Remk file extension
The .remk file extension is associated with the latest variant of the STOP (Djvu) ransomware. Security researchers discovered the ‘Remk’ version about a week after the previous one, which is called Foop. Like all other versions of the STOP (Djvu) virus, Remk encrypts files and thus makes their contents inaccessible. The criminals then offer to sell victims a decryptor and a unique key, which are needed to decrypt the affected files.
Fortunately for victims, in some cases .remk files can be decrypted. This is possible thanks to a free decryptor created by a group of security researchers. This decryptor can decrypt files encrypted by all versions of the STOP (Djvu) virus, including the ‘Remk’ version. Read more about the Free Remk File Decrypt tool and how to decrypt .remk files below in this article.
What is Remk virus
Remk is a particularly nasty piece of malware. It infects the system when the user downloads or runs malware-infected files. Criminals lure unwary users into downloading the ransomware by hiding malicious code inside cracked versions of paid software, free software, key generators, and so on. Upon execution, an instance of the Remk virus is installed on the victim’s computer.
Once installed on a computer, Remk encrypts files located on the drives connected to the computer. It uses a strong algorithm and a long key to encrypt files. If, before encrypting the files, the Remk virus was able to establish a connection with its command-and-control (C&C) server, it uses a so-called ‘online key’ that is unique to each infected computer. If the Remk virus cannot connect to its command server, it uses a so-called ‘offline key’. This key, unlike the online key, is the same for all infected computers and can be determined by security researchers.
Remk tries to encrypt every file on the computer; to speed up the process, it does not encrypt the entire contents of each file, but only the first 154 KB. There are files that the virus does not encrypt: files located in the Windows system directories, files with the extensions .bat, .ini, .sys, .dll and .lnk, and files named ‘_readme.txt’. All other files can be encrypted, regardless of where they are located: on the internal disk, an external device or cloud storage. Thus, the following common file types can be encrypted:
.wsc, .wma, .icxs, .itl, .xlgc, .png, .accdb, .ybk, .m2, .xbdoc, .rtf, .lbf, .3ds, .xls, .cas, .wp6, .z3d, .vpk, .map, .odm, .dwg, .pdd, .xlk, .ff, .arch00, .vdf, .ztmp, .big, .pdf, .vpp_pc, .1, .1st, .wbmp, .dazip, .ai, .kdc, .xwp, .xf, .qic, .zi, .2bp, .xlsm, .x3d, .docx, .wm, .snx, .mdbackup, .jpe, .wp4, .wps, .jpg, .mlx, .bc6, .dbf, .menu, .bkf, .psd, .mdf, .wbm, .ntl, .blob, .zdb, .epk, .mp4, wallet, .pef, .t12, .psk, .wpb, .odp, .wpd, .wcf, .rar, .pst, .jpeg, .layout, .wps, .mdb, .sis, .dng, .sidn, .mrwref, .itm, .ltx, .ws, .wn, .csv, .der, .wri, .wgz, .wpl, .gho, .wmo, .3dm, .pkpass, .x3f, .sql, .desc, .bar, .doc, .xls, .re4, .indd, .ysp, .mov, .erf, .vtf, .zip, .wav, .itdb, .sie, .ibank, .crw, .r3d, .xlsm, .ptx, .xld, .7z, .lvl, .wb2, .ppt, .sidd, .avi, .mpqge, .y, .vcf, .kdb, .txt, .iwd, .rwl, .pak, .srw, .litemod, .flv, .sav, .tax, .wdb, .x, .xpm, .xx, .esm, .docm, .d3dbsp, .asset, .ods, .dxg, .xlsb, .syncdb, .xdl, .wpe, .zw, .sr2, .wma, .zabw, .slm, .0, .bay, .srf, .p7b, .xxx, .tor, .xyw, .py, .wmv, .wp5, .lrf, .svg, .db0, .xlsx, .rw2, .yml, .wire, .forge, .zdc, .hkx, .cer, .z, .crt, .rim, .wdp, .wbc, .wp7, .xyp, .rofl, .mcmeta, .mef, .arw, .odc, .dcr, .p12, .orf, .wbk, .wpa, .xy3, .xll, .wmv, .yal, .pfx, .pptx, .wp, .wbd, .sum, .m4a, .p7c, .wpt, .nrw, .sid, .upk, .das, .hkdb, .bsa, .wsh, .zif, .wbz, .pem, .hvpl, .bkp, .3fr
Each encrypted file receives a new name: the Remk virus appends the extension ‘.remk’ to the end of the file name. Thus, if a file was called ‘image.jpg’ before encryption, after it is encrypted it will be called ‘image.jpg.remk’. In each folder where the virus encrypted one or more files, it drops a file named ‘_readme.txt’.
This file is the ransom demand message. In it, the authors of the Remk virus state that the victim’s files were encrypted and that, to decrypt them, the victim needs to buy a decryptor and a key. The attackers demand $980; if the victim pays within 72 hours, the ransom is halved to $490. The criminals offer to decrypt one small file for free to demonstrate that .remk files can be decrypted. Even if the criminals do decrypt one file, this does not guarantee that after receiving the ransom they will give the victim the key and the decryptor.
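As an added illustration of the behaviour described above (this is example triage code written for this article, not a tool from the ransomware or from any vendor named here), the following script walks a directory tree, identifies files renamed with the ‘.remk’ extension, reconstructs their original names, counts them by original file type, locates every ‘_readme.txt’ ransom note, and flags any encrypted file whose original extension is one the article says the virus leaves alone. The sample tree it builds in a temporary directory is constructed for the demonstration; it contains no real victim data.

```python
import tempfile
from collections import Counter
from pathlib import Path

# Values taken from the article: the appended extension, the ransom-note
# file name, and the extensions the ransomware is said not to encrypt.
REMK_EXT = ".remk"
RANSOM_NOTE = "_readme.txt"
SKIPPED_EXTS = {".bat", ".ini", ".sys", ".dll", ".lnk"}


def original_name(encrypted_path):
    """Reverse the renaming rule: 'image.jpg.remk' -> 'image.jpg'."""
    name = Path(encrypted_path).name
    return name[:-len(REMK_EXT)] if name.endswith(REMK_EXT) else name


def triage(root):
    """Walk `root` and summarise what a Remk-style infection touched."""
    root = Path(root)
    by_ext = Counter()
    notes = []
    unexpected = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name == RANSOM_NOTE:
            notes.append(rel)
        elif path.suffix == REMK_EXT:
            ext = Path(original_name(path)).suffix.lower() or "(no extension)"
            by_ext[ext] += 1
            # The article says these extensions are not encrypted; an
            # encrypted one is out of pattern and worth a closer look.
            if ext in SKIPPED_EXTS:
                unexpected.append(rel)
    return {
        "total_encrypted": sum(by_ext.values()),
        "encrypted_by_ext": dict(by_ext),
        "ransom_notes": sorted(notes),
        "unexpected": sorted(unexpected),
    }


def build_sample_tree():
    """Constructed sample tree mimicking the layout the article describes.

    The byte contents are placeholders, not real encrypted data."""
    root = Path(tempfile.mkdtemp(prefix="remk_triage_"))
    files = {
        "Documents/report.docx.remk": b"\x00" * 64,
        "Documents/_readme.txt": b"ATTENTION!\n...\n",
        "Pictures/image.jpg.remk": b"\x00" * 64,
        "Pictures/holiday.jpg.remk": b"\x00" * 64,
        "Pictures/_readme.txt": b"ATTENTION!\n...\n",
        "Windows/System32/kernel32.dll": b"MZ",  # left alone, as the article says
        "Desktop/notes.txt": b"plain, not encrypted",
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return root


if __name__ == "__main__":
    summary = triage(build_sample_tree())
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run against a real drive, the same `triage()` call gives a quick picture of how far the encryption got and which folders hold ransom notes, which is useful both for deciding what to restore first and for documenting the incident.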
Threat Summary
Name | Remk |
Type | File locker, Crypto virus, Crypto malware, Filecoder, Ransomware |
Encrypted files extension | .remk |
Ransom note | _readme.txt |
Contact | helpdatarestore@firemail.cc, helpmanager@mail.ch |
Ransom amount | $490/$980 in Bitcoins |
Detection Names | Trojan.Win32.Stop.j!c, Trojan.Ransom.Stop, Ransom.Stop, Trojan.DownLoader33.15497, Trojan.GenericKD.33533904 (B), Generic.mg.02e00de4670422f0, Win32/Kryptik.HBUK, W32/GenKryptik.HBUR!tr, Trojan.Stop.dq, Trojan.MalPack.GS, Trojan-Ransom.Win32.Stop.lc, Trojan:Win32/RanumBot.GA!MTB, BehavesLike.Win32.SoftPulse.bc |
Symptoms | Unable to open personal files. Your photos, documents and music now have different extensions that end with something like .locked, .crypted or .cryptor. Your file directories contain a ‘ransom note’ file that is usually a .html, .jpg or .txt file. New files on your desktop, with name variants of: ‘HOW_TO_DECRYPT.txt’, ‘DECRYPT.txt’ or ‘README.txt’. |
Distribution ways | Phishing email scam that attempts to scare users into acting impulsively. Drive-by downloads from a compromised website. Social media, such as web-based instant messaging programs. Misleading websites. |
Removal | Remk virus removal guide |
Decryption | Free Remk File Decrypt tool |
The message left by the creators of the Remk virus says that files cannot be decrypted without a key and a decryptor. Unfortunately, security researchers confirm that a decryptor and a unique key are indeed required to decrypt the files.
As reported above, a free decryptor fortunately exists. The Remk File Decrypt tool can decrypt .remk files that were encrypted with an offline key. Files encrypted with an online key cannot be decrypted, but there are several ways that may help recover the contents of the encrypted files.
How to remove Remk virus, Recover, Decrypt .remk files
If your computer was infected with the Remk virus and the files on it were encrypted, you need to follow a few steps that will help you find and remove the virus and then decrypt .remk files or restore their contents. Before decrypting or recovering files, be sure to check your computer for malicious software. Read the entire set of instructions below carefully, print it, or open it on your smartphone, so that you do not miss anything important.
- How to remove Remk ransomware
- How to decrypt .remk files
- How to restore .remk files
- How to protect your system from Remk crypto virus
How to remove Remk ransomware
The first thing you should do before decrypting or recovering .remk files is to scan the system for malware and other security threats. This step cannot be skipped, because if the Remk virus is not completely removed from the computer, it will continue its malicious activity. To find all malware components and remove them from the system, we recommend using free malware removal tools. The best option is to first update your antivirus and perform a full scan, then use the free malware removal tools listed below to scan the system and remove whatever they find. It is advisable to use not one malware removal tool but two or more, as this significantly increases the chance of detecting the malware.
Run Zemana AntiMalware (ZAM) to remove Remk virus
Zemana Free is highly recommended because it can detect security threats such as the Remk crypto malware, other malicious software and trojans that most ‘classic’ antivirus apps fail to pick up. Moreover, if you have any Remk removal problems that this tool cannot fix automatically, Zemana AntiMalware provides 24x7 online assistance from its experienced support staff.
Download Zemana on your Windows Desktop from the link below.
After downloading is finished, close all windows on your system. Further, start the install file called Zemana.AntiMalware.Setup. If the “User Account Control” dialog box pops up as on the image below, press the “Yes” button.
It will open the “Setup wizard” that will help you install Zemana Free on the system. Follow the prompts and do not make any changes to default settings.
Once installation is done successfully, Zemana Anti-Malware will automatically launch and you can see its main window as displayed in the following example.
Next, click the “Scan” button to perform a system scan for the Remk virus and other malicious software, worms and trojans. This process can take some time, so please be patient.
When finished, Zemana AntiMalware (ZAM) will show a scan report. Review the scan results and then click “Next” button.
Zemana Anti-Malware (ZAM) will remove the Remk crypto malware and other potential threats such as malware and trojans, moving them to the Quarantine. Once disinfection is finished, you may be prompted to reboot your PC.
Remove Remk with MalwareBytes
We recommend using MalwareBytes Anti-Malware (MBAM), which will fully clean your computer of the ransomware. This free tool is an advanced malicious software removal program created by Malwarebytes. It uses widely deployed anti-malware technology and can help you remove crypto viruses, potentially unwanted software, malicious software, adware, toolbars, and other security threats from your PC for free.
Installing the MalwareBytes is simple. First you will need to download MalwareBytes Anti Malware (MBAM) on your personal computer by clicking on the link below.
Once downloading is complete, close all applications and windows on your PC system. Double-click the set up file named mb3-setup. If the “User Account Control” dialog box pops up as shown in the figure below, click the “Yes” button.
It will open the “Setup wizard” which will help you install MalwareBytes AntiMalware on your PC system. Follow the prompts and don’t make any changes to default settings.
Once install is done successfully, press Finish button. MalwareBytes AntiMalware will automatically start and you can see its main screen as on the image below.
Now click the “Scan Now” button to scan for the Remk ransomware and other potential threats such as malware and trojans. A system scan can take anywhere from 5 to 30 minutes, depending on your computer. As malicious software, adware or PUPs are found, the count of security threats will update accordingly. Wait until the scan is complete.
When MalwareBytes AntiMalware (MBAM) is done scanning your PC system, MalwareBytes Free will show a list of all threats found by the scan. Review the results once the utility has finished the system scan. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply press “Quarantine Selected” button. The MalwareBytes Anti-Malware (MBAM) will remove Remk crypto virus, other kinds of potential threats like malicious software and trojans and move threats to the program’s quarantine. When the process is finished, you may be prompted to reboot the PC.
Remove Remk ransomware from PC with KVRT
If MalwareBytes Anti-Malware or Zemana Anti-Malware cannot delete this crypto virus, we recommend using the Kaspersky Virus Removal Tool (KVRT). KVRT is a free removal tool for ransomware, worms, spyware, trojans, adware, potentially unwanted apps and other malicious software.
Download Kaspersky virus removal tool (KVRT) on your computer by clicking on the following link.
After the download is finished, double-click on the Kaspersky virus removal tool icon. Once initialization process is finished, you’ll see the KVRT screen like below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button to begin scanning your computer for the Remk crypto malware and other malware.
When Kaspersky virus removal tool is finished scanning your computer, Kaspersky virus removal tool will display a scan report as shown on the image below.
Review the results once the utility has finished the system scan. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply click on Continue to begin a cleaning task.
How to decrypt .remk files
Files with the .remk extension are encrypted and to decrypt them you must use a decryptor and a unique key. You cannot unlock these files simply by deleting the new extension or changing their file name. Fortunately, there is a free decryptor. STOP Djvu Decryptor (Remk File Decrypt tool) is a program that can decrypt .remk files.
To decrypt .remk files, use “Remk File Decrypt tool”
- Download Free Remk File Decrypt tool from the following link.
STOP Djvu decryptor - Scroll down to ‘New Djvu ransomware’ section.
- Click the download link and save the decrypt_STOPDjvu.exe file to your desktop.
- Run decrypt_STOPDjvu.exe, read the license terms and instructions.
- On the ‘Decryptor’ tab, using the ‘Add a folder’ button, add the directory or disk where the encrypted files are located.
- Click the ‘Decrypt’ button.
As noted above, the Remk virus can use two types of keys to encrypt files: online keys and offline keys. Emsisoft found a way to determine offline keys, so at the moment this decryptor can only decrypt files encrypted with offline keys. Files encrypted with an online key cannot be decrypted yet, since only the authors of the ransomware have the key.
This does not mean that if your files are encrypted with an online key their contents are lost forever. Fortunately, there are several ways to recover encrypted files. These methods do not involve decryption and can therefore be used in any case, regardless of which type of key was used to encrypt the files.
How to find out which key was used to encrypt files
Below we show two ways to help you determine what type of key was used to encrypt your files. This is very important, since the type of key determines whether it is possible to decrypt .remk files. We recommend using the second method, as it is more accurate.
Find out the type of key using ‘_readme.txt’ file
- Open the ransom demand message (‘_readme.txt’ file).
- Scroll down to the end of the file.
- There you will see a line with the text ‘Your personal ID’.
- Below is a line of characters – this is your personal id.
Find out the type of key using ‘PersonalID.txt’ file
- Open disk C.
- Open directory ‘SystemID’.
- Open file named ‘PersonalID.txt’. This file lists ‘Personal ID’s that match the keys that the Remk virus used to encrypt files.
The ‘Personal ID’ is not a key; it is an identifier linked to the key that was used to encrypt the files. If the ID ends with ‘t1’, the files are encrypted with an offline key. If the ID does not end with ‘t1’, the Remk ransomware used an online key. If you cannot work out which key was used to encrypt your files, we can help: just ask in the comments below.
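The two ways of finding the Personal ID and the ‘t1’ rule above can be automated. The following is an added example written for this article (not the STOP Djvu decryptor’s own code): it pulls the ID out of a ‘_readme.txt’ note, reads the one-ID-per-line ‘PersonalID.txt’ file, and classifies each ID as offline or online, which tells you whether the free decryptor is worth trying on it. The sample note and IDs are constructed placeholders; the exact layout of real notes may differ, so the parser accepts the ID either on the line after ‘Your personal ID’ or on the same line after a colon.

```python
from pathlib import Path

# From the article: an ID ending in 't1' means the offline key was used.
OFFLINE_SUFFIX = "t1"


def key_type(personal_id):
    """Return 'offline' or 'online' for a STOP/Djvu personal ID."""
    pid = personal_id.strip()
    if not pid:
        raise ValueError("empty personal ID")
    return "offline" if pid.endswith(OFFLINE_SUFFIX) else "online"


def id_from_readme(note_text):
    """Extract the ID that follows the 'Your personal ID' line of _readme.txt.

    Accepts both 'Your personal ID:\\n<id>' and 'Your personal ID: <id>'.
    Returns None when no such line is present."""
    lines = note_text.splitlines()
    for i, line in enumerate(lines):
        if "your personal id" in line.lower():
            same_line = line.split(":", 1)[1].strip() if ":" in line else ""
            if same_line:
                return same_line
            for following in lines[i + 1:]:
                if following.strip():
                    return following.strip()
    return None


def ids_from_personalid_file(text):
    """Return every non-empty line of C:\\SystemID\\PersonalID.txt.

    The article says the file lists the IDs matching the keys used, so there
    may be more than one if the machine was hit more than once."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def assess(ids):
    """Map each ID to its key type and whether the free decryptor can be expected
    to handle it (only offline IDs, per the article)."""
    result = {}
    for pid in ids:
        kind = key_type(pid)
        result[pid] = {"key": kind, "decryptor_candidate": kind == "offline"}
    return result


# Constructed sample inputs; these IDs are obvious placeholders, not real ones.
SAMPLE_README = """ATTENTION!

Don't worry, you can return all your files!
...
Your personal ID:
EXAMPLEOFFLINEID000000000000000000000000t1
"""

SAMPLE_PERSONALID = """EXAMPLEOFFLINEID000000000000000000000000t1
EXAMPLEONLINEID0000000000000000000000000Ab
"""


def read_file_if_present(path):
    """Helper for real use: read a text file, or return '' if it does not exist."""
    p = Path(path)
    return p.read_text(errors="replace") if p.exists() else ""


if __name__ == "__main__":
    print("ID from ransom note:", id_from_readme(SAMPLE_README))
    for pid, info in assess(ids_from_personalid_file(SAMPLE_PERSONALID)).items():
        print(pid, "->", info)
```

On an infected machine you would call `read_file_if_present(r"C:\SystemID\PersonalID.txt")` and feed the result to `ids_from_personalid_file()`; the article recommends that file over the ransom note because it is the more accurate source.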
What to do if STOP (Remk) decryptor says “No key for New Variant offline ID”
If, during decryption of .remk files, the decryptor reports No key for New Variant offline ID, it means your files are encrypted with an ‘offline key’, but that key has not yet been found by security researchers. In this case you need to be patient and wait a while. It is impossible to say exactly when the ‘offline key’ will be determined; sometimes it takes several days, sometimes longer. We recommend that you retry decrypting .remk files from time to time. In the meantime, you can also use the alternative data-recovery methods listed below.
What to do if STOP (Remk) decryptor says “No key for New Variant online ID”
If, when you try to decrypt .remk files, the decryptor reports No key for New Variant online ID, then this means that your files are encrypted with an ‘online key’ and their decryption is impossible, since only the Remk authors have the key necessary for decryption. In this case, you need to use alternative methods listed below to restore the contents of encrypted files.
How to restore .remk files
Fortunately, there are several simple ways that give everyone a chance to recover the contents of encrypted files. The methods presented below can help in cases when a free decryptor cannot decrypt .remk files or when files are encrypted with an online key.
Alternative methods of file recovery do not use decryption, so there is no need for a key or a decryptor. Before you begin, you must be completely sure that the computer no longer has active ransomware on it. Therefore, if you have not yet checked your computer for ransomware, do it right now using the free malware removal tools, or return to step 1 above.
Use shadow copies to recover .remk files
Now proceed to recover .remk files. We hope you have already completed all the steps discussed above. First of all, try to recover encrypted files using a free tool called ShadowExplorer. This program allows you to recover your files from Shadow Volume Copies, which Windows creates automatically (through its Volume Shadow Copy Service) as you work with your files.
Unfortunately, Remk virus can automatically delete these copies and thus prevent you from recovering your files. Nevertheless, in some cases, the ransomware cannot delete all copies, and the user gets the opportunity to quickly restore all files. Therefore, you should definitely try this method!
Installing the ShadowExplorer is simple. First you’ll need to download ShadowExplorer from the link below.
When the downloading process is complete, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as displayed on the image below.
Start the ShadowExplorer tool and then choose the disk (1) and the date (2) that you want to recover the shadow copy of file(s) encrypted by the Remk crypto malware as shown below.
Now navigate to the file or folder that you want to recover. When ready right-click on it and click ‘Export’ button as displayed in the figure below.
Use PhotoRec to recover .remk files
Another method that genuinely works for recovering .remk files is the free tool PhotoRec. It is designed to recover deleted or lost files, and the Remk virus cannot block it. The reason is that when files are deleted through the standard OS function, their data is not actually erased: Windows merely marks them as deleted and stops showing them in the file list. PhotoRec scans the disk for such deleted files, including originals that the ransomware deleted, and recovers them.
Download PhotoRec on your system by clicking on the following link.
After the downloading process is complete, open a directory in which you saved it. Right click to testdisk-7.0.win and choose Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as displayed in the figure below.
Double click on qphotorec_win to run PhotoRec for Windows. It’ll display a screen as displayed below.
Choose a drive to recover as shown in the following example.
You will see a list of available partitions. Choose a partition that holds encrypted personal files as shown on the image below.
Press the File Formats button and specify the file types to recover. You can enable or disable the recovery of particular file types. When this is done, press the OK button.
Next, click Browse button to select where restored photos, documents and music should be written, then click Search.
The count of recovered files is updated in real time. All restored files are written to the folder you chose in the previous step, and you can access them even before the recovery process has finished.
When the restore is finished, click on Quit button. Next, open the directory where recovered documents, photos and music are stored. You will see a contents as displayed in the following example.
All restored documents, photos and music are written to the recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, you can sort the recovered files by extension and/or date and time.
How to protect your system from Remk crypto virus?
Most antivirus applications already have built-in protection system against the ransomware virus. Therefore, if your machine does not have an antivirus application, make sure you install it. As an extra protection, use the HitmanPro.Alert. HitmanPro.Alert is a small security tool. It can check the system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
Download HitmanPro.Alert on your system by clicking on the following link.
Once downloading is done, open the file location. You will see an icon like below.
Double click the HitmanPro.Alert desktop icon. Once the tool is opened, you will be shown a window where you can select a level of protection, as displayed in the figure below.
Now click the Install button to activate the protection.
Final words
This guide was created to help all victims of the Remk ransomware. We tried to answer the following questions: how to remove the ransomware; whether there is a Free Remk File Decrypt tool; how to decrypt .remk files; how to recover encrypted files if the STOP (Remk) decryptor does not help; and what online and offline keys are. We hope the information in this guide has helped you.
If you have questions, or need more help with Remk-related issues, leave a comment below.