Reha Ransomware

Posted: January 24, 2020

Reha Ransomware Description

The Reha Ransomware is a file-locking Trojan that can keep media such as documents, pictures or databases from opening. This encryption attack is, generally, irreversible without the threat actor's ransom-based help, which is an inherently risky service. Users can preserve their files more effectively with well-stored backups and with anti-malware software for stopping and removing the Reha Ransomware.

The Trojans that will not 'STOP' Ransoming Your Work

Although file-locking Trojans of other origins are also extant, Ransomware-as-a-Service families are particularly prominent sources of them. Groups with high levels of activity include the Scarab Ransomware, the Globe Ransomware, and the STOP Ransomware, the last of which has the most rapidly-evolving version iteration. In 2020, the Reha Ransomware is one of the newest of this family, although it follows innumerable others, such as the Hets Ransomware, the Nbes Ransomware, the Peet Ransomware and the older Djvu Ransomware.
The Reha Ransomware belongs to version 0199 of the series of Trojans, which, although it's not the most recent build, is newer than nearly all prior samples. It targets Windows environments, including both coincidentally-compromised users' PCs and business-owned servers, with a series of attacks intended for ransoming money out of the victim. The primary features that put all victims at risk include:

  • The AES and RSA data encryption 'locks' files of ransom-worthy formats like Word documents, spreadsheets or various pictures. After stopping the file from opening this way, the Trojan also adds a different extension to the name ('reha,' in this case).
  • The Reha Ransomware can also wipe the Restore Points and other Shadow Volume Copy-related backup information to prevent the media's recovery.
  • Some STOP Ransomware infections also include threat-downloading functionality for collecting passwords and other credentials. The attack could facilitate lateral traversal throughout a network, among other issues.
  • The Reha Ransomware creates TXT (Notepad text) ransom notes automatically, which sell the decryption-based unlocking service of the threat actor. Although there is a deadline for getting a 'low' ransom price, the criminals also have no issues with taking the payment without restoring files, in many cases.

A non-localized backup is, ultimately, the safest and most reliable method of recovering any media that the Trojan locks.
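For scoping a restore from such a backup, the sketch below is an added example, not part of the original article or any vendor tool. It inventories files carrying the appended 'reha' extension and reports their modification-time window, which only approximates when encryption ran; the function names and the sample tree are constructed for illustration.

```python
import os
from collections import Counter
from datetime import datetime, timezone

MARKER = ".reha"  # extension the article says this variant appends


def inventory_locked_files(root, marker=MARKER):
    """Summarise files under root whose names end with the appended marker."""
    by_type, by_dir, mtimes = Counter(), Counter(), []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(marker):
                continue
            # "report.docx.reha" -> "report.docx" -> original type ".docx"
            original = name[: -len(marker)]
            by_type[os.path.splitext(original)[1].lower() or "(none)"] += 1
            by_dir[os.path.relpath(dirpath, root)] += 1
            try:
                mtimes.append(os.stat(os.path.join(dirpath, name)).st_mtime)
            except OSError:
                pass  # unreadable file: still counted, just no timestamp

    def iso(ts):
        return datetime.fromtimestamp(ts, timezone.utc).isoformat()

    return {
        "total": sum(by_type.values()),
        "by_type": dict(by_type),
        "by_dir": dict(by_dir),
        # Assumption: mtimes reflect the rewrite; pick a backup older than this.
        "first_modified": iso(min(mtimes)) if mtimes else None,
        "last_modified": iso(max(mtimes)) if mtimes else None,
    }


def build_sample_tree(root, start=1579860000):
    """Constructed sample data: three 'locked' files and two untouched ones."""
    names = ["docs/report.docx.reha", "docs/budget.xlsx.reha",
             "pics/cat.jpg.reha", "pics/dog.jpg", "docs/README"]
    for i, rel in enumerate(names):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample")
        os.utime(path, (start + 60 * i, start + 60 * i))
```

Run it against a read-only mount or a forensic copy rather than the live volume, so the walk does not alter access times on evidence.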

Staying a Step Ahead of Fast-Updating Trojans

The STOP Ransomware can compromise users by any means preferable to the threat actor who's hiring the Trojan family. In old campaigns, malware researchers see techniques emphasizing psychological exploitation. Examples include fake software updates on Web advertising networks, pirated software downloads on torrent networks, and falsified e-mail attachments imitating invoices or resumes. Safe Web-browsing behavior, updating software through official sources, and using strong passwords will cut the risk of Reha Ransomware infections significantly.

Server administrators also should maintain scrutiny over versions for software related to server infrastructure, particularly packages with publicly-exposed vulnerabilities. Through means such as Oracle WebLogic's CVE-2017-10271 or Drupal's CVE-2018-7600, attacks can compromise a target without requiring the user to open a corrupted file. The use of factory-default or otherwise-simple passwords also should be discouraged.

This family's encryption routine is secure, in most attacks, against third-party reversal by a decryption program. Most anti-malware products will wipe out the Reha Ransomware or block installation-related exploits for the Trojan equally easily, however.

The Reha Ransomware's creation is a renewal of an exploitation-based business model that searches for weak targets and takes advantage of bad habits like 'forgetting' a backup. Accordingly, putting a 'STOP' in the STOP Ransomware needs little more than users being more responsible with how they save their work.
