Reha Ransomware

Would you be willing to pay a ransom in return for your files if someone snatched them? The attackers behind Reha Ransomware are hoping that you would because this malicious infection was created for the sole purpose of encrypting files. It does not look like it spies on victims, steals passwords, drops additional infections, or does anything else. Nonetheless, this malware is still pretty powerful, and that is because it hits the most vulnerable spot, personal files. The infection encrypts the files, which renders them unreadable, and if victims cannot read them, these files are as good as gone. This is when the attackers jump in and suggest that they can offer a tool that, allegedly, would restore files. Unfortunately, trusting the suggestions and promises of cybercriminals is extremely risky and, most likely, useless. That being said, perhaps you can recover your files or even replace them. We discuss this and the removal of Reha Ransomware in the report, and so if you are interested, continue reading.

As soon as Reha Ransomware was registered in our internal lab, it became obvious that this infection is a clone of Nbes Ransomware, Hets Ransomware, Kodc Ransomware, Mosk Ransomware, and many other infections that all derive from STOP Ransomware. The code of this malware was either made public, or the same attackers are building multiple infections to increase their chances of infecting more Windows systems. To infect systems, cybercriminals are most likely to exploit spam emails, bundled downloaders, and RDP vulnerabilities, which is something you need to keep in mind for the future if you want to avoid threats. After invasion, victims do not have much time to delete Reha Ransomware, and, in most cases, it encrypts all personal files without them suspecting a thing. The fact that files are encrypted is not hidden, and the “.reha” extension is added to mark them. Should you remove this extension? There is no reason to do that. If you want to restore files, you have to change the data of the files, and that is not something that can be done manually. The good news is that a free STOP Ransomware decryptor was created, and if you can employ it, there is a good chance that at least some of your files would be restored.

If you cannot use a free decryptor to free the files corrupted by Reha Ransomware, perhaps you have backups that could replace the encrypted files? With more and more file-encrypting threats emerging, saving copies of important documents and photos has never been more important. Use external hard drives and cloud storage systems to save copies, and even if you face ransomware again, you will not need to worry about the fate of your personal files. If you are not prepared, Reha Ransomware might convince you to do something very risky. Besides encrypting files, this malware also drops a ransom note file, called “_readme.txt.” The message inside declares that you can recover your files only if you contact the creator of the infection (at helmanager@firemail.cc/helmanager@iran.ir) and then pay a ransom that is set at 490 USD. Have you paid the ransom already? If you have, most likely, no tool has been sent back to you, and that is because cybercriminals are ready to tell you just about anything to make you give up your money. If you do not want to lose it, do not pay attention to the ransom message.

Can you delete Reha Ransomware manually? The answer to this question depends on your ability to identify malware files. If you cannot find the launcher – and we cannot know its location because we do not know how the threat invaded your system specifically – you will not be able to dele the threat manually. What should you do then? Well, in fact, even if you are ready for manual removal, we advise utilizing anti-malware software. Why? First of all, it will thoroughly scan your system to determine what threats exist, and note that the ransomware might run along with something else. Second, it will remove Reha Ransomware and all other threats that might exist automatically. Third, it will secure your system, which is important because, without protection, it could remain vulnerable to new infections. Of course, even if you secure your Windows operating system, you still need to protect files by backing them up, and you still need to be cautious about spam emails, bundled downloaders, and RDP vulnerabilities.

Reha Ransomware Removal

1. Delete the {unique name}.exe file that executed the threat (location/name are random).
2. Simultaneously tap Win and E keys to launch the Windows Explorer window.
3. Type %HOMEDRIVE% into the field at the top and tap Enter to access the folder.
4. Delete the folder called SystemID and the ransom note file called _readme.txt.
5. Move to %LOCALAPPDATA% (%USERPROFILE%\Local Settings\Application Data\ on Win XP).
6. Delete the folder with a random name that contains ransomware files.
7. Empty Recycle Bin and then quickly run a full system scan using a trusted malware scanner.