
MyAntiSpyware


.Rxx file extension. Remove Rxx virus. Restore, Decrypt .rxx files.

Myantispyware team March 4, 2020    

Rxx file extension

.Rxx is the file extension that a new malware from the Crysis/Dharma ransomware family appends to files it has encrypted. Ransomware is a malicious program that encrypts user files and demands a ransom for the key-decryptor pair needed to decrypt them. It uses a strong encryption system and a long key, which virtually eliminates the possibility of decrypting files without the key. Files encrypted with the .Rxx extension become useless: their contents cannot be read without the key that the criminals hold.

Rxx ransomware virus

Rxx virus

Rxx virus is one of the variants of Dharma/Crysis ransomware. This malware most often gets onto the computer as part of other programs (torrent files, freeware, cracked apps and games) that the user has downloaded from the Internet. Once started, the virus begins to encrypt files using a key that is individual for each computer. Rxx virus uses a very strong encryption system, which eliminates the possibility of determining the key, even using a supercomputer. The encryption process is very fast, and the virus can encrypt a file regardless of its contents. Rxx can encrypt almost all files on the computer, including those located on network drives. The only files the virus does not encrypt are those that Windows needs to function normally. Below we list the types of files that can be encrypted by the ransomware.

.bkf, .mdb, .jpe, .xyp, .rim, .mddata, .itl, .upk, .kdc, .mpqge, .xml, .psd, .das, .odc, .mcmeta, .itdb, .xmmap, .bkp, .blob, .d3dbsp, .vpk, .zip, .xld, .png, .xlgc, .rgss3a, .wp4, .wbmp, .avi, .mdbackup, .xf, .der, .litemod, .xmind, .wbd, .ibank, .webp, .zabw, .xlsx, .re4, .webdoc, .odm, .ztmp, .cer, .wpt, .1st, .syncdb, .qic, .jpeg, .hkdb, .accdb, .xdl, .sb, .ai, .wp7, .ltx, .mef, .mdf, .iwd, .wp6, .wot, .hkx, .bc6, .itm, .desc, .dwg, .xbdoc, .wdb, .odb, .esm, .wpa, .rb, .sr2, .xyw, .cas, .apk, .vdf, .z, .db0, .xlsm, .zip, .pef, .mov, .rw2, .r3d, .sidn, .xls, .y, .ff, .css, .pem, .wpw, .asset, .wma, .xy3, .srf, .wpb, .xll, .tor, .psk, .pdd, .wcf, .wsd, .yml, .x, .wpl, .xbplate, .svg, .orf, .yal, .doc, .wp, .sis, .iwi, .xxx, .menu, .sid, .bsa, .wps, .erf, .rofl, .gdb, .layout, .fpk, .pkpass, .wma, .pst, .dbf, .py, .fsh, .x3d, .xdb, .wm, .cdr, .jpg, .ybk, .bik, .wp5, .dazip, .cr2, .arw, .kf, .sidd, .txt, .rar, .zi, .eps, .m4a, .icxs, .fos, .wpd, .xls, .lrf, .sql, .xpm, .wav, .docx, .rwl, .sie, .pfx, .sav, .3dm, .xx, .x3f, .ws, .bar, .odp, .wotreplay, .dcr, .indd, .crt, .wmv, .wri, .map, .wbk, .lvl, .wsh, .xlsb, .kdb, .t13, .ntl, .zw, .mrwref, .2bp, .csv, .vfs0, .wpd, .3ds, .pptm, .dmp, .3fr, .0, .xlk, .7z, .crw, .arch00, .p7b, .m3u, .js, .wps, .big, .wb2, .dng, .pptx, .srw, .p12, .flv, .wn, .t12, .wgz, .snx, .wmd, .wbm, .hplg, .xlsx, .wmo, .dba, .dxg, .wbz, .m2, .zdb

When a file is encrypted, ‘.id-USERID.[EMAIL-ADDRESS].Rxx’ is appended to its name. That is, if you had a file named ‘document.docx’, a file named ‘document.docx.id-USERID.[EMAIL-ADDRESS].Rxx’ will appear in its place. Renaming the file or deleting the added extension changes nothing: the file remains encrypted and, as before, cannot be opened in the program it is associated with.
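The naming pattern described above can be used to inventory the damage from a plain file listing before any cleanup starts. The following is an added example, not part of the original article: the function names, the sample paths, the victim ID and the e-mail address in the sample are all constructed for illustration.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Naming pattern from the article: <original>.id-<USERID>.[<EMAIL>].Rxx
# Matched case-insensitively, since the article writes both .Rxx and .rxx.
MARKER = re.compile(
    r"^(?P<original>.+)\.id-(?P<user_id>[^.\[\]]+)"
    r"\.\[(?P<contact>[^\[\]]+)\]\.rxx$",
    re.IGNORECASE,
)
RANSOM_NOTE = "files encrypted.txt"  # note file name given in the article

# Constructed sample listing (paths, ID and address are made up).
SAMPLE = [
    r"C:\Users\alice\Documents\document.docx.id-1A2B3C4D.[someone@example.com].Rxx",
    r"C:\Users\alice\Documents\budget.xlsx.id-1A2B3C4D.[someone@example.com].rxx",
    r"C:\Users\alice\Desktop\FILES ENCRYPTED.txt",
    r"C:\Users\alice\Pictures\photo.jpg",
    r"\\nas\share\projects\plan.tar.gz.id-1A2B3C4D.[someone@example.com].Rxx",
]


def parse_marked_name(filename):
    """Split a marked file name into original name, victim ID and contact.

    Returns None when the name does not follow the pattern.
    """
    match = MARKER.match(filename)
    return match.groupdict() if match else None


def triage(paths):
    """Summarise a listing: marked files per folder, IDs, contacts, notes."""
    by_folder = defaultdict(list)
    report = {"user_ids": set(), "contacts": set(),
              "ransom_notes": [], "untouched": []}
    for raw in paths:
        path = PureWindowsPath(raw)  # handles drive letters and UNC shares
        if path.name.lower() == RANSOM_NOTE:
            report["ransom_notes"].append(raw)
            continue
        info = parse_marked_name(path.name)
        if info is None:
            # Name-based only: a file renamed back to its original name
            # lands here even though its contents are still encrypted.
            report["untouched"].append(raw)
            continue
        by_folder[str(path.parent)].append(info["original"])
        report["user_ids"].add(info["user_id"])
        report["contacts"].add(info["contact"].lower())
    report["encrypted_by_folder"] = dict(by_folder)
    return report


if __name__ == "__main__":
    result = triage(SAMPLE)
    for folder, names in result["encrypted_by_folder"].items():
        print(f"{folder}: {len(names)} encrypted -> {names}")
    print("victim IDs:", sorted(result["user_ids"]))
    print("contacts:", sorted(result["contacts"]))
    print("ransom notes:", result["ransom_notes"])
    print("no marker:", result["untouched"])
```

More than one victim ID in the result suggests the listing covers more than one infected computer, since the article states that the key is individual for each computer.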

Perhaps you found on your computer or its desktop a new file called ‘FILES ENCRYPTED.txt’, which for some reason is not encrypted. An example of such a file is given below.

all your data has been locked us
You want to return?
write email back_data@foxmail.com or getdecoding@protonmail.com

This file is very important: in addition to the ransom demand, it contains the information needed to contact the intruders. According to the message, the victim is invited to contact the attackers using the given email address. In response, the authors of the virus will give a Bitcoin address to which the ransom must be transferred. Of course, you should understand that there is no guarantee that the attackers, after receiving the ransom, will provide you with the key necessary to decrypt your files. In addition, by paying the ransom, you encourage the attackers to create new ransomware.

Threat Summary

Name: Rxx
Type: Crypto virus, File locker, Crypto malware, Ransomware, Filecoder
Encrypted files extension: .rxx
Ransom note: FILES ENCRYPTED.txt
Contact: back_data@foxmail.com, getdecoding@protonmail.com
Ransom amount: $500-$1500 in Bitcoins
Detection names: Trojan.Ransom.Crysis.E, Win32:RansomX-gen [Ransom], AI:Packer.D3B9457E1E, W32.RansomeDNZ.Trojan, Ransom.Crysis.A3, TrojWare.Win32.Crysis.D@6sd9xy, Win.Trojan.Dharma-6668198-0, Trojan.Encoder.3953, Win32.Trojan-Ransom.VirusEncoder.A, Trojan-Ransom.Win32.Crusis.to, Ransom.Crysis.Generic
Symptoms: Cannot open files stored on the computer. Windows Explorer displays a blank icon for the file type. Your file directories contain a ‘ransom note’ file that is usually a .html, .jpg or .txt file. Desktop wallpaper is changed to the ransom note.
Distribution ways: Malicious spam (also known as ‘malspam’). Malicious downloads that happen without a user’s knowledge when they visit a compromised webpage. Social media, like web-based instant messaging applications. Cybercriminals use suspicious advertisements to distribute malware with no user interaction required.
Removal: Rxx virus removal guide
Recovery: Rxx file recovery

 

As we have already said, Rxx virus is not the first in its series. The fact that antivirus companies have so far neither created a way to decrypt the files nor found a 100% way to protect users’ computers (otherwise how would you be on our site) indicates the complexity of the virus and of the method it uses to encrypt files. Nevertheless, you do not need to despair. There are several ways to find and remove Rxx ransomware, and there is also a chance to restore some or even all encrypted files to their original state. Below we will describe in detail how to do this.

How to remove Rxx virus & Restore .Rxx files

If you have encountered the malicious actions of Rxx virus and your files have been encrypted with the ‘.Rxx’ extension, you need to remove the virus, or be 100% sure that there is no ransomware on your computer, and only then proceed to restore the files. Both the virus removal process and the file recovery process will take a lot of time, so do not believe magical instructions that say this can be done very quickly. If one of the methods proposed below does not work for you, we definitely recommend trying another one, and trying all of them. Perhaps one of them will help you. Feel free to ask questions in the special section on our website or in the comments below. In addition, all the tools that we recommend in our instructions are free and verified by security experts. Finally, before proceeding, we advise you to read the instructions carefully, and then print them or open them on a tablet or smartphone so that you always have them at hand.

  1. How to remove Rxx ransomware virus
  2. How to decrypt .rxx files
  3. How to restore .rxx files
  4. How to protect your personal computer from Rxx crypto malware?

How to remove Rxx ransomware virus

To remove the Rxx virus, we recommend using free malware removal tools, which we will consider below. You can use them in the sequence we give, or in any order you like. Perhaps you think that this virus can be removed manually by using some magic OS functions or by pressing a few keys. A professional or computer specialist with great knowledge will probably be able to, but I recommend that you use malware removal tools. They will do all the work for you and, most importantly, they will prevent the damage to system files that you might accidentally cause. Of course, if you have an antivirus, you can use it first, but if it missed this ransomware, then your trust in it is greatly undermined.



How to remove Rxx with Zemana Anti-Malware

Zemana Anti-Malware is a program used to remove spyware, adware, ransomware, malicious software, worms, trojans and other security threats. The program is one of the most efficient antimalware tools. It helps in crypto virus removal and defends against all other types of malicious software. One of the biggest advantages of Zemana Free is that it is easy to use and free. Also, it constantly updates its virus/malware signature database. Let’s see how to install Zemana and check your personal computer with it in order to remove Rxx from your PC.

Visit the following page to download Zemana Anti Malware (ZAM) installer named Zemana.AntiMalware.Setup on your machine. Save it to your Desktop so that you can access the file easily.

Zemana AntiMalware
164978 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019

Start the installer after it has been downloaded successfully and then follow the prompts to install this utility on your PC.

Zemana Anti Malware SetupWizard

During installation you can change some settings, but we recommend you don’t make any changes to default settings.

When installation is done, this malicious software removal utility will automatically start and update itself. You will see its main window like below.

Now press the “Scan” button to perform a system scan for the Rxx crypto malware, other malware, worms and trojans. When a threat is detected, the count of the security threats will change accordingly.

Zemana Anti-Malware look for Rxx ransomware, other kinds of potential threats such as malicious software and trojans

When that process is complete, Zemana Free will show a scan report. Next, press the “Next” button.

Zemana Free scan is complete

Zemana Free will start to remove Rxx crypto malware and other security threats. When disinfection is complete, you may be prompted to restart your PC for the changes to take effect.

Use MalwareBytes to uninstall Rxx ransomware

You can remove Rxx automatically with the help of MalwareBytes Anti-Malware (MBAM). We advise this free malware removal tool because it can easily delete crypto malware, adware, malware and other unwanted programs with all their components such as files, folders and registry entries.

Installing MalwareBytes is simple. First you’ll need to download MalwareBytes Anti-Malware by clicking on the following link.

Malwarebytes Anti-malware
327221 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020

Once the download is finished, close all windows on your computer. Then start the file named mb3-setup. If the “User Account Control” dialog box pops up as shown on the screen below, click the “Yes” button.

MalwareBytes Free for Windows uac prompt

It will open the “Setup wizard” that will allow you to install MalwareBytes Free on the computer. Follow the prompts and do not make any changes to default settings.

MalwareBytes for Microsoft Windows setup wizard

Once installation has completed successfully, press the Finish button. MalwareBytes Anti-Malware (MBAM) will then start automatically and you will see its main window as displayed on the image below.

MalwareBytes Anti Malware for MS Windows

Next, press the “Scan Now” button. MalwareBytes Free will scan the whole computer for folders, files and registry keys related to the Rxx crypto virus. Depending on your computer, the scan may take anywhere from a few minutes to close to an hour. When malware, adware software or potentially unwanted applications are detected, the number of security threats will change accordingly.

MalwareBytes Free for MS Windows detect Rxx crypto malware, other malware, worms and trojans

When finished, MalwareBytes will show you the results. Review the report and then press the “Quarantine Selected” button.

MalwareBytes Free for Windows, scan for ransomware is done

MalwareBytes will remove the folders, files and registry keys related to Rxx crypto malware and move the items to the program’s quarantine. Once the process is complete, you may be prompted to restart your PC. We advise you to look at the following video, which completely explains the procedure of using MalwareBytes Free to uninstall hijackers, adware software and other malicious software.

Use KVRT to remove Rxx virus

If MalwareBytes antimalware or Zemana anti-malware cannot remove this crypto malware, then we suggest running Kaspersky virus removal tool (KVRT). KVRT is a free removal tool for crypto malware, worms, spyware, trojans, adware software, PUPs and other malicious software.

Download Kaspersky virus removal tool (KVRT) on your personal computer from the link below.

Kaspersky virus removal tool
129278 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018

After the download is finished, double-click on the Kaspersky virus removal tool icon. Once the initialization process is complete, you’ll see the Kaspersky virus removal tool screen as shown in the following example.

KVRT main window

Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next, click the Start scan button. KVRT will scan the whole PC for the Rxx ransomware and other malicious software. A system scan may take anywhere from 5 to 30 minutes, depending on your system.

Kaspersky virus removal tool scanning

When that process is complete, KVRT will produce a list of unwanted software and ransomware as on the image below.

KVRT scan report

Make sure all items have a ‘checkmark’ and click Continue to begin the cleaning procedure.

How to decrypt .rxx files

All files with the ‘.Rxx’ extension are encrypted. Their contents cannot be unlocked simply by removing this extension or completely changing the filename. Unfortunately, as we already reported in this article, there is currently no way to decrypt files. The reason for this is the complexity of the encryption algorithm that the authors of Rxx virus use. In principle, this is what the attackers sought. But this does not mean that you have no choice and you need to pay a ransom for your files.

Should you pay the ransom

Never pay the ransom! Any security expert will tell you this. Of course, there is a chance that if you pay the ransom, the Rxx virus authors will allow you to unlock your files, but there is no guarantee. Moreover, you should understand that when you pay a ransom, you unknowingly push the attackers to create new, even more destructive viruses.

Files encrypted by ransomware

Do not forget that besides you, thousands more people around the world have lost their files; you are not alone. Antivirus companies and security experts are working on something that will allow you to decrypt .Rxx files. Perhaps in the future a universal method will be developed that will allow all victims to unlock all their data.

Of course, as soon as a way to decrypt the files appears, we will post a message about this to this article or to our facebook account. Therefore, we recommend that you follow the updates.

How to restore .rxx files

As we wrote above, you cannot decrypt files encrypted with this virus. But there is another way: there is a small chance to restore .Rxx files without decrypting them. Programs created for searching for and recovering lost and deleted data can help you with this. We suggest using the following free programs: PhotoRec and ShadowExplorer. There are two additional points I want to make. First, before restoring files, you must be 100% sure that there is no ransomware on the computer. We recommend using the free malware removal tools that we examined in this article. Second, and this is very important: the less you use your computer after the ransomware infection, the higher the chance that you will be able to recover encrypted files.




Restore .rxx encrypted files using Shadow Explorer

First of all, try to recover your files using a free tool called ShadowExplorer. This program will allow you to recover your files from Shadow Volume Copies. These copies are created automatically by the OS when you work with your files. Unfortunately, very often the virus automatically deletes all these copies and thus prevents the user from recovering encrypted files. Nevertheless, in some cases the ransomware cannot delete all copies, and the user gets the opportunity to quickly restore all files. Therefore, in our opinion, you should definitely try this method!

Installing ShadowExplorer is simple. First you’ll need to download ShadowExplorer to your MS Windows Desktop by clicking on the following link.

ShadowExplorer
439619 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019

Once the download is done, extract the downloaded file to a folder on your computer. This will create the necessary files such as the one below.

ShadowExplorer folder

Start the ShadowExplorerPortable program. Now choose the date (2) that you want to recover from and the drive (1) you wish to restore files (folders) from as on the image below.

recover encrypted files with ShadowExplorer tool

On the right panel, navigate to the file (folder) you want to recover. Right-click the file or folder and click the Export button as shown in the following example.

ShadowExplorer recover .rxx files

Finally, specify a directory (your Desktop) in which to save the shadow copy of the encrypted file and click the ‘OK’ button.

Recover .rxx files with PhotoRec

Another really working way to recover your encrypted files is to use a program named PhotoRec. It was created to recover deleted or lost files. Does the virus block this method? Fortunately, the Rxx virus cannot block it in any way. Why is this possible, you ask? It is possible because when you delete files using the standard OS function, these files are not actually deleted. Windows just marks them as deleted and does not show them in the list of files. The program that we suggest you use finds deleted files, including files that were deleted by the ransomware, and recovers them.

Download PhotoRec on your PC from the following link.

PhotoRec
221287 downloads
Author: CGSecurity
Category: Security tools
Update: March 1, 2018

Once the download is done, open the directory in which you saved it. Right-click testdisk-7.0.win and choose Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as on the image below.

testdisk photorec folder

Double click on qphotorec_win to run PhotoRec for Windows. It will show a screen as displayed on the screen below.

PhotoRec for windows

Select a drive to recover as on the image below.

photorec select drive

You will see a list of available partitions. Choose a partition that holds encrypted documents, photos and music such as the one below.

photorec select partition

Click the File Formats button and select the file types to recover. You can enable or disable the recovery of certain file types. When this is complete, click the OK button.

PhotoRec file formats

Next, click the Browse button to select where recovered files should be written, then click Search.

photorec

The count of recovered files is updated in real time. All restored files are written to the folder that you chose in the previous step. You can access the files even if the restore process is not finished.

When the restore is done, click the Quit button. Next, open the directory where the restored documents, photos and music are stored. You will see contents like those displayed below.

PhotoRec - result of restore

All restored files are written to the recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, you can sort your restored files by extension and/or date/time.

How to protect your personal computer from Rxx crypto malware?

Most antivirus applications already have a built-in protection system against crypto malware. Therefore, if your PC does not have an antivirus application, make sure you install one. As extra protection, use HitmanPro.Alert. HitmanPro.Alert is a small security utility. It can check the system integrity and alert you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.

HitmanPro Alert can be downloaded from the following link. Save it on your Desktop.

HitmanPro.Alert
6875 downloads
Author: Sophos
Category: Security tools
Update: March 6, 2019

When the download is done, open the folder in which you saved it. You will see an icon like the one below.

HitmanPro.Alert file icon

Double click the HitmanPro.Alert desktop icon. When the tool is launched, you’ll be shown a window where you can choose a level of protection, as shown in the following example.

HitmanPro.Alert install

Now click the Install button to activate the protection.

To sum up

This guide was created to help all victims of Rxx ransomware virus. We tried to give answers to the following questions: how to remove ransomware; how to recover .Rxx files. We hope that the information presented in this manual has helped you.

If you have questions, write to us by leaving a comment below. If you need more help with Rxx related issues, go here.

 


Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.
