double click on qphotorec_win to run PhotoRec for Windows. It’ll display a screen such as the one below.
Select a drive to recover as shown on the image below.
You will see a list of available partitions. Choose a partition that holds encrypted files as displayed on the screen below.
Press File Formats button and specify file types to restore. You can to enable or disable the restore of certain file types. When this is finished, press OK button.
Next, click Browse button to select where restored files should be written, then press Search.
Count of recovered files is updated in real time. All recovered personal files are written in a folder that you have chosen on the previous step. You can to access the files even if the recovery process is not finished.
When the restore is done, click on Quit button. Next, open the directory where restored personal files are stored. You will see a contents like below.
All restored personal files are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re looking for a specific file, then you can to sort your recovered files by extension and/or date/time.
How to protect your PC system from Reha crypto malware?
Most antivirus software already have built-in protection system against the ransomware. Therefore, if your computer does not have an antivirus program, make sure you install it. As an extra protection, run the HitmanPro.Alert. All-in-all, HitmanPro.Alert is a fantastic utility to protect your PC from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of Microsoft Windows operating system from MS Windows XP to Windows 10.
Visit the following page to download HitmanPro Alert. Save it directly to your Microsoft Windows Desktop.
After the downloading process is done, open the folder in which you saved it. You will see an icon like below.
Double click the HitmanPro Alert desktop icon. When the utility is started, you will be displayed a window where you can select a level of protection, similar to the one below.
Now click the Install button to activate the protection.
Finish words
This guide was created to help all victims of Reha ransomware virus. We tried to give answers to the following questions: how to remove ransomware; how to decrypt .reha files; how to recover files, if STOP (Reha) decryptor does not help; what is an online key and what is an offline key. We hope that the information presented in this manual has helped you.
If you have questions, then write to us, leaving a comment below. If you need more help with Reha related issues, go to here.
hi your post was really helpful, i was able to remove the malwares, but now my files are encrypted with ending reha, and as you said personal ID it does not end with t1, so it must be an online key, what should i do.. plz help, i have lost all my personal photos collected from 10 years to this thing, help me and i am willing to make a good donation to your work.
thanking you
yours sincerely dr vinay krishna LN
If your files are encrypted with an online key, then decrypting them is not yet possible. The reason is simple, only criminals have the decryption key. First of all, I recommend that you try alternative methods for recovering encrypted files described in the article, the link to which I provide below. In addition, even if these methods do not help you, then copy the important encrypted files to a backup drive, copy the _readme.txt and PersonalID.txt files in the same place, after which you need to wait until security researchers find a way to decrypt the files. It may happen in a month, a year, …
How to recover ransomware encrypted files.