If a .reco extension has suddenly been added to the end of your file names, the files no longer open in their associated programs, and their icons have gone blank, then your files have been encrypted and your computer has been hit by ransomware. Use the guide below to remove Reco and restore access to your files without paying the ransom.
What the ransomware does. It encrypts files and then changes their extension to ‘reco’. That is, if a file named image.jpg is encrypted, it will be renamed image.jpg.reco. The ransomware can encrypt almost all files; it only skips files that Windows needs in order to work. The following file types can be encrypted:
.rwl, .wma, .db0, .esm, .wmv, .wdb, .sis, .xlsx, .p12, .ws, .iwi, .x3f, .xxx, .wn, .3fr, .xld, .itl, .odt, .z, .bc6, .mov, .arw, .dba, .wbc, .ybk, .epk, .pfx, .slm, .zif, .hkx, .xyp, .sr2, .py, .ods, .rb, .zip, .avi, .bik, .ntl, .kf, .wav, .psd, .xyw, .odm, .wmd, .orf, .xlsx, .zdb, .bkp, .wp, .0, .xll, .x3d, .lbf, .xar, .wpg, .cdr, .vpp_pc, .wsc, .eps, .pdd, .zabw, .mpqge, .qdf, .dng, .dmp, .bkf, .xdl, .vcf, .arch00, .psk, .wpw, .r3d, .webp, .svg, .x, .itm, .xlsb, .itdb, .wb2, .ptx, .webdoc, .qic, .wp7, .wri, .yal, .xbplate, .dwg, .dbf, .3ds, .xmmap, .wp6, .raf, .sql, .zw, .gdb, .t12, .upk, .cas, .x3f, .vpk, .ztmp, .wsh, .wbz, .sidd, .cr2, .bay, .raw, .lvl, .txt, .7z, .docx, .wgz, .xbdoc, .lrf, .wsd, .wmf, .wcf, .sav, .wbd, .wotreplay, .m4a, .sum, .wps, .xpm, .fsh, .ysp, .cfr, .wm, .kdb, .sid, .srw, .rtf, .mp4, .3dm, .erf, wallet, .xls, .rar, .wpa, .xy3, .wps, .yml, .mddata, .t13, .bc7, .css, .snx, .tor, .xls, .xmind, .jpe, .big, .w3x, .pak, .1st, .odb, .2bp, .wpd, .pkpass, .ai, .apk, .wma, .wbm, .sidn, .p7c, .srf, .wot, .wpt, .doc, .xlk, .hvpl, .jpeg, .pptm, .pst, .wmv, .1, .fpk, .layout, .rofl, .wpb, .rgss3a, .wpd, .d3dbsp, .forge, .xf, .flv, .syncdb, .nrw, .mdb, .m3u, .ppt, .mdbackup, .gho, .mrwref, .odc, .wmo, .accdb, .bar, .zi, .indd, .hplg, .pptx, .js, .ff, .litemod, .pef, .odp, .cer, .png, .p7b, .m2, .pdf, .rim, .ltx, .sb, .mdf, .vdf, .blob, .wbmp, .zdc, .sie, .der, .jpg, .y, .das, .xlsm, .vfs0, .wire, .menu, .xlsm, .re4, .wp5, .zip, .xml, .xx, .mef, .z3d, .map, .fos, .ncf, .icxs, .mcmeta, .asset, .rw2, .dxg, .tax, .iwd, .dcr, .pem, .wp4, .ibank, .kdc, .crw, .xlgc, .crt, .desc, .wdp, .csv, .bsa, .mlx
Reco ransomware uses a very strong encryption mode and a long unique key, so it is impossible to decrypt files without the key. Removing the new extension changes nothing; the files remain encrypted. In each directory that contains encrypted files, the ransomware creates a file with the ransom demand. In the case of Reco, this file is called ‘_readme.txt’; its contents are given below.
ATTENTION!
Don’t worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-iBpEhjntw2
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.
To get this software you need write on our e-mail:
gorentos@bitmessage.ch
Reserve e-mail address to contact us:
gerentosrestore@firemail.cc
This file contains a message from the Reco creators, in which they say that the only way to decrypt the files is to pay them a ransom of $980. Although the attackers do not describe the payment method in the note, it is known: most often they require the victim to transfer the agreed amount anonymously in electronic money, namely bitcoins.
Threat Summary
Name | Reco ransomware |
Type | Crypto malware, File locker, Crypto virus, Filecoder, Ransomware |
Encrypted files extension | .reco |
Ransom note | _readme.txt |
Contact | gorentos@bitmessage.ch |
Ransom amount | $980, $490 in Bitcoins |
Symptoms | Your photos, documents and music now have a .reco file extension. A file called ‘_readme.txt’ or ‘_readme’ appears in every folder that contains an encrypted file. |
Distribution ways | Malicious email attachments. Exploit kits (cybercriminals use ransomware virus packaged in an ‘exploit kit’ that can find a vulnerability in Browser, Adobe Flash Player, Microsoft Windows operating system, PDF reader). Social media, like web-based instant messaging programs. Torrent web sites. |
Removal | To remove Reco ransomware use the removal guide |
Decryption | To decrypt Reco ransomware use the steps |
Quick links
- How to decrypt .reco files
- How to remove Reco ransomware
- How to restore .reco files
- How to protect your PC from Reco crypto virus?
- Finish words
How to decrypt .reco files
How to decrypt encrypted files is the question asked by everyone who faces the consequences of a Reco attack. Unfortunately, files cannot be decrypted at this time. Although Reco is already the 170th version of the same ransomware, security experts have not yet developed a decryptor that could help all the victims. But it is not all bad. There are a few options that can help you decrypt (restore) files:
Use an offline key to decrypt .reco files. As we already wrote, Reco uses a key to encrypt files. This key is unique: it cannot be cracked, and you cannot use the key from another computer. Typically, Reco uses an online key that it receives from a control server, but in some cases, if this server is unavailable, the virus uses a so-called offline key. So, if an offline key was used in your case, there is a chance that it will eventually be found, and then you will be able to decrypt your files.
How to determine which key Reco used to encrypt files. First of all, you can look at the PersonaID that is given in the ‘_readme.txt’ file (ransom note).
Another way is to look on disk ‘C’ for the ‘SystemID/PersonaID.txt’ file. This is the file in which Reco stores the PersonaIDs used for encryption.
If there is an ID ending in ‘t1’, then you are lucky: your files were encrypted using an offline key, and when security experts find this key, you will be able to decrypt .reco files.
If your PersonaID does not end with ‘t1’, then Reco used an online key. In this case, you only have one option left, to use tools that are created to recover data. In some cases, this method helps to recover some or even all encrypted files. We will talk about this method below.
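An added example (not part of the original guide or of any vendor tool): a read-only Python triage that counts .reco files, lists folders that hold encrypted files but no ‘_readme.txt’, and applies the ‘t1’ rule above to an ID file. The function names, the one-ID-per-line layout and the sample IDs are assumptions; the ID file path is passed in by the caller (the guide gives it as ‘SystemID/PersonaID.txt’ on disk C).

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".reco"    # extension the page says is appended
NOTE_NAME = "_readme.txt"  # ransom note name given on the page
OFFLINE_SUFFIX = "t1"      # page: an ID ending in 't1' means an offline key

def classify_ids(id_file):
    """Map each ID to 'offline' or 'online' (assumes one ID per line)."""
    lines = Path(id_file).read_text(errors="replace").splitlines()
    return {p.strip(): "offline" if p.strip().endswith(OFFLINE_SUFFIX) else "online"
            for p in lines if p.strip()}

def inventory(root):
    """Count encrypted files per directory; collect directories holding a note."""
    encrypted, note_dirs = Counter(), set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted[dirpath] += 1
            elif name.lower() == NOTE_NAME:
                note_dirs.add(dirpath)
    return encrypted, note_dirs

def triage(root, id_file):
    """Read-only summary: nothing is renamed, deleted or modified."""
    encrypted, note_dirs = inventory(root)
    ids = classify_ids(id_file) if os.path.isfile(id_file) else {}
    return {
        "encrypted_total": sum(encrypted.values()),
        "dirs_affected": len(encrypted),
        "dirs_without_note": sorted(set(encrypted) - note_dirs),
        "ids": ids,
        "offline_key_seen": "offline" in ids.values(),
    }

def build_sample(root):
    """Constructed sample files and ID file; the IDs are made up for this demo."""
    for name in ("image.jpg.reco", "notes.txt.reco", NOTE_NAME, "untouched.ini"):
        Path(root, name).write_text("x")
    id_file = Path(root, "PersonaID.txt")
    id_file.write_text("EXAMPLEIDaaaa\nEXAMPLEIDbbbbt1\n")
    return str(id_file)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(triage(tmp, build_sample(tmp)))
```

Saving the report before running any removal tool keeps a record of which folders were affected and which IDs were present.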
Update: good news! A few days ago a free decryptor was released. Below I provide a link where you will find detailed information on where to download it and how to use it to decrypt .reco files.
STOP Djvu Ransomware Decryptor – Free way to decrypt encrypted files
How to remove Reco ransomware
Before you try to decrypt or restore .reco files, you need to check your computer for malware and find and remove the ransomware. To remove Reco, we recommend that you use several malware removal tools. Check the computer with more than one tool so that you can be sure Reco has been removed.
Run Zemana Anti-Malware (ZAM) to remove Reco ransomware
The first thing we recommend is a malware removal tool called Zemana Anti-Malware. The reason is simple: this tool is small, has a fast and powerful scanner and is easy to use. It will help you find and remove Reco for free.
Visit the page linked below to download the latest version of Zemana Free for Windows. Save it directly to your Windows Desktop.
When the download is finished, run it and follow the prompts. Once installed, Zemana will try to update itself; when this procedure is complete, press the “Scan” button to perform a system scan for Reco ransomware, other malware, worms and trojans.
This procedure may take quite a while, so please be patient. While the utility is checking, you can see how many objects and files it has already scanned. Make sure all items have a ‘checkmark’ and press the “Next” button.
The Zemana Free will start to uninstall Reco crypto malware and other security threats.
Run MalwareBytes to delete Reco ransomware virus
Another option is to use a malware removal tool called MalwareBytes. This tool is designed to detect and remove various types of malware, including ransomware such as Reco. And of course, this tool will delete all the threats it finds for free.
- Download MalwareBytes Free on your MS Windows Desktop from the link below.
- When the download is complete, close all programs and windows on your PC. Open the directory in which you saved it. Double-click the icon named mb3-setup.
- Next, press the Next button and follow the prompts.
- Once installation is complete, press the “Scan Now” button. MalwareBytes AntiMalware will scan the whole system for the Reco virus and other security threats. While MalwareBytes Free is scanning, you can see how many objects it has identified as threats.
- When MalwareBytes Anti Malware (MBAM) is done scanning your machine, MalwareBytes Anti-Malware (MBAM) will display a scan report. Make sure all threats have ‘checkmark’ and click “Quarantine Selected”. Once disinfection is complete, you can be prompted to reboot your system.
Run Kaspersky virus removal tool to remove Reco
The last option, which we also recommend, is to check the computer using Kaspersky virus removal tool (KVRT). Although this tool is in third place on our list, you should definitely use it. The reason is simple: KVRT uses one of the most powerful anti-virus engines.
Download Kaspersky virus removal tool (KVRT) on your computer by clicking on the following link.
Once the download is complete, double-click the KVRT icon. Once initialization is complete, you will see the Kaspersky virus removal tool screen.
Click Change Parameters and check the boxes next to all your drives. Press OK to close the Parameters window. Next, press the Start scan button. KVRT will start scanning the whole PC to find Reco malware and other known infections. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your machine and the speed of your computer. While the KVRT utility is checking, you can see how many objects it has identified as being infected by malicious software.
When KVRT is done scanning your machine, it will open a screen that lists the malware it has detected.
Make sure to check the items that are unsafe and then click Continue to begin the cleaning procedure.
How to restore .reco files
If you were unable to decrypt .reco files, or Reco used an online key to encrypt them, then today there is only one option that may help you recover encrypted files: use programs created to recover deleted or lost data. We recommend using ShadowExplorer and PhotoRec, although of course you can try other programs. The main advantages of ShadowExplorer and PhotoRec are, first, that we and other experts have tested them in situations where data had to be recovered after a ransomware attack, and second, that they are free.
One more thing: be sure to verify that Reco has been deleted before proceeding with the recovery of encrypted files.
Restore .reco encrypted files using Shadow Explorer
If automated backup (System Restore) is enabled, then you can use it to recover all encrypted files to previous versions.
ShadowExplorer can be downloaded from the following link. Save it to your Desktop so that you can access the file easily.
When the download is done, extract the downloaded file to a folder on your computer. This will create the necessary files.
Start the ShadowExplorerPortable program. Now select the date that you want to recover from and the drive you wish to recover files (folders) from.
In the right panel, navigate to the file (folder) you wish to restore. Right-click the file or folder and click the Export button.
Finally, specify a directory (your Desktop) in which to save the shadow copy of the encrypted file and click the ‘OK’ button.
Use PhotoRec to recover .reco files
The last, but most often helpful, way to recover files is to use a free program called PhotoRec. This program can help you because it relies on one feature of the Windows OS: when you delete a file, it is not deleted completely; the OS simply marks it as deleted. PhotoRec searches for such files and restores them. In the same way, PhotoRec can help you recover encrypted files.
Download PhotoRec on your Microsoft Windows Desktop by clicking on the link below.
Once the download is complete, open the directory in which you saved it. Right-click testdisk-7.0.win and choose Extract all. Follow the prompts. Next, open the testdisk-7.0 folder.
Double-click qphotorec_win to run PhotoRec for Windows. It will show its main screen.
Select a drive to recover.
You will see a list of available partitions. Choose the partition that holds the encrypted personal files.
Press the File Formats button and choose the file types to recover. You can enable or disable the restore of certain file types. When this is finished, press the OK button.
Next, click the Browse button to select where restored photos, documents and music should be written, then click Search.
The count of recovered files is updated in real time. All recovered personal files are written to the folder that you chose in the previous step. You can access the files even if the restore process is not finished.
When the restore is complete, click the Quit button. Next, open the directory where the recovered photos, documents and music are stored.
All recovered photos, documents and music are written to the recup_dir.1, recup_dir.2 … sub-directories. If you’re looking for a specific file, you can sort your restored files by extension and/or date/time.
Finish words
We hope these instructions helped you understand what Reco is, how to remove it and, most importantly, how to restore or decrypt .reco files. As we already said, if new ways to decrypt files appear, we will immediately let you know about them. Therefore, I recommend subscribing to our Facebook page or bookmarking this article.
If you have questions or comments, write to us below.