Cyber security professionals discovered a new variant of ransomware that named ‘Rezuc ransomware‘. It appends the .rezuc file extension to encrypted file names. Read below a brief summary of information related to this ransomware and how to restore or decrypt .rezuc files for free.
Files encrypted by .Rezuc ransomware
What is ‘.Rezuc ransomware virus’? It is a malware that encrypts files using a strong encryption method, preventing access to them. It will encrypt almost all types of files, including common as:
.ppt, .wsh, .lvl, .das, .fpk, .hkdb, .wpg, .odt, .pkpass, .bkf, .wps, wallet, .db0, .iwi, .raw, .wma, .kf, .forge, .wp5, .bsa, .ws, .rtf, .fsh, .mef, .0, .bar, .wpa, .xyp, .wmv, .xlk, .xmmap, .hkx, .wp6, .xld, .xyw, .sum, .wmf, .crw, .mrwref, .dxg, .txt, .dmp, .arch00, .srf, .webp, .dazip, .cfr, .re4, .hplg, .svg, .ysp, .m4a, .pef, .odp, .zip, .xbdoc, .desc, .wdb, .arw, .xxx, .tor, .xwp, .cdr, .icxs, .wmv, .mp4, .wpt, .odm, .y, .map, .xlsx, .avi, .erf, .p7b, .vpk, .ptx, .sr2, .vpp_pc, .esm, .flv, .sid, .mddata, .xbplate, .dng, .pfx, .xlsm, .1, .wp4, .wp, .wpd, .wpe, .rofl, .bkp, .ztmp, .zabw, .gdb, .lrf, .3dm, .wbd, .wm, .cr2, .rwl, .wbk, .wgz, .fos, .sql, .apk, .zw, .wri, .sav, .docx, .js, .wpb, .cas, .bay, .ff, .kdc, .xml, .der, .jpeg, .dbf, .xls, .m2, .kdb, .ntl, .syncdb, .asset, .itl, .xdl, .pdf, .p7c, .mdf, .docm, .wpw, .pem, .m3u, .mdbackup, .pptx, .xlgc, .raf, .yal, .qdf, .xpm, .psd, .nrw, .rb, .1st, .wav, .ibank, .z, .py, .webdoc, .mlx, .d3dbsp, .rw2, .qic, .indd, .menu, .w3x, .wbz, .ai, .ybk, .crt, .cer, .zdc, .pak, .vdf, .sb, .wbm, .wot, .blob, .layout, .big, .x, .wn, .7z, .doc, .upk, .wp7, .wps, .x3f, .3fr, .rar, .xf, .ods, .pdd, .xdb, .p12, .wbc, .dcr, .accdb, .bc6, .pst, .tax, .litemod, .wmd
When encrypting a file it will append the .rezuc extension to every encrypted file name to identify that the file has been encrypted. For example, a file called sample.doc would be encrypted and renamed to sample.doc.rezuc.
When the encryption procedure is finished, the malicious software leaves a ransomnote named ‘_readme.txt’ with instructions on how to purchase a private key to decrypt all photos, documents and music. An example of the ransomnote is:
Don't worry my friend, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-mVSS8cJcv3 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
Threat Summary
| Name | .Rezuc ransomware |
| Type | Ransomware, Filecoder, Crypto virus, File locker |
| Encrypted files extension | .rezuc |
| Ransom note | _readme.txt |
| Contact | gorentos@bitmessage.ch, @datarestore (telegram), bufalo@firemail.cc |
| Ransom amount | $980, $490 in Bitcoins |
| Symptoms |
|
| Removal | To remove .Rezuc ransomware use the removal guide |
| Decryption | To decrypt .Rezuc ransomware use the steps |
Therefore it is very important to follow the tutorial below without a wait. The few simple steps will assist you to delete .Rezuc ransomware virus. What is more, the guide below will help you recover (decrypt) encrypted personal files for free.
Quick links
- How to remove .Rezuc ransomware
- How to decrypt .rezuc files
- Use STOPDecrypter to decrypt .rezuc files
- How to restore .rezuc files
- How to protect your PC from .Rezuc ransomware?
- Finish words
How to remove .Rezuc ransomware
We can assist you remove .Rezuc ransomware, without the need to take your PC system to a professional. Simply follow the removal guide below if you currently have the ransomware virus on your PC system and want to get rid of it. If you’ve any difficulty while trying to remove the ransomware, feel free to ask for our assist in the comment section below. Read it once, after doing so, please print this page as you may need to close your web-browser or reboot your PC system.
Use Zemana Anti-malware to remove .Rezuc ransomware
We recommend using the Zemana Anti-malware that are completely clean your computer of ransomware. The utility is an advanced malicious software removal application designed by (c) Zemana lab. It is able to help you delete potentially unwanted apps, ransomwares, adware, malware, trojans, worms and other security threats from your system for free.
Visit the following page to download Zemana Anti-Malware (ZAM). Save it directly to your Windows Desktop.
164979 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
After downloading is finished, close all software and windows on your system. Open a directory in which you saved it. Double-click on the icon that’s named Zemana.AntiMalware.Setup as shown below.
When the setup begins, you will see the “Setup wizard” that will help you install Zemana AntiMalware (ZAM) on your PC.
Once setup is finished, you will see window as shown in the following example.
Now click the “Scan” button to perform a system scan with this tool for the .Rezuc ransomware related files, folders and registry keys. A system scan can take anywhere from 5 to 30 minutes, depending on your computer. When a threat is detected, the count of the security threats will change accordingly.
When the scanning is finished, Zemana Anti-Malware will display you the results. Review the results once the tool has finished the system scan. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply click “Next” button.
The Zemana will remove .Rezuc ransomware virus, other malicious software, worms and trojans and move threats to the program’s quarantine.
Automatically remove .Rezuc ransomware virus with MalwareBytes
Get rid of .Rezuc ransomware virus manually is difficult and often the ransomware virus is not completely removed. Therefore, we suggest you to run the MalwareBytes which are fully clean your PC system. Moreover, this free application will allow you to remove malicious software, trojans, worms and adware that your machine may be infected too.
- MalwareBytes Free can be downloaded from the following link. Save it directly to your MS Windows Desktop.
Malwarebytes Anti-malware
327222 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
- At the download page, click on the Download button. Your web browser will show the “Save as” prompt. Please save it onto your Windows desktop.
- After the downloading process is finished, please close all apps and open windows on your computer. Double-click on the icon that’s named mb3-setup.
- This will launch the “Setup wizard” of MalwareBytes Free onto your machine. Follow the prompts and do not make any changes to default settings.
- When the Setup wizard has finished installing, the MalwareBytes Anti Malware will start and show the main window.
- Further, press the “Scan Now” button to begin checking your computer for the .Rezuc ransomware virus, other malicious software, worms and trojans. A system scan can take anywhere from 5 to 30 minutes, depending on your system. While the MalwareBytes AntiMalware (MBAM) program is checking, you may see how many objects it has identified as threat.
- After MalwareBytes completes the scan, MalwareBytes Anti Malware will produce a list of undesired programs adware software.
- Make sure all threats have ‘checkmark’ and click the “Quarantine Selected” button. When finished, you may be prompted to restart the computer.
- Close the Anti Malware and continue with the next step.
Video instruction, which reveals in detail the steps above.
Scan and clean your PC of ransomware with KVRT
KVRT is a free portable program that scans your personal computer for trojans, PUPs and ransomware viruses such as the .Rezuc ransomware and helps remove them easily. Moreover, it will also help you delete any malicious web browser extensions and add-ons.
Download Kaspersky virus removal tool (KVRT) on your PC by clicking on the link below.
129279 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
Once the downloading process is complete, double-click on the KVRT icon. Once initialization procedure is finished, you will see the KVRT screen as displayed on the screen below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button to perform a system scan for the .Rezuc ransomware virus and other malware. A system scan can take anywhere from 5 to 30 minutes, depending on your computer. When a malicious software, trojan or ransomware are found, the number of the security threats will change accordingly.
Once KVRT completes the scan, the results are displayed in the scan report as shown on the image below.
You may remove items (move to Quarantine) by simply click on Continue to begin a cleaning task.
How to decrypt .rezuc files
The .Rezuc ransomware uses very strong hybrid encryption with a large key. What does it mean to decrypt the files is impossible without the private key. Use a “brute forcing” is also not a solution because of the big length of the key. Therefore, unfortunately, the only payment to the authors of the .Rezuc ransomware entire amount requested – the only method to try to get the decryption key and decrypt all your files.
If your documents, photos and music have been encrypted by the .Rezuc ransomware virus, We advises: do not to pay the ransom. If this malicious software make money for its developers, then your payment will only increase attacks against you. Of course, decryption without the private key is not feasible, but that does not mean that the .Rezuc ransomware must seriously disrupt your live.
Files encrypted by .Rezuc ransomware
With some variants of the Rezuc ransomware, it is possible to decrypt or restore encrypted files using free tools such as STOPDecrypter, ShadowExplorer and PhotoRec.
Use STOPDecrypter to decrypt .rezuc files
Michael Gillespie (@) released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).
STOPDecrypter
STOPDecrypter has been updated to include decryption support for the following .djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos, .dotmap. STOPDecrypter will work for any extension of the Djvu* variants including new extensions (.rezuc).
Please check the twitter post for more info.
How to restore .rezuc files
In some cases, you can restore files encrypted by .Rezuc ransomware. Try both methods. Important to understand that we cannot guarantee that you will be able to restore all encrypted photos, documents and music.
Run ShadowExplorer to recover .rezuc files
A free utility called ShadowExplorer is a simple method to use the ‘Previous Versions’ feature of MS Windows 10 (8, 7 , Vista). You can restore .rezuc files encrypted by the .Rezuc ransomware from Shadow Copies for free.
Download ShadowExplorer from the following link. Save it directly to your MS Windows Desktop.
439621 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
Once the download is finished, extract the saved file to a folder on your PC. This will create the necessary files as shown on the image below.
Start the ShadowExplorerPortable program. Now select the date (2) that you want to recover from and the drive (1) you wish to recover files (folders) from as shown on the screen below.
On right panel navigate to the file (folder) you wish to recover. Right-click to the file or folder and click the Export button as shown in the figure below.
And finally, specify a folder (your Desktop) to save the shadow copy of encrypted file and click ‘OK’ button.
Restore .rezuc files with PhotoRec
Before a file is encrypted, the .Rezuc ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your personal files using file recover apps like PhotoRec.
Download PhotoRec from the link below. Save it to your Desktop so that you can access the file easily.
When the download is done, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder like below.
Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It will open a screen as shown on the screen below.
Select a drive to recover as displayed on the image below.
You will see a list of available partitions. Choose a partition that holds encrypted photos, documents and music as on the image below.
Click File Formats button and specify file types to recover. You can to enable or disable the restore of certain file types. When this is complete, click OK button.
Next, press Browse button to select where restored personal files should be written, then press Search.
Count of recovered files is updated in real time. All recovered photos, documents and music are written in a folder that you have selected on the previous step. You can to access the files even if the restore process is not finished.
When the recovery is finished, click on Quit button. Next, open the directory where restored files are stored. You will see a contents as on the image below.
All restored files are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re searching for a specific file, then you can to sort your restored files by extension and/or date/time.
How to protect your PC from .Rezuc ransomware?
Most antivirus software already have built-in protection system against the ransomware. Therefore, if your machine does not have an antivirus program, make sure you install it. As an extra protection, run the HitmanPro.Alert.
Use HitmanPro.Alert to protect your system from .Rezuc ransomware
HitmanPro.Alert is a small security utility. It can check the system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
HitmanPro.Alert can be downloaded from the following link. Save it on your Windows desktop.
Once the downloading process is finished, open the folder in which you saved it. You will see an icon like below.
Double click the HitmanPro Alert desktop icon. When the utility is started, you’ll be shown a window where you can select a level of protection, like below.
Now click the Install button to activate the protection.
Finish words
Now your PC should be free of the .Rezuc ransomware. Remove MalwareBytes Anti Malware and KVRT. We advise that you keep Zemana (to periodically scan your system for new malicious software). Moreover, to prevent ransomware virus, please stay clear of unknown and third party applications, make sure that your antivirus program, turn on the option to block or detect ransomware.
If you need more help with .Rezuc ransomware virus related issues, go to here.
