
RackCrypt Ransomware

Posted: January 25, 2016

Threat Metric

Threat Level: 8/10
Infected PCs: 21
First Seen: January 25, 2016
Last Seen: July 10, 2022
OS(es) Affected: Windows

The RackCrypt Ransomware is a Trojan that encrypts your files and then asks for money in return for restoring them. Since paying the RackCrypt Ransomware's ransom can't guarantee that a working decryption service will be provided, malware experts always encourage keeping secure backups, which blunt the payloads of threats like the RackCrypt Ransomware. Most PC users should remove the RackCrypt Ransomware with anti-malware products able to detect its frequently mislabeled components, which may pose as other applications.

The Program Putting Your Finances on the Rack

The RackCrypt Ransomware is a Windows-based Trojan that gains access to your PC by misrepresenting itself as another program and then scans all hard drives for specific files. Formats targeted by the RackCrypt Ransomware include PowerPoint data, various text documents, ZIP archives, audio libraries, and even some movie files. The dozens of file types affected by the RackCrypt Ransomware undergo an encryption process intended to make the files unopenable.

The files also are renamed with an additional '.rack' extension. Note that, as usual, this extension is a cosmetic change for user identification purposes. Renaming the files and removing the new extension does not reverse the encryption process.

Once the RackCrypt Ransomware finishes its primary payload, it loads a custom ransom message in the format of a Windows alert, including a built-in file viewer and additional messages related to the transaction process for 'buying' a file decryptor. Like other file encryptors encountered by malware analysts, the RackCrypt Ransomware prefers payments in the form of Bitcoin and warns the victim of a time limit. Current ransoms from the RackCrypt Ransomware price themselves at an equivalent of 300 USD, with no certainty of getting anything in return.

Rescuing Your Files from Torture by a Threat

Whereas most file encryptors content themselves with simple text messages or JPG-based ransoms, the RackCrypt Ransomware includes a well thought-out pop-up that tries to make paying its ransom as 'user-friendly' as possible. Despite that ease of use, paying the RackCrypt Ransomware's authors for your files holds the same unreliability as all other cash transactions with con artists. Malware analysts recommend keeping preventative backups, such as cloud storage, whenever possible, for protecting valuable data from the RackCrypt Ransomware and any other file encryptors. In some cases, PC security companies also may provide free decryption tools, particularly for widely-distributed Trojans of this category.

The RackCrypt Ransomware does include some defensive measures against being uninstalled, and often uses intentionally-misnamed files, such as 'Firefox.exe' or 'smss.exe' (the name of a native Windows file). Whenever removing the RackCrypt Ransomware, you should take any other steps needed to disable it and other threats, such as restarting Windows into Safe Mode, or booting the machine from a separate USB drive. Allow your anti-malware tools to scan your entire PC and remove the RackCrypt Ransomware in full, including all Registry entries related to giving it admin access.
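The two indicators described above (the appended '.rack' extension and components named after legitimate binaries such as 'smss.exe' or 'Firefox.exe') can be checked for in a quick triage pass. The script below is an added example, not code from this page or from any vendor tool; the sample file and process lists are constructed, and the expected install directories for the mimicked binaries are assumed defaults.

```python
"""Triage helpers for the RackCrypt indicators this page describes: the appended
'.rack' extension and process image names that mimic legitimate binaries."""
from pathlib import PureWindowsPath

RANSOM_EXT = ".rack"

# Assumed default locations of the legitimate binaries (compared case-insensitively).
EXPECTED_DIRS = {
    "smss.exe": [r"C:\Windows\System32"],
    "firefox.exe": [r"C:\Program Files\Mozilla Firefox",
                    r"C:\Program Files (x86)\Mozilla Firefox"],
}

def find_encrypted(paths):
    """Return (path, original_extension) for files carrying the appended '.rack' suffix.
    RackCrypt appends rather than replaces, so the original extension is still visible."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.suffix.lower() == RANSOM_EXT:
            hits.append((p, PureWindowsPath(wp.stem).suffix.lower()))
    return hits

def affected_extensions(paths):
    """Count encrypted files by their original extension, e.g. {'.pptx': 1, '.zip': 1}."""
    counts = {}
    for _, ext in find_encrypted(paths):
        counts[ext] = counts.get(ext, 0) + 1
    return counts

def find_masquerades(image_paths):
    """Return image paths whose file name matches a mimicked binary but whose
    directory is not one of the expected locations for that binary."""
    flagged = []
    for image in image_paths:
        wp = PureWindowsPath(image)
        expected = EXPECTED_DIRS.get(wp.name.lower())
        if expected and str(wp.parent).lower() not in {d.lower() for d in expected}:
            flagged.append(image)
    return flagged

# Constructed sample data, not taken from a real infection.
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\budget.pptx.rack",
    r"C:\Users\alice\Documents\notes.txt.rack",
    r"C:\Users\alice\Music\album.mp3.rack",
    r"C:\Users\alice\Documents\archive.zip.rack",
    r"C:\Users\alice\Documents\readme.txt",   # untouched file
    r"C:\Users\alice\Documents\rack.txt",     # contains 'rack' but is not encrypted
]
SAMPLE_PROCESSES = [
    r"C:\Windows\System32\smss.exe",                   # legitimate location
    r"C:\Users\alice\AppData\Roaming\smss.exe",        # native name, wrong directory
    r"C:\Program Files\Mozilla Firefox\firefox.exe",   # legitimate location
    r"C:\Users\alice\AppData\Local\Temp\Firefox.exe",  # browser name, wrong directory
    r"C:\Windows\explorer.exe",                        # not a mimicked name
]

if __name__ == "__main__":
    print("encrypted by original type:", affected_extensions(SAMPLE_FILES))
    print("suspicious images:", find_masquerades(SAMPLE_PROCESSES))
```

Running the script on real data means feeding it a directory listing and the image paths of running processes; a clean hit list for the second check does not rule out infection, since the page notes only two of the names the Trojan has used.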

However, anti-malware programs and decryptors are separate utilities, and deleting the RackCrypt Ransomware can't automatically restore files affected by its encryption payload. Preemptive prevention and good backups still are critical to defeating the RackCrypt Ransomware and many Trojans like it.
