Research on Redeemer 2.0 ransomware
Redeemer 2.0 ransomware is a data locking Trojan and file encryption ransomware. It uses decryption key to blackmail the victims and earn quick money illegally. The ransomware is mainly spread via spam email attachments which are disguised as important file to trick user to download and open it. Once Redeemer 2.0 ransomware is loaded on computer, all the files of user are renamed with a nasty extension and they cannot be opened at all. It is able to encrypt all types of files, including but not limited to:
.vbox, .vdi, .vhd, .vhdx, .vmdk, .vmsd, .vmx, .vmxf, .vob, .vpd, .vsd, .wab, .wad, .wallet, .war, .wav, .wb2, .wma, .wmf, .wmv, .wpd, .wps, .x11 , .x3f, .xis, .xla, .xlam, .xlk, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml,.xps, .xxx, .ycbcra, .yuv, .zip.iq, .incpas, .indd, .info, .info_, .ini, .iwi, .jar, .java, .jnt, .jpe, .jpeg, .jpg, .js, .json, .k2p,.kc2, .kdbx, .kdc, .key, .kpdx, .kwm, .laccdb, .lbf, .lck, .ldf, .lit, .litemod, .litesql, .lock, .log, .ltx, .lua, .m, .m2ts, .m3u, .m4ts, .m4p, .m4v, .ma, .mab, .mapimail, .max, .mbx, .md, .mdb, .mdc, .mdf, .mef, .mfw , .mid, .mkv, .mlb, .mmw, .mny, .money, .moneywell, .mos, .mov, .mp3, .mp4, .mpeg, .mpg, .mrw, .msf, .msg,.myd, .nd, .ndd, .ndf, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nvram, .nwb, .nx2, .nxl, .nyf, .oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .ogg, .oil, .omg, .one , .orf,.ost, .otg, .oth, .otp, .ots, .ott,.1cd, .3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .7z, .7zip, .aac, .ab4, .abd, .acc, .accdb, .accde, .accdr, .accdt, .ach, .acr, .act, .adb, .adp, .ads, .agdl, .ai, .aiff, .ait, .al, .aoi, .apj, .apk, .arw, .ascx, .asf , .asm, .asp, .aspx, .asset, .asx, .atb, .avi, .awg, .back, .backup, .backupdb, .bak, .bank, .bay, .bdb, .bgt,.bik, .bin, .bkp, .blend, .bmp, .bpw, .bsa, .c, .cash, .cdb, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfg, .cfn, .cgm, .cib, .class, .cls, .cmt, .config, .contact, .cpi, .cpp, .cr2, .craw , .crt, .crw, .cry, .cs, .csh, .csl, .css, .csv, .d3dbsp, .dac, .das, .dat, .db, .db_journal, .db3, .dbf,. dbx, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .def, .der, .des, .design, .dgc, .dgn, .dit, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .edb, .eml, .eps,.erbsql,.erf, .exf, .fdb, .ffd, .fff, .fh, .fhd, .fla, .flac, .flb, .flf, .flv, .flvv, .forge, .fpx, .fxg, .gbr, .gho, .gif, .gray, .grey, .groups, .gry, .h, .hbk, .hdd, .hpp, .html, .ibank, .ibd, .ibz, .idx, .iif , .p12, .p7b, .p7c, .pab, .pages, .pas, .pat, .pbf, .pcd, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .php, .pif, .pl, .plc, .plus_muhd, .pm !, .pm, .pmi, .pmj, .pml, .pmm,.pmo, .pmr, .pnc, .pnd, .png, .pnx, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prf, .private, .ps, .psafe3, .psd, .pspimage, .pst, .ptx, .pub, .pwm, .py, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby , .qcow, .qcow2, .qed, .qtb, .r3d, .raf, .rar, .rat, .raw, .rdb, .re4, .rm, .rtf, .rvt, .rw2, .rwl,. .sd, .s3db, .safe, .sas7bdat, .sav, .save, .say, .sd0, .sda, .sdb, .sdf, .sh, .sldm, .sldx, .slm, .sql, .sqlite, .sqlite3, .sqlitedb, .sqlite-shm, .sqlite-wal, .sr2, .srb, .srf, .srs, .srt, .srw, .st4, .st5, .st6, .st7, .st8,.stc, .std, .sti, .stl, .stm, .stw, .stx, .svg, .swf, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .tax, .tbb, .tbk,.tbn, .tex, .tga, .thm, .tif, .tiff, .tlg, .tlx, .txt, .upk, .usr
And you will get a ransom note left by Redeemer 2.0 ransomware in every folder of your files. It will let you know that you could pay ransom fees to exchange for the decryption key. And Redeemer 2.0 ransomware has collaborated the websites for bitcoins which are the main currency in the darknet. It ask victims to buy some bitcoins to pay for the decryption key so that there is no way to track the hacker.
We firmly suggest that you should not buy decryption key from the hacker. Many victims have been scammed by hacker before for similar ransomware. You get no any guarantee when you pay the ransom fees. Moreover, hacker will be funded to make more ransomware if you pay them. And then your files can be re-infected sooner or later by new ransomware.
You should first get rid of Redeemer 2.0 ransomware from computer and then consider to recover the files with legitimate decryption tools.
Step 1 – Uninstall malicious programs from Control Panel.
Ransomware may infect your system after you install some malicious programs. To avoid being re-infected, first you should uninstall malicious programs from your computer:
- 1. Press “Windows key + R key” together to open Run window
- 2. Input “control panel” in Run window and hit Enter key to open Control Panel
- 3. Click Uninstall a program:
- 4. Right-click programs which may be related with Redeemer 2.0 ransomware and click Uninstall:
Step 2 Find and remove malicious registry entries of Redeemer 2.0 ransomware or malicious program.
Note – In case any suspicious files, unwanted program, unwanted browser extension, or unwanted search engine cannot be removed manually, it is often caused by malicious program, which may adds files to registry or make changes in registry . Therefore, to uninstall such stubborn items, you need to find and remove malicious files in the Registry Editor. Check the steps below:
1. Press “Windows key + R key” together to open Run window;
2. Input “regedit” in Run window and hit Enter key to open Registry;
3. Click Edit menu and select Find >> Type virus’s name into it and click Find Next >> Right click on the files and click Delete (Only If you can determine that they are related with malware):
Step 3 Restoring the files encrypted by Redeemer 2.0 ransomware.
Do not pay any money to recover your files. Even if you were to pay the ransom, there is no guarantee that you will regain access to your files.
The right way to recover your files is to count on legitimate decryption tools. Here are websites of popular cybersecurity community, you can try the decryption tools shared on their sites:
EmsiSoft Decryptor (Free)
EmsiSoft is working on developing free decryptor for the newest ransomware. Currently it provide user with over 40 free and useful decryptors. Please visit https://decrypter.emsisoft.com/ to find and download the decrypter you need.
3. Trend Micro Decryptor (Free)
Trend Micro Ransomware File Decryptor tool is able to decrypt certain type of ransomware. Visit the download page here to follow its instructions to download and use the decryotor for free.
4. Avast Free Ransomware Decryption Tools
Avast free ransomware decryption tools can help decrypt files encrypted by the many types of ransomware. Go to this Avast page and download the decyptors for the latest ransomware.
5. Kaspersky Free Ransomware Decryptors
Kaspersky russian lab now provides many free decryptors. Visit Kaspersky page here and have a try .
6. NoMoreRansom Decryptors
The No More Ransom Project provides free decryption tools for lots of ransomware. Have a try on these tools at this page: https://www.nomoreransom.org/en/decryption-tools.html