Redl file extension
.Redl file extension is an extension that uses the newest variant of STOP (djvu) ransomware to mark files that have been encrypted. Ransomware is malware created by criminals that restricts access to the victim’s files by encrypting them and demands a ransom for a pair of key-decryptor, necessary for decrypting files. Files encrypted with .redl extension become useless, their contents cannot be read without the key that the criminals have. Fortunately, there is a free decryptor, which in some cases can decrypt .redl files. It will be described in detail in this article.
Redl virus
Redl virus is the latest version of STOP ransomware, which was discovered by security researchers some days ago. This is already the is the 196th variant (v0196) of STOP ransomware. Like other variants, it encrypts all files on the computer and then demands a ransom for decryption. This virus encrypts files using a strong encryption method, which eliminates the possibility of finding a key in any way. For each victim, Redl uses a unique key with a small exception. If the virus cannot establish a connection with its command and control server (C&C) before starting the encryption process, then it uses an offline key. This key is the same for different victims, which makes it possible in some cases to decrypt files that were encrypted during the ransomware attack.
Redl has the ability to encrypt files of any type, regardless of what is in them. But it skips files with the extension: .ini, .dll, .lnk, .bat, .sys and files named ‘_readme.txt’. Thus, the following common file types can be easily encrypted:
.xls, .xlk, .odm, .odc, .wpl, .1, .pst, .wma, .kdc, .wsh, .y, .mlx, .xlgc, .wire, .zabw, .srw, .lbf, .flv, .sav, .ybk, .wmf, .ztmp, .xlsx, .svg, .dcr, .z, .rgss3a, .m2, .bay, .wcf, .rb, .fpk, .xml, .indd, .esm, .vfs0, .menu, .docx, .xbplate, .vtf, .desc, .wsc, .blob, .wbm, .ysp, .bar, .3dm, .qic, .crt, .ibank, .zi, .wri, .map, .itdb, .dmp, .1st, .pem, .pptm, .webdoc, .wpb, .wpe, .wbz, .sr2, .big, .wp5, .wm, .odt, .rim, .bkp, .xxx, .cr2, .arch00, .ws, .wpw, .rofl, .pptx, .wsd, .css, .itm, .cfr, .wav, .rar, .bsa, .mddata, .0, .wps, .dbf, .hvpl, .iwi, .hkdb, .3fr, .crw, .ff, .rwl, .raw, .wpd, .pfx, .epk, .p7b, .zw, .vdf, .tax, .rw2, .xdb, .db0, .kdb, .srf, .wpg, .itl, .rtf, .sb, .bc6, .m3u, .ncf, .wmd, .m4a, .wotreplay, .w3x, .mcmeta, .bkf, .ppt, .sum, .mpqge, .ntl, .accdb, .z3d, .xmmap, .wpt, .doc, .sie, .zdc, .vpk, .jpe, .cer, .cdr, .ai, .zif, .jpg, .mdf, .t12, .ptx, .wbmp, .wbc, .fos, .mef, .x, .gdb, .wgz, .zdb, .xls, .upk, wallet, .xy3, .webp, .p7c, .hkx, .layout, .xbdoc, .icxs, .pdf, .xpm, .txt, .xyp, .wp7, .xlsx, .dng, .mdbackup, .pkpass, .sid, .wb2, .mdb, .wbk, .snx, .psd, .wdp, .erf, .csv, .t13, .xld, .sidn, .odp, .xdl, .sidd, .yal, .vcf, .kf, .wma, .qdf, .mrwref, .fsh, .wot, .raf, .x3f, .hplg, .avi, .xwp, .wn, .sql, .gho, .ltx, .pdd, .wmv, .ods, .dazip, .vpp_pc, .wpa, .jpeg, .zip, .2bp, .d3dbsp, .odb, .7z, .eps
Each file that has been encrypted will be renamed. This means the following. If the file was called ‘document.docx’, then after encryption, it will be named ‘document.docx.redl’. Redl virus can encrypt files located on all drives connected to the computer. Therefore, files located in network attached storage and external devices can also be encrypted. It encrypts file by file, when all the files in the directory are encrypted, it drops a new file in the directory, which is called ‘_readme.txt’. Below is the contents of this file.
All directories with encrypted files have this file. But the contents of this file are the same everywhere. This file contains a message from Redl creators. In this message, the criminals report that all the files were encrypted and the only way to decrypt them is to buy a decryptor and key. Attackers demand a ransom of $490, if the victim does not pay the ransom within 72 hours, then the ransom will double to $980. Redl authors left two email addresses that the victim must use to contact them. To confirm the possibility of decryption, criminals offer to decrypt one file that does not contain important information for free. But it’s obvious that there is no guarantee that even by paying the ransom, the victim will be able to decrypt all files that have been encrypted.
Threat Summary
Name | Redl |
Type | Filecoder, Crypto virus, File locker, Ransomware, Crypto malware |
Encrypted files extension | .redl |
Ransom note | _readme.txt |
Contact | helpmanager@firemail.cc, helpmanager@iran.ir |
Ransom amount | $980,$490 in Bitcoins |
Detection Names | Trojan.Ransom.Stop, Trojan[Ransom]/Win32.STOP, Win32:MalwareX-gen [Trj], Win.Ransomware.Stop, W32/Kryptik.AGS, Trojan.TR/AD.InstaBot, W32/Stop, Ransom.Win32.Shade, Trojan.Stop.cd, Trojan-Ransom.Win32.Stop, Trojan.MalPack.GS, Trojan:Win32/Predator.PVD, Ransom_Stop.R023, Trojan.Win32.Z.Shade |
Symptoms | Your photos, documents and music have .redl extension appended at the end of the file name. Your file directories contain a ‘ransom note’ file that is usually a _readme.txt file. You have received instructions for paying the ransom. |
Distribution ways | Malicious e-mail spam. Malicious downloads that happen without a user’s knowledge when they visit a compromised webpage. Social media, such as web-based instant messaging programs. Malvertising campaigns. |
Removal | Redl virus removal guide |
Decryption | Free Redl Decryptor |
Redl authors claim that it is impossible to decrypt files that have been encrypted. Until recently, this was so. At the moment, with the advent of STOP (Redl) decryptor, in some cases you can decrypt files. This means that files can be decrypted if they are encrypted with the offline key that we talked about earlier. In all remaining cases, decryption is not yet possible. But there are several alternative ways that can allow everyone to recover the contents of encrypted files.
How to remove Redl ransomware virus & Decrypt .redl files
If your files were encrypted with Redl virus, we recommend using the following action plan, which will allow you to remove the ransomware and decrypt (restore) the encrypted files. Read this entire manual, then open it on your smartphone or print it. So it will be more convenient for you to carry out all the necessary actions.
Remove Redl ransomware virus
It is not recommended to immediately start decrypting or restoring files, this will be your mistake. This way is wrong. The best way is to go step by step: scan your computer for ransomware, detect and remove Redl virus, decrypt (recover) the encrypted files. To search for ransomware, we recommend using free malware removal tools. It is very important to use multiple malware removal tools to identify and remove Redl. Each of the used tools should be based on a different anti-virus (anti-malware) engine. This is the only way to make sure that the ransomware was found and completely removed.
Use Zemana to remove Redl
We recommend that you start the process of finding and removing Redl ransomware from a program called Zemana Anti-Malware. It is a malware removal tool, which is widely known among security experts and is often recommended by them. Zemana Anti-Malware is small in size, easy to use and can quickly scan your computer, find and remove ransomware, adware, trojans, worms, and other security threats. Immediately after the end of the scan, you can remove all found malware for free by simply clicking one button.
- Download Zemana on your Microsoft Windows Desktop from the link below.
Zemana AntiMalware
164108 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
- Run the downloaded file and follow the prompts.
- Once installed, click the “Scan” button. Zemana AntiMalware will start scanning the whole machine to find out Redl ransomware virus related folders,files and registry keys.
- In order to remove all found malware, simply press “Next” button.
Remove Redl with MalwareBytes Anti Malware
Another malware removal tool that we recommend using to remove Redl virus is MalwareBytes. After the tool is installed on the computer, you cann immediately check the computer, find and remove ransomware. As with Zemana Anti-Malware, MalwareBytes allows you to remove all found malware for free.
- Click the link below, then press the ‘Download’ button in order to download the latest version of MalwareBytes.
Malwarebytes Anti-malware
326461 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
- After the downloading process is finished, close all windows on your PC, start the downloaded file named MBsetup.
- Follow the prompts and do not make any changes to default settings.
- Click the “Scan Now” button to scan through the whole system for Redl ransomware virus.
- Once MalwareBytes completes the scan, it will display a list of detected threats.
- Click “Quarantine Selected” button.
To learn more about How to use MalwareBytes to remove Redl virus, we recommend that you read the following guide: How to use MalwareBytes Anti-malware.
Use KVRT to remove Redl ransomware virus from the PC
Kaspersky virus removal tool (KVRT) is the third utility that we recommend using to check your computer for ransomware and make sure that Redl ransomware virus is removed. It is a completely free utility that is based on the core of the famous antivirus created by Kaspersky Lab. KVRT can detect and remove a variety of malware, including ransomware, trojans, worms, adware, spyware, browser hijackers and so on.
- Download Kaspersky virus removal tool from the following link.
Kaspersky virus removal tool
129082 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
- Run the downloaded file.
- Click Start scan button to start scanning your computer for Redl crypto virus and other malicious applications.
- Once the scan get completed, KVRT will show a scan report.
- You may remove all found malware by simply press on Continue button.
To learn more about How to use Kaspersky virus removal tool to remove Redl ransomware, we recommend that you read the following guide: How to use Kaspersky virus removal tool.
How to decrypt .redl files
All files with the ‘.redl’ extension are encrypted. Their contents cannot be unlocked simply by removing this extension or completely changing the filename. To decrypt .redl files, you need a decryptor. Fortunately, Emsisoft has created a free decryptor called STOP Djvu decryptor.
To decrypt .redl files, use free STOP (Redl) decryptor
- Download STOP (Djvu) decryptor from the following link.
STOP Djvu decryptor - Scroll down to ‘New Djvu ransomware’ section.
- Click the download link and save the ‘decrypt_STOPDjvu.exe’ file to your desktop.
- Run decrypt_STOPDjvu.exe, read the license terms and instructions.
- On the ‘Decryptor’ tab, using the ‘Add a folder’ button, add the directory or disk where the encrypted files are located.
- Click the ‘Decrypt’ button.
STOP (Redl) decryptor is a free tool that allows everyone to decrypt .redl files for free. At the moment, the decryptor can only decrypt files that have been encrypted with an offline key. Unfortunately, if the files were encrypted with an online key, then the free decryptor is completely useless.
How to find out which key was used to encrypt files
Since STOP (Redl) decryptor only decrypts files encrypted with the offline key, each Redl’s victim needs to find out which key was used to encrypt the files. Determining the type of key used is not difficult. Below we give two ways. Use any of them.
Find out the type of key using ‘_readme.txt’ file
- Open the ransom demand message (‘_readme.txt’ file).
- Scroll down to the end of the file.
- There you will see a line with the text ‘Your personal ID’.
- Below is a line of characters that starts with ‘0195’ – this is your personal id.
Find out the type of key using ‘PersonalID.txt’ file
- Open disk C.
- Open directory ‘SystemID’.
- Open file named ‘PersonalID.txt’. This file lists ‘Personal ID’s that match the keys that the virus used to encrypt files.
The ‘Personal ID’ is not a key, it is an identifier related to a key that was used to encrypt files. If the ID ends with ‘t1’, then the files are encrypted with an offline key. If the ID does not end with ‘t1’, Redl virus used an online key. If you could not figure out how to determine which key was used to encrypt files, then we can help. Just write a request here or in the comments below.
What to do if STOP (Redl) decryptor says “Error: Unable to decrypt file with ID”
If during decryption of .redl files the decryptor reports ‘Error: Unable to decrypt file with ID’, skips files without decrypting them, then two cases are possible why this happens:
- files are encrypted with an ‘online key’, in this case, you need to use alternative methods to restore the contents of encrypted files;
- files are encrypted with an ‘offline key’, but the key itself has not yet been found by security researchers, in this case, you need to be patient and wait a while, in addition, you can also use alternative ways for recovering encrypted data;
Restore .redl files
As we already said, STOP (Redl) decryptor can only decrypt files encrypted using the so called ‘offline key’. What to do when files were encrypted with an online key? Even in this case, everyone has a chance to recover the contents of encrypted files. This is possible due to the existence of several alternative ways to restore files. Each of these methods does not require a decryptor and a unique key, which is in the hands of criminals. The only thing we strongly recommend that you perform (if you have not already done so) is to perform a full scan of the computer. You must be 100% sure that Redl virus has been removed. To find and remove ransomware, use the free malware removal tools.
Use ShadowExplorer to restore .redl files
The Windows OS (10, 8, 7 , Vista) has one very useful feature, it makes copies of all files that have been modified or deleted. This is done so that the user can recover, if necessary, the previous version of accidentally deleted or damaged files. These copies of the files are called ‘Shadow copies’. One tool that can help you recover files from the Shadow copies is ShadowExplorer. It is very small tool and easy to use. Unfortunately, ransomware often delete Shadow copies, thus blocking this method of recovering encrypted files. Nevertheless, be sure to try this method.
Download ShadowExplorer by clicking on the link below.
438814 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
Once the download is done, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as on the image below.
Double click ShadowExplorerPortable to run it. You will see the a window as displayed on the screen below.
In top left corner, select a Drive where encrypted photos, documents and music are stored and a latest restore point as shown below (1 – drive, 2 – restore point).
On right panel look for a file that you want to restore, right click to it and select Export like below.
Recover .redl files with PhotoRec
Another alternative way to recover encrypted files is to use data recovery tools. We recommend using a program called PhotoRec. This tool is free and does not require installation. Below we will show in detail how to use it to restore encrypted files.
Download PhotoRec by clicking on the link below.
After the download is done, open a directory in which you saved it. Right click to testdisk-7.0.win and choose Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as shown on the screen below.
Double click on qphotorec_win to run PhotoRec for Windows. It will display a screen like the one below.
Select a drive to recover like the one below.
You will see a list of available partitions. Choose a partition that holds encrypted files as shown in the figure below.
Press File Formats button and specify file types to recover. You can to enable or disable the restore of certain file types. When this is complete, press OK button.
Next, click Browse button to choose where recovered personal files should be written, then click Search.
Count of restored files is updated in real time. All restored documents, photos and music are written in a folder that you have chosen on the previous step. You can to access the files even if the restore process is not finished.
When the recovery is finished, press on Quit button. Next, open the directory where restored documents, photos and music are stored. You will see a contents similar to the one below.
All recovered photos, documents and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re looking for a specific file, then you can to sort your restored files by extension and/or date/time.
How to protect your PC from Redl ransomware virus?
Most antivirus apps already have built-in protection system against the ransomware virus. Therefore, if your computer does not have an antivirus program, make sure you install it. As an extra protection, run the HitmanPro.Alert. HitmanPro.Alert is a small security tool. It can check the system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
Visit the page linked below to download the latest version of HitmanPro.Alert for MS Windows. Save it to your Desktop.
Once the downloading process is complete, open the directory in which you saved it. You will see an icon like below.
Double click the HitmanPro Alert desktop icon. Once the tool is opened, you will be displayed a window where you can choose a level of protection, as shown below.
Now press the Install button to activate the protection.
Finish words
This guide was created to help all victims of Redl ransomware virus. We tried to give answers to the following questions: how to remove ransomware; how to decrypt .redl files; how to recover files, if STOP (Redl) decryptor does not help; what is an online key and what is an offline key. We hope that the information presented in this manual has helped you.
If you have questions, then write to us, leaving a comment below. If you need more help with Redl related issues, go to here.
Very informative post. But this does not work for me. I have try with script and extension has been changed but not working or opening any file. Try recovery software , shadow and restore not found. Files infected with .redl and id key from last is t1.
Hassan, if your id ends in ‘t1’, then your files are encrypted with the offline key. The fact that the decryptor does not decrypt them so far only means that the security researchers have not yet discovered the key. As soon as the security researchers discover the key, they will add it to their server and the decryptor will download this key automatically. You need to wait and try to decrypt encrypted files from time to time.
0196Asd374y5iuhldSTPTWx6OGUhqTfii4yIzOyWeG4kjhjl3JN65oJUe i am victim of .redl file…
is it encrypted with an offline key? or Online ? Please Help Me…
The ‘0196Asd374y5iuhldSTPTWx6OGUhqTfii4yIzOyWeG4kjhjl3JN65oJUe’ IDs is related to an online key, so files cannot be decrypted. Try to restore the contents of encrypted files using the following guide: How to recover ransomware encrypted files.