Experienced security professionals have discovered a new variant of ransomware, named .RYK ransomware. It appends the .RYK extension to encrypted file names. This post gives a brief summary of this new ransomware and explains how to recover all encrypted files for free.
Immediately after launch, the .RYK ransomware scans all available drives, including network and cloud storage, to determine which files will be encrypted. The ransomware uses the file name extension to decide which files to encrypt. It encrypts almost all types of files, including common ones such as:
.png, .sid, .wm, .xls, .cfr, .mddata, .wpb, .m4a, .mlx, .pfx, .fpk, .y, .wcf, .wbk, .wbmp, .xx, .wotreplay, .3ds, .p7b, .wpd, .jpg, .flv, .p7c, .upk, .doc, .xlsb, .psk, .tax, .sr2, .zdb, .ibank, .mrwref, .mdf, .odt, .mp4, .wp7, .der, .wpt, .xdb, .wps, .pkpass, .odb, .iwi, .bkp, .fsh, .wdb, .ff, .wmv, .srf, .dmp, .orf, .xll, .xlsm, .pak, .rar, .pptx, .xmind, .hplg, .sav, .vcf, .kdc, .bay, .xlk, .vdf, .db0, .zdc, .rwl, .zip, .lbf, .xml, .snx, .wpg, .sis, .wma, .esm, .webdoc, .vfs0, .bkf, .wpe, .lrf, .pem, .nrw, .wsh, .crt, .sie, .ppt, .bik, .rim, .dazip, .layout, .cr2, .sidn, .rtf, .qdf, .xlsx, .docx, .xld, .xlsx, .p12, .odp, .pdf, .sidd, .wmo, .avi, .blob, .bar, .hkdb, .m2, .wri, .xlgc, .ods, .indd, .zi, .2bp, .wgz, .srw, .vpp_pc, .lvl, .xmmap, .wbc, .wma, .w3x, .bc7, .mov, .r3d, .accdb, .wp5, .forge, .eps, .wp6, .ai, .ntl, .epk, .wsc, .odm, .itl, .raw, .jpeg, .arw, .sum, .x3f, .fos, .iwd, .m3u, .css, .wmf, .big, .wps, .pef, .yml, .dcr, .re4, .xar, .t12, .cer, .gdb, .erf, .xbplate, .rofl, .dbf, .dxg, .1st, .wpa, .wpl, .zabw, .wav, .mcmeta, .wpw, .mef, .asset, .webp, .map, .z, .arch00, .mdbackup, .jpe, wallet, .xy3, .wbd, .tor, .kdb, .xls, .xyw, .cas, .x, .hkx, .wn, .ltx, .wmd, .wdp, .xpm, .wbz, .wmv, .hvpl, .odc, .vtf, .rb, .bsa, .ysp, .xxx, .xf, .xlsm, .0, .ws, .zif, .dba, .1, .t13, .sql, .txt, .sb, .icxs, .qic, .3dm, .itm, .wpd, .dwg, .ptx, .wire, .das, .7z, .x3f, .slm, .zw, .3fr, .svg, .bc6, .gho, .xdl, .zip, .ztmp, .csv, .mpqge, .wp4, .pst, .wsd, .cdr, .menu, .mdb, .js, .psd, .wbm, .wb2, .itdb, .crw, .d3dbsp, .raf, .litemod, .py, .xwp, .xyp, .vpk, .rgss3a, .kf, .wot, .wp, .xbdoc, .x3d, .syncdb, .desc, .pptm, .pdd, .z3d, .dng, .yal, .apk
Once a file is encrypted, its extension is replaced with .RYK. Next, the ransomware virus creates a file named ‘RyukReadMe.txt’. This file contains instructions on how to decrypt all encrypted photos, documents and music. One of the variants of the ransom message is shown below:
Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you encrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at CharlstonParkwji@protonmail.com or Huntingdonu@tutanota.com You will receive btc address for payment in the reply letter Ryuk No system is safe
Unfortunately, at this time, victims of the .RYK ransomware virus cannot decrypt encrypted documents, photos and music without the actual encryption key. But you can use our tutorial below to scan for and delete .RYK ransomware virus from your computer as well as restore encrypted personal files for free.
Table of contents
- How to decrypt .RYK files
- How to remove .RYK ransomware virus
- How to restore .RYK files
- How to protect PC from .RYK ransomware
How to decrypt .RYK files
The .RYK ransomware demands a payment in Bitcoins in exchange for a key to decrypt files. It is important to know that it is currently not possible to decrypt .RYK files without the private key and the decryption program. If you choose to pay the ransom, there is no 100% guarantee that you will be able to decrypt all documents, photos and music! In addition, you must understand that by paying money to the cyber criminals, you are encouraging them to create new ransomware.
If you do not want to pay for a decryption key, then you have a chance to restore encrypted photos, documents and music for free.
How to remove .RYK ransomware virus
In most cases it is not possible to get rid of the .RYK ransomware virus manually. For that reason, our team has put together several removal methods, combined in the detailed instructions below. If you have the .RYK ransomware on your personal computer and are trying to remove it, follow the step-by-step tutorial below. Some of the steps will require you to restart your computer or close this webpage, so read this guide carefully, then bookmark or print it for later reference.
Remove RYK ransomware with Zemana Anti-malware
You can remove the RYK ransomware virus automatically with the help of Zemana Anti-malware. We recommend this malware removal utility because it can easily delete ransomware viruses and other malware with all their components such as folders, files and registry entries.
- Visit the page linked below to download Zemana Anti-Malware (ZAM). Save it to your Desktop so that you can access the file easily.
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
- Once the download is finished, close all programs and windows on your system. Open the folder where you saved the file. Double-click on the icon that’s named Zemana.AntiMalware.Setup.
- Next, click the Next button and follow the prompts.
- Once installation is finished, press the “Scan” button to perform a system scan with this utility for the RYK ransomware and other security threats. A system scan may take anywhere from 5 to 30 minutes, depending on your computer. While the utility is scanning, you can see the number of objects and files it has already scanned.
- After the scan is finished, Zemana Anti Malware will display the results. Review them. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply click “Next”. When the task is done, you may be prompted to reboot your computer.
Remove .RYK ransomware virus with MalwareBytes Free
You can remove the .RYK ransomware virus automatically using MalwareBytes Free. We recommend this free malware removal tool because it can easily get rid of viruses, adware, malware and other undesired programs with all their components such as files, folders and registry entries.
- Download MalwareBytes Anti Malware (MBAM) by clicking on the link below.
Category: Security tools
Update: July 25, 2019
- At the download page, click on the Download button. Your web-browser will show the “Save as” prompt. Please save it onto your Windows desktop.
- After the downloading process is finished, please close all programs and open windows on your system. Double-click on the icon that’s named mb3-setup.
- This will launch the “Setup wizard” of MalwareBytes Anti Malware (MBAM) on your PC. Follow the prompts and do not make any changes to default settings.
- When the Setup wizard has finished installing, the MalwareBytes Anti Malware (MBAM) will open and display the main window.
- Next, click the “Scan Now” button. MalwareBytes Anti Malware will scan the whole personal computer for the .RYK ransomware virus and other kinds of potential threats. Depending on your computer, the scan can take anywhere from a few minutes to close to an hour.
- After the scan is completed, you can review all threats found on your personal computer.
- Next, you need to click the “Quarantine Selected” button. Once the clean up is complete, you may be prompted to restart the machine.
- Close the Anti-Malware and continue with the next step.
Remove .RYK ransomware virus from computer with KVRT
KVRT is a free removal tool which can check your PC for a wide range of security threats such as the .RYK ransomware virus, adware, PUPs as well as other malware. It will perform a deep scan of your computer including hard drives and the Windows registry. When malware is detected, it will help you to remove all detected threats from your computer with a simple click.
Download Kaspersky virus removal tool (KVRT) from the link below. Save it on your Desktop.
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
Once the download is complete, double-click on the Kaspersky virus removal tool icon. Once the initialization process is finished, you’ll see the Kaspersky virus removal tool screen as shown in the following example.
Click Change Parameters and check the boxes next to all your drives. Press OK to close the Parameters window. Next, press the Start scan button to scan for the .RYK ransomware virus and other malware. This process may take quite a while, so please be patient. While the Kaspersky virus removal tool is scanning, you can see how many objects it has identified as being affected by malicious software.
After the system scan is complete, the results are displayed in the scan report like below.
In order to remove all threats, simply press Continue to start a cleaning task.
How to restore .RYK files
In some cases, you can recover files encrypted by the .RYK ransomware virus. Try both methods. It is important to understand that we cannot guarantee that you will be able to recover all encrypted documents, photos and music.
Use shadow copies to restore .RYK files
If automated backup (System Restore) is enabled, then you can use it to recover all encrypted files to previous versions.
Please go to the link below to download the latest version of ShadowExplorer for Microsoft Windows. Save it on your Windows desktop.
Category: Security tools
Update: February 27, 2018
Once the download is done, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder as displayed on the screen below.
Start the ShadowExplorer tool and then select the disk (1) and the date (2) of the shadow copy from which you want to recover the file(s) encrypted by the .RYK ransomware virus, as on the image below.
Now navigate to the file or folder that you want to recover. When ready, right-click on it and click the ‘Export’ button like below.
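Choosing the date in ShadowExplorer is easier once you know when encryption started. The Python script below is an added example, not part of the original guide: it inventories files ending in .RYK and RyukReadMe.txt notes under a folder and keeps only the snapshot dates older than the first encrypted file. The function names are hypothetical, and it assumes an encrypted file's modification time is the time it was written.

```python
import os
import sys
from datetime import datetime, timezone

ENCRYPTED_EXT = ".ryk"        # extension from this page, matched case-insensitively
NOTE_NAME = "ryukreadme.txt"  # ransom note name from this page, lower-cased

def scope_damage(root):
    """Inventory encrypted files and ransom notes under root (read-only walk)."""
    by_dir, note_dirs, earliest = {}, [], None
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower == NOTE_NAME:
                note_dirs.append(dirpath)
            elif lower.endswith(ENCRYPTED_EXT):
                try:
                    mtime = os.stat(os.path.join(dirpath, name)).st_mtime
                except OSError:
                    continue  # unreadable or vanished file: skip, keep walking
                by_dir[dirpath] = by_dir.get(dirpath, 0) + 1
                earliest = mtime if earliest is None else min(earliest, mtime)
    return {
        "encrypted_total": sum(by_dir.values()),
        "encrypted_by_dir": by_dir,
        "note_dirs": sorted(note_dirs),
        # Assumption: the encrypted copy's mtime is the time it was written.
        "earliest_encrypted": (datetime.fromtimestamp(earliest, timezone.utc)
                               if earliest is not None else None),
    }

def usable_snapshots(snapshot_times, report):
    """Keep only snapshot datetimes taken before the first encrypted file."""
    cutoff = report["earliest_encrypted"]
    if cutoff is None:
        return sorted(snapshot_times)
    return sorted(t for t in snapshot_times if t < cutoff)

if __name__ == "__main__":
    report = scope_damage(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("encrypted files:", report["encrypted_total"])
    print("ransom notes in:", len(report["note_dirs"]), "folders")
    print("first encrypted (UTC):", report["earliest_encrypted"])
    worst = sorted(report["encrypted_by_dir"].items(), key=lambda kv: -kv[1])
    for folder, count in worst[:20]:
        print(f"{count:6d}  {folder}")
```

Run it with the drive or folder to check as the only argument; it only reads file names and timestamps and changes nothing on disk.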
Use PhotoRec to recover .RYK files
Before a file is encrypted, the .RYK ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your photos, documents and music using file restore programs like PhotoRec.
Download PhotoRec on your Microsoft Windows Desktop from the link below.
Category: Security tools
Update: March 1, 2018
Once the download is done, open the directory in which you saved it. Right-click testdisk-7.0.win and select Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as displayed in the figure below.
Double click on qphotorec_win to run PhotoRec for Windows. It’ll show a screen as displayed in the figure below.
Choose a drive to recover as displayed below.
You will see a list of available partitions. Select a partition that holds encrypted files as on the image below.
Press the File Formats button and select the file types to restore. You can enable or disable the restore of certain file types. When this is complete, click the OK button.
Next, press Browse button to select where restored files should be written, then click Search.
The count of restored files is updated in real time. All recovered documents, photos and music are written to the folder that you chose in the previous step. You can access the files even if the restore process is not finished.
When the restore is complete, press the Quit button. Next, open the directory where the recovered photos, documents and music are stored. You will see contents as shown in the following example.
All restored documents, photos and music are written to the recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, you can sort your restored files by extension and/or date/time.
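Sorting a large PhotoRec output by hand is slow, so the following Python script (an added example, not part of the original guide or of PhotoRec) walks the recup_dir.N folders in numeric order, groups the recovered files by extension, lists the newest first and skips byte-identical copies. The function names are hypothetical; the only layout it assumes is the recup_dir.N naming described above.

```python
import hashlib
import os
import re
import sys
from collections import defaultdict

RECUP_RE = re.compile(r"^recup_dir\.(\d+)$")  # output folder naming from this page

def recup_dirs(out_root):
    """Return recup_dir.N folders in numeric order (recup_dir.2 before recup_dir.10)."""
    found = []
    for entry in os.scandir(out_root):
        match = RECUP_RE.match(entry.name)
        if match and entry.is_dir():
            found.append((int(match.group(1)), entry.path))
    return [path for _num, path in sorted(found)]

def _sha256(path):
    """Hash a file in 1 MiB chunks so large recovered files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def index_recovered(out_root):
    """Map extension -> recovered file paths, newest first, without duplicates."""
    seen, groups = set(), defaultdict(list)
    for folder in recup_dirs(out_root):
        for entry in sorted(os.scandir(folder), key=lambda e: e.name):
            if not entry.is_file():
                continue
            digest = _sha256(entry.path)
            if digest in seen:
                continue  # same bytes already listed from an earlier folder
            seen.add(digest)
            ext = os.path.splitext(entry.name)[1].lower() or "(none)"
            groups[ext].append((entry.stat().st_mtime, entry.path))
    return {ext: [path for _mtime, path in sorted(items, reverse=True)]
            for ext, items in groups.items()}

if __name__ == "__main__":
    index = index_recovered(sys.argv[1] if len(sys.argv) > 1 else ".")
    for ext, paths in sorted(index.items(), key=lambda kv: -len(kv[1])):
        print(f"{len(paths):6d}  {ext}  newest: {paths[0]}")
```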
How to protect PC from .RYK ransomware
Most antivirus apps already have a built-in protection system against the virus. Therefore, if your personal computer does not have an antivirus application, make sure you install one. As an extra protection, use CryptoPrevent.
Run CryptoPrevent to protect your PC from .RYK ransomware virus
Download CryptoPrevent from the link below. Save it on your Microsoft Windows desktop.
Run it and follow the setup wizard. Once the installation is finished, you will be shown a window where you can choose a level of protection, as on the image below.
Now click the Apply button to activate the protection.
Once you’ve completed the tutorial outlined above, your PC system should be clean from the .RYK ransomware virus and other malicious software. Your PC system will no longer encrypt your files. Unfortunately, if the steps do not help you, then you have caught a new variant of ransomware, and the best option is to ask for help here.