REPP ransomware is the 203rd version of DJVU file-encrypting malware
Contents
REPP ransomware is the name of a new STOP/DJVU virus variant that deceptively infects and encrypts all data on computer system. The aim of this malicious program is to extort money from the victim. Once installed, the virus disables security software, deletes system restore points, then encrypts all files, marking them with .repp extensions. Finally, it creates and saves a message in _readme.txt note, which is known as the ransom note. The note instructs the victim to contact the attackers via provided emails and pay a ransom worth of $490 (if paid within 3 days) or $980 later. This ransomware family is also infamous of its capability to install password-stealing Trojans on the system.
REPP virus is a specific malware designed for Windows operating systems. It is capable of bypassing weak security programs and deleting essential system restore components. This way, the virus creates an environment which allows easy data corruption and prevents its restoration for the victim. The ransomware uses asymmetric encryption to lock access to the files (such as documents, databases, images, videos, music, etc.)
The ransom note left by the virus informs that the victim must contact them via helpmanager@firemail.cc or helpmanager@iran.ir to get more information regarding ransom payment. The victim can send one encrypted .repp extension file for the attackers to decrypt.
It is important to remove REPP ransomware virus as soon as possible using instructions provided below to eliminate the virus and the additional malware it installs on the system (AZORULT password-stealing Trojan).
Threat Summary
| Name | REPP ransomware virus |
| Type | File-encrypting virus |
| Origins | STOP/DJVU (203rd version) |
| Targeted systems | Windows |
| Behavior | Encrypts files, restricts access to them and demands paying a ransom (according to instructions in _Readme.txt file) |
| File extension | Marks files with .repp extension |
| Ransom note | _readme.txt |
| Ransom demand | $490-$980 |
| Emails | helpmanager@firemail.cc, helpmanager@iran.ir |
| Distribution | Awaits victims in illegal online downloads, such as KMSPico |
| Decryption tools | STOP Decryptor isn’t capable of decrypting this variant at the moment |
| Removal | Remove using antivirus while in Safe Mode (see instructions below) |
Unfortunately, victims need to realize that ONLY the ransomware creators can restore files, so once they’re encrypted, your access to files is gone. There is no way for security researchers to break the encryption and create a working .repp decryption tool, because there is no way to do that. The only 100% working way to restore all files is to use a recently created backup.
However, saying that data recovery is impossible in this case is not entirely true. Now, let us explain how this ransomware encrypts files and what are the probabilities to restore them.
The offline and online encryption cases
In order to check with encryption was used on your files, go to C:\SystemID\PersonalID.txt and look at the end of the inserted IDs here. If one of the keys ends in t1, it means offline encryption. NOTE. Don’t check this in _readme.txt file – it might not be accurate as several keys can be used.
Case 1: The online encryption (no chances to recover data)
REPP file virus attempts to connect to its Command & Control server before encrypting any file first. If this connection succeeds, the ransomware receives an ONLINE encryption key from the server and uses it to encrypt files on victim’s computer. In this case, the victim gets an online ID, which DOESN’T end in t1.
Case 2: The offline encryption (chance to recover data)
If the ransomware fails to connect to its Command & Control server, it uses an OFFLINE encryption key, which comes with the malicious virus itself. It is the same key for all victims of one DJVU ransomware version. This key ends in t1. For example, the offline encryption/decryption pair for REPP victims is the same; the pair for NPSG version is the same; the pair for BTOS ransomare version is the same and so on.
Therefore, once someone affected by the offline encryption pays the ransom and shares the received key with security experts, the STOP decryptor gets updated and all other victims of offline REPP ransomware attack can recover their files. More information about this decryption tool here.
Ransomware spreads in tools used to hack software licenses
Computer users frequently are not keen on paying for legal software licenses and tend to search for their cracks or keygens online. Ransomware developers know that and therefore the main DJVU ransomware distribution vector is illegal software activation tools (such as KMSPico).
Be careful as such downloads might leverage various code exploitation methods to execute the ransomware via another file or simply rename the malicious file into something deceitful such as PS_crack_2020.zip.
Malicious email spam isn’t known to be used by this ransomware, but you should be aware of this technique anyway. Failure to identify such emails can result in unexpected installation of various malware.
Best way to remove REPP ransomware virus
The best and easiest way to remove REPP ransomware virus is to start your computer in Safe Mode and run an up-to-date antivirus tool. It will identify the described DJVU variant and AZORULT Trojan and quarantine it. Then you’ll be able to remove it easily. You can choose from free and paid antivirus software options anytime.
REPP virus removal doesn’t protect your computer system from the cyberattack. Next, you’ll need to change all of your passwords, only then you’ll be finished securing your computer and privacy in full. Finally, you need to know that antivirus software is made for malware removal, not data recovery.
When it comes to file decryption, do noy trust suspicious third-parties who claim to be able to restore your files for a price higher than the ransom. Such scammer companies simply pay the criminals using your victim’s ID. The best way to restore files is to use backups, or, if you’re subject to offline encryption, wait for STOP Decryptor to be updated.
OUR GEEKS RECOMMEND
Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:
STEP 1. REMOVE AUTOMATICALLY WITH ROBUST ANTIVIRUS
STEP 2. REPAIR VIRUS DAMAGE TO YOUR COMPUTER
GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.
REPP Ransomware Removal Guidelines
Method 1. Enter Safe Mode with Networking
Step 1. Start Windows in Safe Mode with Networking
Before you try to remove the virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, see a video tutorial on how to do it:
Instructions for Windows XP/Vista/7 users
- First of all, turn off your PC. Then press the Power button to start it again and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. This launches the Advanced Boot Options menu.
- Use arrow keys on the keyboard to navigate down to Safe Mode with Networking option and press Enter.
Instructions for Windows 8/8.1/10 users
- Open Windows Start menu, then press down the Power button. On your keyboard, press down and hold the Shift key, and then select Restart option.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Networking. In this case, it is the F5 key.
Step 2. Remove files associated with the virus
Now, you can search for and remove REPP Ransomware files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable malware removal program. In addition, we suggest trying a combination of INTEGO Antivirus (removes malware and protects your PC in real-time) and RESTORO (repairs virus damage to Windows OS files).
Method 2. Use System Restore
In order to use System Restore, you must have a system restore point, created either manually or automatically.
Step 1. Boot Windows in Safe Mode with Command Prompt
Instructions for Windows XP/Vista/7 users
- Shut down your PC. Start it again by pressing the Power button and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. You will see Advanced Boot Options menu.
- Using arrow keys on the keyboard, navigate down to Safe Mode with Command Prompt option and press Enter.
Instructions for Windows 8/8.1/10 users
- Launch Windows Start menu, then click the Power button. On your keyboard, press down and hold the Shift key, and then choose Restart option with the mouse cursor.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Command Prompt. In this case, press F6 key.
Step 2. Start System Restore process
- Wait until system loads and command prompt shows up.
- Type cd restore and press Enter, then type rstrui.exe and press Enter. Or you can just type %systemroot%system32restorerstrui.exe in command prompt and hit Enter.
- This launches System Restore window. Click Next and then choose a System Restore point created in the past. Choose one that was created before ransomware infection.
- Click Yes to begin the system restoration process.
After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Alternative software recommendations
Malwarebytes Anti-Malware
Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense
If you're looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
Matt Corey is passionate about the latest tech news, gadgets and everything IT. Matt loves to criticize Windows and help people solve problems related to this operating system. When he’s not tinkering around with new gadgets he orders, he enjoys skydiving, as it is his favorite way to clear his mind and relax.
Leave a Reply