
Rektware Ransomware

Posted: September 17, 2018


The Rektware Ransomware is a file-locking Trojan that can encrypt and rename your files, change their icons, and generate pop-up warnings. While the current versions of the Rektware Ransomware don't ask for a ransom, future builds are more likely than not to demand money before providing a decryption service. Keep backups on other devices to secure your files against these attacks, and allow your anti-malware products to remove the Rektware Ransomware whenever they detect it.

Trojans Telling Your Files to Get 'Rekt'

A rare case of a file-locker Trojan with no lineage tied to freeware, such as Hidden Tear, or to RaaS black market entities like the pseudo-Russian Scarab Ransomware, is under development and may be ready for release soon. The Rektware Ransomware is an independent threat that includes the usual file-locking characteristics of the many, more significant Trojans in its classification. However, it currently lacks what most criminals would consider the most important thing: the ransom instructions.

The Rektware Ransomware attacks media formats such as JPG pictures, Excel spreadsheets, Word documents, and similar content, especially in directories such as the desktop and the Windows user account's folders. Although malware experts are hesitant to draw any conclusions about the security of its cryptography, this threat's payload is functional regarding the encryption and the locking of data. While it's running the attack, the Rektware Ransomware sets itself apart from the average file-locker Trojan by appending semi-random extensions of seven characters to anything it blocks, along with hijacking the icons and replacing them with one depicting a black-and-red blob.
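The renaming behavior described above can serve as a triage signal when reviewing a file listing from an affected machine. The following is an added example, not code from the original article or from any vendor tool; it assumes the original media extension stays in front of the appended one and that the seven characters are letters or digits, neither of which the article confirms, and the names `is_suspect` and `triage` are hypothetical.

```python
import re
from collections import Counter
from pathlib import PurePath

# Formats the article names (JPG, Excel, Word) plus close relatives; extend as needed.
MEDIA_EXTS = {"jpg", "jpeg", "png", "xls", "xlsx", "doc", "docx", "pdf"}

# Assumption: the appended extension is exactly seven letters or digits.
APPENDED = re.compile(r"^[A-Za-z0-9]{7}$")


def is_suspect(path):
    """True when a media extension is followed by one extra seven-character extension."""
    suffixes = [s.lstrip(".") for s in PurePath(path).suffixes]
    if len(suffixes) < 2:
        return False
    inner, outer = suffixes[-2].lower(), suffixes[-1]
    return inner in MEDIA_EXTS and bool(APPENDED.match(outer))


def triage(paths, threshold=3):
    """Return {directory: hit count} for directories with at least `threshold` suspect files.

    The threshold keeps a single coincidental name (e.g. photo.jpg.backup1)
    from being reported as a mass-rename event.
    """
    hits = Counter(str(PurePath(p).parent) for p in paths if is_suspect(p))
    return {d: n for d, n in hits.items() if n >= threshold}


# Constructed sample listing; the appended extensions are invented for illustration.
SAMPLE = [
    "C:/Users/alice/Desktop/budget.xlsx.k3f9q2z",
    "C:/Users/alice/Desktop/photo.jpg.k3f9q2z",
    "C:/Users/alice/Desktop/letter.docx.p0w8m1x",
    "C:/Users/alice/Desktop/notes.txt",
    "C:/Users/alice/Documents/report.final.docx",
    "C:/Users/alice/Documents/scan.jpg.a7c2e9b",
]

if __name__ == "__main__":
    for directory, count in triage(SAMPLE).items():
        print(f"{directory}: {count} files with an appended seven-character extension")
```

A directory that crosses the threshold is a prompt to check the same folder for changed icons and unreadable files, not proof of infection on its own.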

The Rektware Ransomware's name comes from the e-mail address that it promotes in the pop-up alert it creates after it finishes locking your data. While the address uses a Russian service, the simple instructions for a supposedly 'free' decryption solution are in English. Besides a contact ID, which is traditional for RaaS families like the Globe Ransomware, the Scarab Ransomware or the Crysis Ransomware, the Rektware Ransomware provides no other information.

Checking Yourself Before You Wreck Your Files

The Rektware Ransomware could be an unusual example of a file-locker Trojan whose development is purely recreational, rather than financial, and it's not impossible that the threat actor will continue providing free decryption help. However, most file-locker Trojans do transition over into requesting ransoms before giving back the decryptor or the decryption code, and malware experts recommend taking appropriate precautions against such attacks. Always back up your work to password-guarded cloud drives or removable storage to guarantee its long-term safety from non-consensual encryption.

Some threat actors, especially in small-scale campaigns, use compromised websites or torrents to drop file-locker Trojans onto the victims' computers. In a more targeted fashion, however, they can also use brute-force attacks or e-mail attachments to compromise a vulnerable network. Update your anti-malware programs regularly so that they can delete the Rektware Ransomware with optimal accuracy, since malware experts have yet to determine the industry-wide rates of detection for this threat.

The Rektware Ransomware could be a for-profit Trojan-in-progress, a joke, or even an educational demonstration like the KCTF Locker Ransomware. Its reasons for coming into being are less relevant to anyone affected by its attacks than whether or not they follow proper media storage practices.
