Razy Ransomware

Posted: August 1, 2016

Threat Metric

Threat Level: 10/10
Infected PCs: 51
First Seen: August 1, 2016
OS(es) Affected: Windows

The Razy Ransomware is a Trojan that encrypts your content and may display ransom messages selling its victims a decryption service. Contrary to what its ransom notes imply, the Razy Ransomware's encryption routine does not preserve the critical data (the decryption key) required for restoring the affected files, so malware experts specifically recommend against paying its fee. You should delete the Razy Ransomware through the usual anti-malware procedures and restore your content from any available backups.

When Your Files Start Razzing You

Most online threats and hoaxes have to balance appearing credible against extracting as much profit as possible, and nowhere is that tension more visible than in Trojans dedicated to ransoming data. Malware researchers have seen different threat authors respond to it in diverse ways, such as faking encryption attacks, claiming that their encryption algorithms are stronger than they are, and even misrepresenting deleted files as encrypted ones. The new Razy Ransomware shows yet another way Trojan developers can manipulate their victims into paying.

A German developer originally created the Razy Ransomware for supposedly educational purposes, posting links to early builds alongside its initial source releases. Although the developer claims not to be using the Trojan for attack campaigns, remote attackers have begun distributing the Razy Ransomware through unknown methods, infecting PC users with no apparent targeting pattern.

The Razy Ransomware uses some features that it 'borrows' from the Cerber Ransomware, but malware experts determined that it's notably different from that Trojan regarding how it encrypts data. Instead of targeting files by their formats, the Razy Ransomware targets all content inside the following Windows directories:

  • Desktop
  • Documents
  • Music
  • Pictures
  • Videos

The Razy Ransomware sends files in these folders through an AES encryption routine but discards the key needed for decrypting the content and restoring it. Despite that unusual step (either an oversight or an intentional, malicious act), the Razy Ransomware still displays ransom messages that offer to sell its victims a decryption service. Unlike the Cerber Ransomware, the Razy Ransomware doesn't use a live countdown to determine further actions, such as increases in ransoms or launching new attacks.

Taking the Sting out of Being Razzed by Trojans

The Razy Ransomware infections are identifiable by their Cerber Ransomware-inspired ransom messages, their additional text-to-speech functions, and the '.the Razy' extension they append to encrypted content in the locations mentioned above. With its original developer disclaiming any knowledge of this threat's still-unidentified distribution model, the PC security sector will need time to determine whether the Razy Ransomware is installing itself through e-mail attachments, spam links, drive-by-downloads or other methods.

Since there is no gain from paying the Razy Ransomware's ransom, malware experts suggest regarding all encrypted files as being de facto deleted. The irreversible nature of the Razy Ransomware's attack, while rare, is not unheard of among other Trojans of the same category, and is best counteracted by keeping backups out of the reach of an infection. Traditional solutions include removable storage devices and cloud storage.

Deleting the Razy Ransomware with your installed anti-malware products will not restore any encrypted content, but will prevent the Trojan from damaging any newly-introduced data in the targeted locations. The Razy Ransomware is only compatible with Windows currently and targets files pertinent to Windows users, although it doesn't harm the folder in use for the Windows operating system. Until its campaign's distribution is detected and curtailed, Windows users will need to be especially aware of the dangers behind paying for what should be theirs in the first place.

Technical Details

File System Modifications

The following files were created in the system:

file.exe
  File name: file.exe
  Size: 946.68 KB (946688 bytes)
  MD5: ec9c3efe831aaa203058927df7de6138
  Detection count: 61
  File type: Executable File
  Mime Type: unknown/exe
  Group: Malware file
  Last Updated: November 15, 2016

file.exe
  File name: file.exe
  Size: 163.84 KB (163840 bytes)
  MD5: 93e551a1f52faea0d90ab9cd3d524ae9
  Detection count: 49
  File type: Executable File
  Mime Type: unknown/exe
  Group: Malware file
  Last Updated: August 2, 2016
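To turn the indicators in this write-up into a triage check, here is an added example (written for this page, not code from the original post or from the Trojan's author): a Python scanner that walks the five folders the Razy Ransomware targets under one user profile, lists files carrying the '.the Razy' extension, and hashes only files whose size matches one of the two samples listed above before comparing their MD5. The `build_demo_profile` helper and its file names are constructed for the demo and are not real victim data.

```python
import hashlib
import tempfile
from pathlib import Path

# Indicators as stated in the write-up above: extension, target folders, sample sizes/hashes.
RAZY_EXTENSION = ".the Razy"
TARGET_DIRS = ("Desktop", "Documents", "Music", "Pictures", "Videos")
KNOWN_SAMPLES = {  # size in bytes -> MD5 of the dropped file.exe sample
    946688: "ec9c3efe831aaa203058927df7de6138",
    163840: "93e551a1f52faea0d90ab9cd3d524ae9",
}


def md5_of(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large media files are not read into memory at once."""
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_profile(profile_root: Path) -> dict:
    """Walk the five folders Razy targets under profile_root; return paths (relative to it)
    carrying the '.the Razy' extension and paths whose size *and* MD5 match a known sample."""
    findings = {"encrypted": [], "sample_matches": []}
    for name in TARGET_DIRS:
        folder = profile_root / name
        if not folder.is_dir():
            continue
        for path in sorted(p for p in folder.rglob("*") if p.is_file()):
            rel = str(path.relative_to(profile_root))
            if path.name.endswith(RAZY_EXTENSION):
                findings["encrypted"].append(rel)
            # Size pre-filter: only hash files that could possibly be a known sample.
            expected = KNOWN_SAMPLES.get(path.stat().st_size)
            if expected and md5_of(path) == expected:
                findings["sample_matches"].append(rel)
    return findings


def build_demo_profile() -> Path:
    """Constructed sample profile (not real victim data) so the scanner can be tried offline."""
    root = Path(tempfile.mkdtemp(prefix="razy_demo_"))
    for name in TARGET_DIRS:
        (root / name).mkdir()
    (root / "Documents" / "thesis.docx.the Razy").write_bytes(b"\x00" * 64)
    (root / "Pictures" / "holiday.jpg").write_bytes(b"\xff\xd8\xff" + b"\x00" * 32)
    # Same size as the smaller known sample but different content: must not be flagged.
    (root / "Desktop" / "file.exe").write_bytes(b"MZ" + b"\x00" * (163840 - 2))
    return root
```

Run `scan_profile(build_demo_profile())` to see one encrypted document reported and no sample match, since the demo's file.exe only shares a sample's size, not its hash.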
