A new variant of Stoneland@firemail.cc ransomware has been discovered by experienced security professionals. It appends the .redmat file extension to encrypted files. This ransomware targets computers running Microsoft Windows by spam emails, malicious software or manually installing the ransomware. Here’s everything you need to know about this ransomware, how to remove Redmat file virus and how to restore (decrypt) encrypted personal files for free.
Redmat ransomware virus is a malicious software that encrypts photos, documents and music using an unbreakable ‘key’ that only the software developers knows. It forces you to pay a ransom to decrypt them. It is known to encrypt almost all file types, including files with extensions:
.csv, .wpl, .sr2, .xls, .y, .pdd, .sidd, .wsd, .dazip, .x3d, .fsh, .pkpass, .icxs, .rim, .rtf, .gho, .wn, .epk, .odc, .txt, .das, .der, .syncdb, .eps, .xdl, .yal, .srw, .3dm, .raw, .wbz, .dcr, .2bp, .qic, .wdp, .wp7, .arw, .mcmeta, .layout, .crt, .wma, .xlsb, .vcf, .wp6, .p7c, .mpqge, .wb2, .wpb, .desc, .ai, .1st, .wmv, .pef, .xll, .wpw, .nrw, .vpp_pc, .iwi, .xml, .jpg, .fpk, .ibank, .asset, .xxx, .fos, .wsh, .x3f, .mdf, .pem, .kf, .upk, .zif, .wpd, .zip, .itm, .pptm, .map, .d3dbsp, .sav, .jpeg, .wpt, .wm, .xdb, .pdf, .xlsx, .jpe, .sum, .dba, .zdc, .wpg, .mdbackup, .wmf, .ff, .doc, .odp, .blob, .snx, .vpk, .m4a, .pak, .svg, .png, .zw, .0, .xmmap, .wri, .sql, .rw2, .zabw, .vfs0, .zi, .xlgc, .wot, .dwg, .wpe, .wpd, .wmo, .7z, .psd, .forge, .wbm, .wma, .pst, .indd, .ws, .zip, .xlsm, .3fr, .t13, .hplg, .wmd, wallet, .xlk, .lvl, .dmp, .ntl, .wgz, .cr2, .bsa, .xlsx, .wdb, .bkf, .tax, .wire, .sidn, .wbmp, .cdr, .itdb, .accdb, .rofl, .wbc, .lbf, .wmv, .w3x, .wav, .ysp, .psk, .t12, .xyw, .mov, .ybk, .bc6, .bik, .flv, .menu, .esm, .qdf, .tor, .p7b, .wotreplay, .wcf, .wsc, .bkp, .mrwref, .ppt, .ltx, .p12, .dng, .xmind, .m3u, .xf, .webp, .odb, .wp, .wp4, .iwd, .ncf, .xlsm, .x, .1, .wbk, .ptx, .kdb, .sb, .big, .srf, .xbdoc, .slm, .m2, .sie, .gdb, .xpm, .dxg, .bay, .xy3, .sid, .odm, .cas, .xld, .odt, .pptx, .wps, .sis, .apk, .vdf, .orf, .crw, .docx, .yml, .mef, .pfx, .wp5, .xls, .x3f, .bar, .3ds, .db0, .docm, .cfr, .mdb
Upon successful encryption, it appends the .redmat extension to the file name of its encrypted file. The ransomware also creates a text file named ‘_readme.txt’ in each folder. This file is a ransomnote. The ransomnote asks for money in the form of bitcoins. The content of the ransom demanding message is below:
ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-7AKxZTQTdy Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
Threat Summary
Name | Redmat |
Type | Ransomware, Filecoder, Crypto virus, File locker |
Encrypted files extension | .redmat |
Ransom note | _readme.txt |
Contact | @datarestore (telegram), gorentos@bitmessage.ch, stoneland@firemail.cc |
Ransom amount | $490, $980 in Bitcoins |
Symptoms |
|
Removal | To remove Redmat ransomware use the removal guide |
Decryption | To decrypt Redmat ransomware use the steps |
In the steps below, I have outlined few methods that you can use to remove Redmat crypto malware from your computer and restore (decrypt) .redmat files using only free software.
Quick links
- How to remove Redmat ransomware virus
- How to decrypt .redmat files
- Use STOPDecrypter to decrypt .redmat files
- How to restore .redmat files
- How to protect your machine from Redmat ransomware?
- To sum up
How to remove Redmat ransomware virus
IT security experts have built efficient malware removal tools to help users in deleting Ransomware, trojans and worms. Below we will share with you the best malware removal tools with the ability to search for and remove Redmat crypto virus and other malware.
Run Zemana Anti-malware to remove Redmat ransomware
We suggest using the Zemana Anti-malware that are completely clean your computer of the Redmat ransomware virus. The utility is an advanced malware removal program made by (c) Zemana lab. It is able to help you get rid of PUPs, ransomwares, adware software, malicious software, toolbars, ransomware and other security threats from your computer for free.
Zemana can be downloaded from the following link. Save it to your Desktop so that you can access the file easily.
164113 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
Once the download is finished, close all windows on your computer. Further, run the install file called Zemana.AntiMalware.Setup. If the “User Account Control” prompt pops up as shown below, click the “Yes” button.
It will show the “Setup wizard” which will help you install Zemana Anti Malware (ZAM) on the PC system. Follow the prompts and do not make any changes to default settings.
Once installation is finished successfully, Zemana Anti Malware will automatically start and you can see its main window as shown in the following example.
Next, click the “Scan” button to search for Redmat ransomware and other security threats. While the utility is checking, you can see number of objects and files has already scanned.
After the scan get completed, the results are displayed in the scan report. Review the report and then press “Next” button.
The Zemana AntiMalware will remove Redmat ransomware related files, folders and registry keys and move items to the program’s quarantine. Once the cleaning process is finished, you can be prompted to restart your computer.
Remove .Redmat ransomware with MalwareBytes AntiMalware
Delete Redmat ransomware virus manually is difficult and often the ransomware virus is not fully removed. Therefore, we suggest you to run the MalwareBytes AntiMalware which are completely clean your system. Moreover, this free program will help you to get rid of malicious software, trojans, worms and adware that your system can be infected too.
- Download MalwareBytes AntiMalware (MBAM) by clicking on the following link. Save it on your Desktop.
Malwarebytes Anti-malware
326464 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
- At the download page, click on the Download button. Your web browser will show the “Save as” prompt. Please save it onto your Windows desktop.
- Once the download is finished, please close all software and open windows on your personal computer. Double-click on the icon that’s named mb3-setup.
- This will start the “Setup wizard” of MalwareBytes Free onto your PC. Follow the prompts and do not make any changes to default settings.
- When the Setup wizard has finished installing, the MalwareBytes Anti-Malware (MBAM) will open and display the main window.
- Further, click the “Scan Now” button for checking your computer for the Redmat ransomware virus related files, folders and registry keys. This procedure can take some time, so please be patient. When a malicious software, adware or potentially unwanted applications are detected, the count of the security threats will change accordingly.
- After the scan is finished, MalwareBytes will create a list of malicious software.
- In order to remove all items, simply click the “Quarantine Selected” button. After that process is finished, you may be prompted to restart the PC.
- Close the Anti Malware and continue with the next step.
Video instruction, which reveals in detail the steps above.
Run KVRT to remove .Redmat file virus
KVRT is a free removal utility that may be downloaded and use to remove ransomwares, adware, malicious software, PUPs, toolbars and other threats from your personal computer. You can run this utility to detect threats even if you have an antivirus or any other security program.
Download Kaspersky virus removal tool (KVRT) on your system from the link below.
129082 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
After the downloading process is done, double-click on the Kaspersky virus removal tool icon. Once initialization process is done, you’ll see the KVRT screen as shown below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button to begin checking your computer for the Redmat crypto virus and other malicious software. While the KVRT is scanning, you can see how many objects it has identified either as being malware.
Once the scan get finished, the results are displayed in the scan report as on the image below.
Review the results once the tool has finished the system scan. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply press on Continue to begin a cleaning procedure.
How to decrypt .redmat files
The encryption mode is so strong that it is practically impossible to decrypt .redmat files without the actual encryption key.
We don’t recommend paying a ransom, as there is no guarantee that you will be able to decrypt your files. In addition, you must understand that paying money to the cyber criminals, you are encouraging them to create a new crypto malware.
With some variants of the Redmat ransomware, it is possible to decrypt or restore encrypted files using free tools such as STOPDecrypter, ShadowExplorer and PhotoRec.
Use STOPDecrypter to decrypt .redmat files
Michael Gillespie (@) released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).
STOPDecrypter has been updated to include decryption support for the following .djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos, .dotmap. STOPDecrypter will work for any extension of the Djvu* variants including new extensions (.redmat).
Please check the twitter post for more info.
How to restore .redmat files
In some cases, you can restore files encrypted by Redmat crypto virus. Try both methods. Important to understand that we cannot guarantee that you will be able to recover all encrypted photos, documents and music.
Use shadow copies to restore .redmat files
An alternative is to restore .redmat photos, documents and music from their Shadow Copies. The Shadow Volume Copies are copies of files and folders that Microsoft Windows 10 (8, 7 and Vista) automatically saved as part of system protection. This feature is fantastic at rescuing documents, photos and music that were damaged by Redmat ransomware virus. The tutorial below will give you all the details.
Download ShadowExplorer by clicking on the link below.
438824 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
Once the download is complete, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as displayed on the image below.
Launch the ShadowExplorer tool and then select the disk (1) and the date (2) that you want to restore the shadow copy of file(s) encrypted by the Redmat ransomware like below.
Now navigate to the file or folder that you want to recover. When ready right-click on it and click ‘Export’ button as displayed on the screen below.
Use PhotoRec to recover .redmat files
Before a file is encrypted, the Redmat ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your documents, photos and music using file recover programs such as PhotoRec.
Download PhotoRec by clicking on the following link.
After the download is finished, open a directory in which you saved it. Right click to testdisk-7.0.win and choose Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as shown on the screen below.
Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It will display a screen as on the image below.
Choose a drive to recover as shown below.
You will see a list of available partitions. Choose a partition that holds encrypted personal files as shown in the following example.
Click File Formats button and specify file types to recover. You can to enable or disable the restore of certain file types. When this is done, click OK button.
Next, press Browse button to choose where recovered photos, documents and music should be written, then click Search.
Count of recovered files is updated in real time. All recovered personal files are written in a folder that you have chosen on the previous step. You can to access the files even if the recovery process is not finished.
When the restore is done, click on Quit button. Next, open the directory where restored files are stored. You will see a contents as shown on the screen below.
All restored personal files are written in recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, then you can to sort your recovered files by extension and/or date/time.
How to protect your machine from Redmat ransomware?
Most antivirus apps already have built-in protection system against the ransomware. Therefore, if your personal computer does not have an antivirus program, make sure you install it. As an extra protection, use the HitmanPro.Alert.
Use HitmanPro.Alert to protect your PC from Redmat ransomware
HitmanPro.Alert is a small security tool. It can check the system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
Please go to the link below to download the latest version of HitmanPro.Alert for Microsoft Windows. Save it to your Desktop so that you can access the file easily.
Once downloading is complete, open the folder in which you saved it. You will see an icon like below.
Double click the HitmanPro Alert desktop icon. After the utility is opened, you’ll be shown a window where you can choose a level of protection, like below.
Now click the Install button to activate the protection.
To sum up
Now your PC system should be clean of the Redmat ransomware. Delete KVRT and MalwareBytes. We recommend that you keep Zemana Anti-Malware (to periodically scan your personal computer for new malicious software). Probably you are running an older version of Java or Adobe Flash Player. This can be a security risk, so download and install the latest version right now.
If you are still having problems while trying to get rid of Redmat ransomware from your computer, then ask for help here.