RETIS ransomware/malware

A security researcher has discovered a ransomware called Retis, which is a ransomware-type virus that secretly infiltrates the system. Shortly after executed, RETIS encrypts most saved data and adds filenames with the “.crypted” extension.

It is a .NET ransomware, so its source code can be easily viewed.

When the malware executed it will first target the victim’s Desktop, Documents, and Pictures folder for encryption. After that, it will target the rest of the drives on the computer.RETIS encrypts most stored data and appends filenames with the ".crypted" extension (for instance, "sample.jpg" is renamed to "sample.jpg.crypted").

 Lastly, it will turn the Windows wallpaper as %APPDATA%\RANSOM.png, which is an installed resource in the executable. The executable also contains a second image resource of a mountain range, but it is not used.

The file extensions targeted by this ransomware are:

.txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .jpg, .jpeg, .png, .one, .pdf

The name of the ransomware is obtained from the string of text located in the windows console, it shows the string “Hack Lab by Retis”.

The new wallpaper contains a ransom-demand message in French. Therefore, it is safe to assume that developers are either from France or target users who live in this country. The message states that files are encrypted and gives users 24 hours to pay a ransom.

Retis ransomware shares several likenesses with dozens of other ransomware viruses such as Cyclone, Zlocker, and Skeleton.

Most ransomware is increased using spam emails, third-party software download sources, fake software updates, and trojans. Users are recommended to be careful, don’t open files (malicious attachments) received from suspicious email addresses – remove these emails without reading.

Retis Ransom Note:

Votre bureau, vos photos, vos données et autres dossiers importants ont été chiffrés
avec un algorithme fort et une clé unique générés pour cet ordinateur.
La clé secrète pour déchiffrer vos données est gardée sur un serveur d'Internet,
et personne ne peut déchiffrer vos filchiers jusqu'à ce que vous payez pour l'obtenir.
Vous disposez d'un délai de 24 heures pour nous transmettre le paiement.
PASSÉ CE DÉLAI VOTRE CLÉ SERA SUPPRIMÉE OE NOS SERVEURS ET IL NE SERA PLUS POSSIBLE
POUR VOUS OE RÉCUPÉRER VOS DONNÉES
HackLab by Retis

The ransom typically fluctuates between $500 and $1500 in Bitcoins (or another cryptocurrency), however, even if RETIS did provide payment instructions, you should never pay. Research shows that developers often ignore victims once payments are submitted. Paying will deliver no positive result and you will be scammed. As well as losing your money, you will support cyber criminals' malicious businesses. These rogue developers should never be trusted.

Unfortunately, there are no tools capable of restoring files compromised by RETIS. The only solution is to restore files/system from a backup.

How did ransomware infect my computer?

Most ransomware is proliferated using spam emails (malicious attachments), third party software download sources (peer-to-peer [P2P] networks, free file hosting websites, freeware download websites, etc.), deceptive software updates, and trojans. Infectious attachments typically come in the format of JavaScript files or MS Office documents with macros. Once opened, these attachments download and install malware. Unofficial download sources proliferate malware by presenting it as legitimate software - users are tricked into downloading and installing it. Fake update tools infect the system by exploiting outdated software bugs/flaws. Trojans are the simplest of all - they merely open "backdoors" for malware to infiltrate the system. Ultimately, the main reasons for computer infections are poor knowledge and careless behavior.

How to protect yourself from Retis Ransomware or any other Ransomware:

• Backup, Backup, Backup!
• Do not open attachments if you do not know who sent them.
• Do not open attachments until you confirm that the person actually sent you them,
• Scan attachments with tools like VirusTotal.
• Make sure all Windows updates are installed as soon as they come out! Also make sure you update all programs, especially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly exploited by malware distributors. Therefore it is important to keep them updated.
• Make sure you use have some sort of security software installed that uses behavioral detections or white list technology. White listing can be a pain to train, but if you’re willing to stick with it, could have the biggest payoffs.
• Use hard passwords and never reuse the same password at multiple sites.

How to remove it:
https://www.pcrisk.com/removal-guides/12037-retis-ransomware

Just follow this link and it will provide the corresponding methods to the remove the ransomware.