
Rector Ransomware

Posted: July 2, 2015

Threat Metric

Threat Level: 8/10
Infected PCs: 73
First Seen: July 2, 2015
Last Seen: May 22, 2023
OS(es) Affected: Windows

The Rector Ransomware (also identified as Trojan-Ransom.Win32.Rector or Ransom:Win32/Rector.A) is a file encryption Trojan that deprives you of access to your files and demands a ransom for their return. The Rector Ransomware's attacks may be accompanied by automatic network contact with remote servers, as well as changes to file names. As with any ransomware campaign, malware experts suggest that you ignore the Rector Ransomware's ransom demand and use proper anti-malware products to delete the Rector Ransomware and restore your computer.

The Files Renamed into Ransoms

Many file encryption campaigns incorporate sophisticated techniques for demanding ransoms from their victims, ranging from changing their desktop images to generating new text files. However, malware researchers also have seen recent fads in file encrypting strategies that don't require anything more onerous than changing the names of the attacked files. The Rector Ransomware is an example of one such Trojan that recently has been seen using this technique as a means of delivering its ransom demands seamlessly alongside its file encrypting attacks.

The Rector Ransomware is a Windows-based threat and may make automatic modifications to utilities like the Windows Firewall to allow its features to function as intended. Post installation, the Rector Ransomware scans for files of common types and appends the .CBF extension, although the Rector Ransomware doesn't convert the files to true CBF (Calendar Builder) files. However, PC owners are more likely to notice the e-mail addresses and ID code strings added to the file names. These changes are implicitly meant to provide the victims with a means of contacting the would-be file ransomer.
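A responder's first question after an infection is which files were renamed and which contact address each one carries. The following triage script is an added example, not code from the page or from any analysis of the Trojan; it assumes a layout of <original name>.<ext>, a separator, the e-mail address, a separator, the ID string, then .CBF (the page does not give the exact format), and it parses constructed sample names rather than real victim data.

```python
import re

# Assumed layout of a renamed file (the page only says that an e-mail address
# and an ID code string are added and that .CBF is appended):
#   <original name>.<ext><separator><e-mail><separator><ID>.CBF
# The e-mail local part is assumed to contain no dots, so that the original
# file's extension is not swallowed into the address.
EMAIL_RE = re.compile(
    r"[A-Za-z0-9_%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*?\.[A-Za-z]{2,6}(?![A-Za-z])"
)
SEPARATORS = " ._-()[]{}"


def parse_rector_name(name: str):
    """Return (original_name, contact_email, id_code) for a file name that
    follows the renaming pattern, or None for an unaffected file."""
    if not name.lower().endswith(".cbf"):
        return None
    body = name[:-4]
    m = EMAIL_RE.search(body)
    if m is None:  # a .CBF name without a contact address: not this pattern
        return None
    original = body[: m.start()].rstrip(SEPARATORS)
    id_code = body[m.end():].strip(SEPARATORS)
    return original, m.group(0), id_code


def triage(names):
    """Group renamed files by the contact address embedded in their names, so a
    responder can see which campaign variant touched which files."""
    report = {}
    for name in names:
        parsed = parse_rector_name(name)
        if parsed:
            original, email, id_code = parsed
            report.setdefault(email, []).append((original, id_code))
    return report


# Constructed sample names (not real victim data) covering the cases above.
SAMPLE_NAMES = [
    "Quarterly_report.xlsx.restore@example.com.ID123456.CBF",
    "photo.jpg(helpdesk@mail.example.org)[ID-7f3a].CBF",
    "notes.CBF",                # .CBF without an address: not flagged
    "restore@example.com.txt",  # address but no .CBF suffix: not flagged
    "invoice.pdf",
]

if __name__ == "__main__":
    for email, files in triage(SAMPLE_NAMES).items():
        print(f"{email}: {len(files)} file(s)")
        for original, id_code in files:
            print(f"  {original}  (ID {id_code})")
```

To run it against a real tree, feed `triage()` the file names from `Path(root).rglob("*")` instead of `SAMPLE_NAMES`.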

Along with these cosmetic changes, the Rector Ransomware also encrypts the affected files, which leaves them unreadable until the encryption is reversed. As of this article's writing, there is at least one freely downloadable Rector Ransomware decryptor (RectorDecryptor). However, this tool has failed to reverse the encryption performed by the latest versions of the Rector Ransomware.

PC users who choose to contact the Rector Ransomware's administrator through the e-mail address (which has changed at least twice in recent Rector Ransomware attacks) are told to pay a cash ransom. Ransoms may range as high as 1000 USD, with no guarantee that the perpetrators will follow through on their promise of providing decryption.

Stopping Your Files from Being a Ransom Message

Although many of the most recently dated Rector Ransomware attacks affect Russian systems, the Rector Ransomware isn't a region-specific threat and can encrypt files regardless of their contents or language. Besides the highly visible file renaming, the Rector Ransomware also can be identified through its automated network communications. Open network ports, particularly port 3389 (Remote Desktop), may be symptoms of the presence of the Rector Ransomware or similar network-capable Trojans.

Even though there is evidence linking Rector Ransomware campaigns to compromised terminal servers, malware analysts haven't identified all of the Rector Ransomware's possible transmission methods. Regardless of how the Rector Ransomware installs itself, deleting the Rector Ransomware and disinfecting your PC should be a security priority, even over preserving any endangered file data. In cases where free utilities are inadequate at reversing the Rector Ransomware's attacks, victims can further protect themselves by keeping any files at risk in remote storage.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

File name                          File type             Mime Type    Group
C:\WINDOWS\system32\uxtheme.dll    Dynamic link library  unknown/dll  Malware file
C:\WINDOWS\system32\MSCTF.dll      Dynamic link library  unknown/dll  Malware file
C:\WINDOWS\system32\usp10.dll      Dynamic link library  unknown/dll  Malware file
C:\WINDOWS\system32\lpk.dll        Dynamic link library  unknown/dll  Malware file
C:\WINDOWS\system32\imm32.dll      Dynamic link library  unknown/dll  Malware file
