Rezm file extension
The .rezm file extension is used by the latest variant of STOP ransomware. The ‘Rezm’ variant is very similar in its characteristics to other variants of this ransomware. It also encrypts files and then renames them, giving each one a new filename consisting of the old name with ‘.rezm’ appended at the end. Criminals demand a ransom for a key-decryptor pair, which is necessary to unlock the encrypted data. Fortunately, there is a free decryptor. It allows everyone to decrypt files affected by any version of STOP (Djvu) ransomware, including the ‘Rezm’ variant. Scroll down to find out more about the decryptor, where to download it and how to use it to decrypt .rezm files.
What is Rezm ransomware virus
Rezm virus is the 211th version of STOP (Djvu) ransomware. The behavior of this variant and the methods of its distribution are similar to those of other variants of STOP (Djvu). As before, criminals spread this ransomware through adware, cracks, activators and torrent web-sites. Upon execution, Rezm virus encrypts all files on the victim’s computer, which means that files on all drives connected to the computer will be encrypted. Files located on external devices, such as files on a flash drive or in cloud storage, can also be encrypted.
Each file is encrypted using a strong encryption algorithm and a long key. The key that the virus uses can be of two types: an online key and an offline key. Security researchers found that if Rezm virus can establish a connection to its command-and-control (C&C) server before encrypting the files, it uses the key obtained from that server; this key is called the ‘online key’. Such a key is unique for each infection, which means that the key for decrypting one victim’s files is not suitable for decrypting another victim’s files. If Rezm cannot establish a connection with the C&C server, it uses an encryption key that is the same for all cases of infection. This type of key is called the ‘offline key’.
The authors of Rezm virus designed it to encrypt as many files as possible. Therefore, the virus does not encrypt each entire file, but only its initial part, 154 KB in size. Because of this, the contents of some file types (for example, zip archives) can be restored by simply returning the old filename to them, that is, removing the ‘.rezm’ extension. During encryption, the virus skips files, that is, leaves them in their original state, if:
- files are located in the Windows system directories
- files have the extension .bat, .sys, .dll, .lnk, .ini
- files are named ‘_readme.txt’
All other files will be encrypted. That is, the contents of the following common file types can be encrypted:
.cer, .xll, .wpw, .erf, .xlsm, .wsh, .orf, .xar, .kdc, .sid, .z3d, .slm, .asset, .hvpl, .fos, .mrwref, .odt, .tax, .indd, .dcr, .itm, .wav, .tor, .lrf, .rofl, .xx, .sql, .wpt, .zdb, .wb2, .snx, .p7c, .dwg, .py, .txt, .pst, .x3f, .ppt, .bc6, .desc, .upk, .crw, .wp5, .xls, .wdp, .dmp, .kdb, .rtf, .odp, .xbplate, .pem, .xxx, .xdb, .wbk, .ntl, .mdf, .jpg, .rw2, .epk, .cr2, .mddata, .webdoc, .cfr, .svg, .pef, .vcf, .ibank, .wps, .wsd, .sidn, .mpqge, .zabw, .sie, .zdc, .3dm, .lbf, .dng, .xlk, .litemod, .odm, .mlx, .gdb, .1st, .wpg, .wpb, .1, .docm, .iwi, .bsa, .y, .ws, .pkpass, .xlsb, .fsh, .ysp, .zw, .qic, .pdf, .psd, .xwp, .iwd, .db0, .jpeg, .lvl, .wmv, .nrw, .forge, .2bp, .flv, .menu, .ltx, .sum, .wri, .dazip, .ff, .map, .yml, .ptx, .d3dbsp, .ztmp, .accdb, .das, .xlsm, .wpd, .r3d, .vpp_pc, .rim, .m3u, .blob, .pptx, .zip, .sb, .wpd, .x, .sr2, .wp6, .dba, .pdd, .wpe, .m2, .wgz, .hplg, .wmd, .srf, .webp, .wsc, .wma, .xld, .xlsx, wallet, .wmo, .csv, .dbf, .wmv, .hkx, .rar, .dxg, .rgss3a, .bar, .wma, .xml, .wps, .pak, .kf, .doc, .wbc, .wbmp, .icxs, .xlsx, .zif, .xls, .qdf, .mdb, .7z, .wbm, .der, .wp7, .odc, .fpk, .re4, .raw, .png, .gho, .sidd, .sav, .t12, .w3x, .mov, .t13, .vdf, .esm, .mef, .bay, .pfx, .cdr, .x3d, .big, .xdl, .psk, .mp4, .p7b, .x3f, .wm, .layout, .wpl, .css, .vpk, .arw, .sis, .js, .bik, .wot, .mdbackup, .odb, .zi, .ybk, .pptm, .raf, .p12, .xlgc, .xf, .ncf, .wp4, .m4a, .wp, .wotreplay, .wbz, .3fr, .hkdb
After Rezm virus encrypts the file, it renames this file. Thus, each encrypted file gets a new filename. For example, the file ‘image.jpg’, after it is encrypted, will be renamed to ‘image.jpg.rezm’. In all directories where there is at least one encrypted file, the virus drops a file with the name ‘_readme.txt’. A sample of the contents of this file is shown in the figure below.
Criminals use this file to demand a ransom from victims of Rezm virus. The message states that the victim’s files were encrypted with a strong algorithm and a key. The authors of the virus demand a ransom in exchange for a key and a decryptor. The ransom is $490 and must be paid within 72 hours. If the victim does not pay within this time, the ransom increases to $980. Attackers offer to decrypt one file for free, but this file should be small and must not contain any important information. Of course, the decryption of one file cannot guarantee that, after paying the ransom, the victim will be able to recover the files affected by the virus.
Threat Summary
| Name | Rezm |
| --- | --- |
| Type | File locker, Filecoder, Ransomware, Crypto virus, Crypto malware |
| Encrypted files extension | .rezm |
| Ransom note | _readme.txt |
| Contact | helpdatarestore@firemail.cc, helpmanager@mail.ch |
| Ransom amount | $490 (rises to $980) in Bitcoins |
| Detection Names | Trojan.Stop.Win32.96, Trojan-Ransom.Win32.Stop.ko, Ransom_Stop.R011C0DBL20, Win32.Trojan.Stop.Wtnv, Ransom/W32.Stop.778752, Win32/Trojan.Ransom.ae8, Trojan.Kryptik!1.C2DD (CLOUD), Trojan.Win32.Stop.hbipfo, Backdoor:Win32/Tofsee.BS!MTB, RDN/Ransom, Ransom.Stop |
| Symptoms | Cannot open files stored on the computer. Windows Explorer displays a blank icon for the file type. Files named ‘_readme.txt’, ‘#_README_#’, ‘_DECRYPT_’ or ‘recover’ in each folder with at least one encrypted file. New files on your desktop with name variants of ‘HOW_TO_DECRYPT.txt’, ‘DECRYPT.txt’ or ‘README.txt’. |
| Distribution methods | Unsolicited emails that are used to deliver malicious software. Drive-by downloads from a compromised webpage. Social media, such as web-based instant messaging programs. USB keys and other removable media. Cracked games. Torrent web-sites. |
| Removal | Rezm virus removal guide |
| Decryption | Rezm file decrypt |
Security researchers confirm that Rezm virus does indeed encrypt files, and also that a decryptor and a key are required to decrypt them. Fortunately for all victims of this virus, as well as of other variants of STOP (Djvu) ransomware, Emsisoft developed a free decryptor. Thus, it is possible to decrypt .rezm files. This decryptor has only one limitation: so far it can decrypt only files that were encrypted with an offline key. If the victim’s files were encrypted with an online key, they cannot be decrypted. But even in this case, not everything is lost. Each Rezm victim has a chance to restore some or all of the encrypted files to their original state using alternative methods, which are described below.
How to remove Rezm ransomware virus & Recover, Decrypt .rezm files
If your files were encrypted with .rezm extension, then we recommend using the following steps. These steps will help you remove the ransomware and decrypt (restore) the encrypted files. Read the entire manual carefully. To make it easier for you to follow the instructions, we recommend that you print it or open it on your smartphone.
- Remove Rezm ransomware virus
- Decrypt .rezm files
- Restore .rezm files
- Protect your personal computer from Rezm ransomware virus
How to remove Rezm ransomware virus
If the computer was attacked by the ransomware virus, the first thing to do is not to try to decrypt the files right away! First of all, you need to check your computer for malware, and find and remove Rezm virus. For this, we recommend using free malware removal tools. It is better to use not one tool but two or more. Below we provide the best malware removal utilities and brief instructions on their use.
Use Zemana Anti Malware (ZAM) to remove Rezm
Zemana is a free program that can be used to remove ransomware, adware, spyware, trojans, malicious software, worms and other security threats. The program is one of the most efficient anti-malware tools. It helps in crypto virus removal and defends against all other types of malware. One of the biggest advantages of using Zemana Anti-Malware (ZAM) is that it is easy to use and free. Also, it constantly updates its virus/malware signature database. Let’s see how to install Zemana and scan your personal computer with it in order to delete Rezm from your PC.
Installing the Zemana AntiMalware (ZAM) is simple. First you’ll need to download Zemana Anti-Malware (ZAM) on your PC system by clicking on the following link.
(164033 downloads; author: Zemana Ltd; category: Security tools; updated July 16, 2019)
After downloading is complete, close all applications and windows on your machine. Double-click the install file called Zemana.AntiMalware.Setup. If the “User Account Control” dialog box pops up as shown on the image below, click the “Yes” button.
It will open the “Setup wizard” that will help you install Zemana Anti-Malware on your computer. Follow the prompts and don’t make any changes to default settings.
Once setup is complete successfully, Zemana Free will automatically start and you can see its main screen as shown on the screen below.
Now click the “Scan” button to start scanning your computer for the Rezm crypto virus and other security threats. Depending on your computer, the scan can take anywhere from a few minutes to close to an hour. While the utility is checking, you can see the number of objects and files it has already scanned.
After the scan is finished, you can check all threats detected on your system. Make sure all threats have a ‘checkmark’ and press the “Next” button. Zemana AntiMalware (ZAM) will remove the folders, files and registry keys related to Rezm crypto malware and add the threats to the Quarantine. Once that process is done, you may be prompted to restart the system.
Remove Rezm virus with MalwareBytes Anti Malware
We suggest using MalwareBytes AntiMalware (MBAM). You may download and install MalwareBytes AntiMalware to locate and remove Rezm virus from your machine. When installed and updated, this free malware remover automatically finds and removes all threats that exist on the machine.
Download MalwareBytes Anti Malware (MBAM) by clicking on the following link.
(326386 downloads; author: Malwarebytes; category: Security tools; updated April 15, 2020)
When downloading is done, close all software and windows on your PC system. Double-click the install file named mb3-setup. If the “User Account Control” prompt pops up as on the image below, click the “Yes” button.
It will open the “Setup wizard” that will help you install MalwareBytes Anti Malware on your PC. Follow the prompts and do not make any changes to default settings.
Once installation is done successfully, click Finish button. MalwareBytes Anti-Malware will automatically start and you can see its main screen as displayed in the figure below.
Now click the “Scan Now” button to perform a system scan for the Rezm crypto malware, other malicious software, worms and trojans. This process can take quite a while, so please be patient. During the scan MalwareBytes Free will detect threats present on your PC.
As the scanning ends, the results are displayed in the scan report. Make sure the unsafe items are check-marked and then press the “Quarantine Selected” button. MalwareBytes will begin to remove Rezm ransomware, other malicious software, worms and trojans. After the task is done, you may be prompted to restart the system.
We advise you to watch the following video, which fully explains the process of using MalwareBytes Anti-Malware (MBAM) to delete adware, browser hijacker infections and other malicious software.
Run KVRT to remove Rezm ransomware virus from the computer
Kaspersky virus removal tool (KVRT) is a free removal utility that can be downloaded and run to remove crypto malware, adware software, spyware, trojans, worms, potentially unwanted programs, malicious software and other security threats from your personal computer. You can use this utility to search for threats even if you have an antivirus or any other security application.
Download Kaspersky virus removal tool (KVRT) from the link below.
(129056 downloads; author: Kaspersky® lab; category: Security tools; updated March 5, 2018)
Once the download is finished, double-click on the KVRT icon. Once the initialization process is done, you’ll see the KVRT screen as displayed on the image below.
Click Change Parameters and set a check mark next to all your drives. Press OK to close the Parameters window. Next, click the Start scan button to look for Rezm ransomware virus and other malware. This task may take quite a while, so please be patient. While KVRT is scanning, you can see the number of objects it has identified as malware.
Once finished, Kaspersky virus removal tool will open a screen that contains a list of malicious software that has been detected as displayed below.
When you’re ready, click on Continue to begin a cleaning process.
How to decrypt .rezm files
Files with the extension ‘.rezm’ are encrypted files. In other words, the contents of these files are locked. Their contents cannot be read even if you rename files or change their extension. As we reported above, there is a free decryptor, which was created by Emsisoft. This decryptor allows everyone to decrypt .rezm files.
To decrypt .rezm files, use free STOP (Rezm) decryptor
- Download STOP (Djvu) decryptor from the following link.
STOP Djvu decryptor - Scroll down to ‘New Djvu ransomware’ section.
- Click the download link and save the ‘decrypt_STOPDjvu.exe’ file to your desktop.
- Run decrypt_STOPDjvu.exe, read the license terms and instructions.
- On the ‘Decryptor’ tab, using the ‘Add a folder’ button, add the directory or disk where the encrypted files are located.
- Click the ‘Decrypt’ button.
Unfortunately, at the moment, the free STOP (Rezm) decryptor is able to decrypt only files encrypted with an offline key, as Emsisoft found a way to find this key. Files encrypted with an online key cannot yet be decrypted. The online key is unique to each infected computer, and at the moment there is no way to find this key. Of course, the authors of Rezm virus own this key, but we do not think that paying a ransom is the right way to decrypt .rezm files. In the case when the files are encrypted with an online key, there is a chance to restore the encrypted files using alternative methods, which are described below.
How to find out which key was used to encrypt files
Since the STOP (Rezm) decryptor only decrypts files encrypted with the offline key, each Rezm victim needs to find out which key was used to encrypt the files. Determining the type of key used is not difficult. Below we give two ways. Use either of them.
Find out the type of key using ‘_readme.txt’ file
- Open the ransom demand message (‘_readme.txt’ file).
- Scroll down to the end of the file.
- There you will see a line with the text ‘Your personal ID’.
- Below is a line of characters that starts with ‘0211’ – this is your personal id.
Find out the type of key using ‘PersonalID.txt’ file
- Open disk C.
- Open directory ‘SystemID’.
- Open file named ‘PersonalID.txt’. This file lists ‘Personal ID’s that match the keys that the virus used to encrypt files.
The ‘Personal ID’ is not a key, it is an identifier related to a key that was used to encrypt files. If the ID ends with ‘t1’, then the files are encrypted with an offline key. If the ID does not end with ‘t1’, Rezm ransomware virus used an online key. If you could not figure out how to determine which key was used to encrypt files, then we can help. Just write a request here or in the comments below.
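As an added example (it is not part of the original guide and is not Emsisoft’s or the decryptor’s code), the following Python script applies the rules from this section and the earlier description of the variant to a directory: it locates ‘_readme.txt’ notes, takes the Personal ID from the line after ‘Your personal ID’, reads ‘SystemID\PersonalID.txt’ if present, classifies each ID as offline or online by the ‘t1’ suffix, counts ‘.rezm’ files and, using the 154 KB figure given earlier, reports how many bytes of each encrypted file were never touched. The sample note, the Personal IDs and the directory layout are constructed placeholders, not values from a real infection.

```python
import tempfile
from pathlib import Path

# Conventions of the STOP (Djvu) 'Rezm' variant as described in the guide.
ENCRYPTED_EXT = ".rezm"            # appended to every encrypted file name
NOTE_NAME = "_readme.txt"          # ransom note dropped in each affected directory
OFFLINE_SUFFIX = "t1"              # Personal ID suffix that marks an offline key
ENCRYPTED_HEAD_BYTES = 154 * 1024  # only this initial part of each file is encrypted

# Constructed sample of the end of a ransom note (placeholder ID, not a real one).
SAMPLE_NOTE = (
    "...\n"
    "Your personal ID:\n"
    "0211ExamplePlaceholderIdXXXXt1\n"
)


def extract_personal_id(note_text):
    """Return the first non-empty line after 'Your personal ID' in a note, or None."""
    lines = [line.strip() for line in note_text.splitlines()]
    for index, line in enumerate(lines):
        if line.lower().startswith("your personal id"):
            for candidate in lines[index + 1:]:
                if candidate:
                    return candidate
    return None


def key_type(personal_id):
    """'offline' if the ID ends with 't1' (free decryptor applies), otherwise 'online'."""
    return "offline" if personal_id.endswith(OFFLINE_SUFFIX) else "online"


def parse_personal_id_file(text):
    """Parse the contents of SystemID\\PersonalID.txt: one ID per non-empty line."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def intact_tail_bytes(file_size):
    """Bytes beyond the 154 KB encrypted head; these were never modified by the virus."""
    return max(0, file_size - ENCRYPTED_HEAD_BYTES)


def triage_directory(root):
    """Walk root, count .rezm files and notes, and classify every Personal ID found."""
    root = Path(root)
    summary = {"encrypted_files": 0, "notes": 0, "ids": {}, "intact_tail_bytes": 0}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.suffix == ENCRYPTED_EXT:
            summary["encrypted_files"] += 1
            summary["intact_tail_bytes"] += intact_tail_bytes(path.stat().st_size)
        elif path.name == NOTE_NAME:
            summary["notes"] += 1
            personal_id = extract_personal_id(path.read_text(errors="replace"))
            if personal_id:
                summary["ids"][personal_id] = key_type(personal_id)
    # On a real victim machine this file lives at C:\SystemID\PersonalID.txt.
    system_id = root / "SystemID" / "PersonalID.txt"
    if system_id.is_file():
        for personal_id in parse_personal_id_file(system_id.read_text(errors="replace")):
            summary["ids"][personal_id] = key_type(personal_id)
    return summary


def demo():
    """Build a constructed victim directory in a temporary folder and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp) / "Documents"
        docs.mkdir()
        (docs / "image.jpg.rezm").write_bytes(b"\x00" * (200 * 1024))  # 200 KB: 46 KB tail intact
        (docs / "notes.txt.rezm").write_bytes(b"\x00" * 1024)          # 1 KB: fully inside the head
        (docs / NOTE_NAME).write_text(SAMPLE_NOTE)
        sysid = Path(tmp) / "SystemID"
        sysid.mkdir()
        # Two constructed IDs: one offline (ends with t1), one online.
        (sysid / "PersonalID.txt").write_text(
            "0211ExamplePlaceholderIdXXXXt1\n0211AnotherPlaceholderIdYYYY\n"
        )
        return triage_directory(tmp)


if __name__ == "__main__":
    print(demo())
```

Run it against the root of a drive (for example `triage_directory("D:\\")`) after the malware has been removed; an ID classified as ‘online’ means the free decryptor will not help for files encrypted under that ID, and the intact-tail figure is the portion of those files that the alternative recovery methods below can still work with.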
How to restore .rezm files
If all your files are encrypted with an online key, or the STOP (Rezm) decryptor cannot decrypt the encrypted files, then you only have one thing left: use alternative methods to restore the contents of the encrypted files. There are several alternative methods that may allow you to restore the contents of encrypted files. However, if you have not tried the free decryptor yet, try it first by following step 2 of this instruction, and then return here.
Alternative methods of file recovery do not use decryption, so there is no need for a key and decryptor. Before you begin, you must be 100% sure that the computer does not have active ransomware. Therefore, if you have not yet checked your computer for ransomware, do it right now, use free malware removal tools or return to step 1 above.
Recover .rezm encrypted files using Shadow Explorer
A free tool named ShadowExplorer is a simple way to use the ‘Previous Versions’ feature of MS Windows 10 (8, 7, Vista). You can recover your documents, photos and music encrypted by Rezm ransomware from Shadow Copies for free. Unfortunately, this method does not always work, because the ransomware almost always deletes all Shadow Copies.
Installing the ShadowExplorer is simple. First you’ll need to download ShadowExplorer from the link below. Save it on your Windows desktop.
(438670 downloads; author: ShadowExplorer.com; category: Security tools; updated September 15, 2019)
Once downloading is finished, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder as on the image below.
Double-click ShadowExplorerPortable to launch it. You will see a window as shown on the image below.
In the top left corner, select the drive where the encrypted photos, documents and music are stored and the latest restore point, as on the image below (1 – drive, 2 – restore point).
In the right panel, look for a file that you wish to restore, right-click it and select Export, as displayed on the screen below.
Use PhotoRec to restore .rezm files
There is another, unfortunately the last, way to recover the contents of encrypted files. This method is based on using data recovery tools. We recommend using a tool called PhotoRec. It has all the necessary functions and is completely free.
Download PhotoRec on your personal computer from the link below.
When the download is complete, open the directory in which you saved it. Right-click testdisk-7.0.win and choose Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as displayed in the following example.
Double click on qphotorec_win to run PhotoRec for MS Windows. It’ll open a screen as displayed in the following example.
Select a drive to recover as displayed on the image below.
You will see a list of available partitions. Choose a partition that holds encrypted photos, documents and music as shown in the following example.
Press the File Formats button and specify the file types to recover. You can enable or disable the recovery of certain file types. When this is done, press the OK button.
Next, click Browse button to select where recovered personal files should be written, then click Search.
The count of restored files is updated in real time. All restored personal files are written to the folder that you selected in the previous step. You can access the files even before the recovery process is finished.
When the recovery is done, click the Quit button. Next, open the directory where the recovered documents, photos and music are stored. You will see contents like those below.
All restored files are written to the recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, you can sort your recovered files by extension and/or date/time.
Protect your personal computer from Rezm ransomware virus
Most antivirus programs already have a built-in protection system against crypto malware. Therefore, if your system does not have an antivirus program, make sure you install one. As extra protection, use HitmanPro.Alert. All in all, HitmanPro.Alert is a fantastic tool to protect your computer from any ransomware. If ransomware is detected, HitmanPro.Alert automatically neutralizes the malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of the Microsoft Windows operating system from Windows XP to Windows 10.
Click the link below to download HitmanPro.Alert. Save it on your Desktop.
After downloading is finished, open the file location. You will see an icon like below.
Double-click the HitmanPro.Alert desktop icon. When the utility starts, you will see a window where you can select a level of protection, like below.
Now press the Install button to activate the protection.
Final words
This guide was created to help all victims of Rezm ransomware virus. We tried to answer the following questions: how to remove the ransomware; how to decrypt .rezm files; how to recover files if the STOP (Rezm) decryptor does not help; what an online key is and what an offline key is. We hope that the information presented in this manual has helped you.
If you have questions, write to us by leaving a comment below. If you need more help with Rezm-related issues, go here.