Reco ransomware (Free Guide) - Removal Instructions

Reco virus Removal Guide

What is Reco ransomware?

Reco ransomware is the cryptovirus that affects pictures, documents and other files with encryption once it gets on the system

Reco ransomware virus is the product of money-motivated people, so do not even consider paying the ransom. Reco ransomware is malware that infects the system and locks personal files found on the computer to demand payment in Bitcoin. Some victims claim that it spreads together with Bora, a version originating from the same virus family. This crypto-extortion threat focuses on file encryption, and once that is done, .reco gets added to the end of every file name. This file marker indicates which data got encoded, and the _readme.txt file placed on the desktop details what victims need to do to get their files back to a previous state. This is a version of the DJVU virus that got released in the first week of October, a few days after variants that use the .noos and .boot extensions got discovered. Because this malware is associated with a criminal group, we don't recommend paying or contacting them via any platform.

Reco ransomware virus is almost the same as other versions in the family, but recent variants cannot be decrypted by the researchers who previously developed the STOP virus decrypter. The recently perfected encryption process broke this decryption method. Right now, files encoded by this threat can be restored either with third-party data recovery software or from file backups stored on a remote device. There are some possibilities to get files recovered with the help of researchers by using their services, but that is either pricey or works with offline keys only. Nevertheless, we list everything that you can go through to find the perfect solution. You should be very careful with file recovery, since the core file might be loaded in the system folder and encryption repeats itself later.

Name: Reco ransomware
Type: Cryptovirus
Family: Djvu/Stop virus
Contact information:
File marker: .reco is the appendix that gets added at the end of the file name and indicates encrypted data
Ransom note: the _readme.txt file contains instructions on further steps and states that the victim needs to pay to a particular Bitcoin address to get the opportunity of restoring files
Decryption possibilities:
  • Unfortunately, when particular online keys get used to lock your data, decryption is barely possible. But when offline keys are in use for encryption, you can try the method listed here.
  • A tool from Dr.Web researchers can also be helpful for DJVU virus versions.
Distribution: Files infected with a malicious script get loaded as email attachments or included in software crack packages. Various samples show that payload droppers get activated by downloading check codes for video games and pirated software
Damage: This malware can alter settings on the machine, disable programs or delete certain files. Particular modifications may damage the device and affect file recovery later on
Elimination: A thorough system scan using anti-malware tools can help remove Reco ransomware completely from the machine. You would also benefit from virus damage removal with FortectIntego

When it comes to crypto-extortion threats like Reco ransomware, infiltration starts with a payload dropper that gets included in pirated software packages from torrent sites or attached to emails with forged header information. Such spam emails trick you into believing that a shipping or retail company is sending you notifications. When you believe that FedEx, DHL, or any other service contacted you, malware can freely get on the system. The infection still requires triggering the malicious macros[1] that are laced into the document or PDF.

Unfortunately, once that is done, Reco ransomware loads on the machine and starts encrypting files immediately. Files in various formats get locked: .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .pdf, .pdd, .psd, .dbf, .mdf, .pptm, .pptx, .ppt, .xlk, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt. They are then marked with .reco, which indicates the name and type of the malware.

This typical cryptovirus then demands payment from victims in a ransom note generated as a text file. Reco ransomware developers try to build trust with victims, so a discount and test decryption of one file are offered. However, paying is not getting you anywhere.[2]

Reco ransomware ransom note shows the following text:


Don’t worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.

To get this software you need write on our e-mail:

Reserve e-mail address to contact us:

Your personal ID:

You should go straight to Reco ransomware removal and file recovery planning instead of contacting the extortionists or paying the hefty amount of $980 in Bitcoin. Experts[3] note that criminals are not concerned about your belongings and only focus on getting money.

Reco ransomware makes an effort to trick people into paying for the alleged decryption, while this is not the best option. Previously, the official decryption tool was developed and updated once a new variant came out, but now it is useless for the other versions.

The first thing you can do when you encounter Reco ransomware or another virus is to check for a decryptor:

However, when there is nothing officially created for this particular Reco ransomware virus, it is better to stay away and focus on malware elimination. There are a few other options when your files get encrypted using offline keys, including a possible tool for some of your data.

But we recommend performing the automatic Reco ransomware removal while you store those encrypted files for a later occasion. This can be done with anti-malware tools and security software that helps to clean your device of virus damage, associated files, and related programs.

Besides the encryption, Reco ransomware can also place other files and programs, so you need to eliminate them all. Even when anti-malware tools like FortectIntego manage to eliminate virus traces, some alterations may be left behind. Find a file loaded in C:\Windows\System32\drivers\etc\ and delete it to avoid further infection. For other instances when Shadow Volume Copies get eliminated, you should check the guide below.
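Before cleaning up, it helps to know exactly which files carry the .reco marker, where the _readme.txt notes were dropped, and which encrypted files already have a clean copy in a backup. The following is an added example, not part of the original guide; the function names are hypothetical, and it assumes the backup folder mirrors the folder layout of the affected one. It only reads the file system and changes nothing.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

MARKER = ".reco"           # file marker named on this page
NOTE_NAME = "_readme.txt"  # ransom note name named on this page


def inventory(root, backup_root=None):
    """Classify what the infection left under `root` (hypothetical helper).

    Assumption: `backup_root`, if given, mirrors the relative layout of `root`.
    Nothing is modified or deleted; encrypted files stay where they are.
    """
    root = Path(root)
    backup_root = Path(backup_root) if backup_root else None
    report = {"notes": [], "recoverable": [], "unrecovered": [], "by_type": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower() == NOTE_NAME:
                report["notes"].append(path)
                continue
            if not name.lower().endswith(MARKER):
                continue
            # "report.docx.reco" -> "report.docx"
            original = name[: -len(MARKER)]
            ext = Path(original).suffix.lower() or "(none)"
            report["by_type"][ext] += 1
            candidate = None
            if backup_root is not None:
                rel_dir = path.relative_to(root).parent
                candidate = backup_root / rel_dir / original
            if candidate is not None and candidate.is_file():
                report["recoverable"].append((path, candidate))
            else:
                report["unrecovered"].append(path)
    return report


def build_sample():
    """Constructed sample tree (not real victim data) for a dry run."""
    base = Path(tempfile.mkdtemp())
    live, backup = base / "live", base / "backup"
    for rel in ("docs/report.docx.reco", "docs/_readme.txt",
                "pics/holiday.jpg.reco", "pics/untouched.png"):
        target = live / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"x")
    clean = backup / "docs" / "report.docx"
    clean.parent.mkdir(parents=True, exist_ok=True)
    clean.write_bytes(b"original")
    return live, backup


if __name__ == "__main__":
    r = inventory(*build_sample())
    print({k: (dict(v) if k == "by_type" else len(v)) for k, v in r.items()})
```

Files listed under `unrecovered` are the ones to keep aside for a later decryption attempt; those under `recoverable` can be restored from the backup once the machine is clean.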

Research before you blindly rely on the source or software

Getting anything from the internet should raise more questions, especially when choosing the program provider or a website you get the software from. There are tons of websites related to suspicious providers or even sources like torrents, public pirating services. These providers are not disclosing the risk properly, so you cannot know about the cyber infection possibility.

Based on some malware samples, this version of the cryptovirus comes in torrent packs delivering:

  • video games;
  • game check codes;
  • pirated software;
  • tools for picture editing;
  • serial numbers of the licensed software or game versions.

Also, emails with false information about shipping details can trick the person into downloading infected file attachments. Pay attention to anything received in your email inbox and to the websites and services you use and visit constantly. Rely on official developers and providers instead of free pages.

Reco ransomware elimination is a difficult process, so make sure to use professional tools

Reco ransomware virus is the malware that alters functions and disables some tools, programs running on the system. There is no easy way to tackle all those alterations manually, so you need to check the machine for virus damage automatically with the help of anti-malware tools.

When you rely on Reco ransomware removal and employ proper software for that, you can follow the scan results and see what programs and files got detected as malicious. Choosing the right tool is not that difficult when you go for reliable sources.

Databases that get used by antivirus tools depend on many factors, anti-malware engines, for example, so when you remove Reco ransomware and need to make sure that the threat is completely deleted, get FortectIntego, SpyHunter 5Combo Cleaner, or Malwarebytes and double-check again.

Terminate Reco ransom-demanding virus with the help of this video guide

This is the malicious program that spreads around via suspicious emails received from unknown senders that can load a few files on the machine at once. Unfortunately, software crack packages also deliver a bundle of files on the machine. To fully terminate this infection and get rid of the possible risks, you need to make sure that all parts of the virus, associated files and programs get deleted completely. The video shows you all the steps needed to take when you want to get back to a virus-free system, so follow them closely.


Getting rid of Reco virus. Follow these steps

Manual removal using Safe Mode

Reboot the machine in Safe Mode with Networking, so you can eliminate Reco ransomware completely from the system without virus interruption.

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot.
  7. Go to Advanced options.
  8. Select Startup Settings.
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking.

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
  5. Go back to the process, right-click and pick End Task.
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove Reco using System Restore

System Restore is the feature that allows recovering the machine to a previous state where Reco ransomware was not running

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore (without quotes) and press Enter.
    2. Now type rstrui.exe (without quotes) and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point that is prior to the infiltration of Reco. After doing that, click Next.
    4. Now click Yes to start system restore.
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that Reco removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Reco from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by Reco, you can use several methods to restore them:

Data Recovery Pro is the software allowing to get your files back to a useful stage

Once Reco ransomware encodes files, they become useless and unopenable, so rely on this third-party program to get them back in use

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Reco ransomware;
  • Restore them.

Windows Previous Versions is the feature of your OS that helps as alternative for file backups

When you enable the System restore, Windows Previous Versions works for file restoring

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer feature for your file locked by Reco ransomware

When malware leaves Shadow Volume Copies alone, you can rely on ShadowExplorer

  • Download Shadow Explorer;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Decryption tool officially is not developed yet

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Reco and other ransomware, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes.

How to prevent from getting ransomware


Recover files after data-affecting malware attacks

While much of the data can be accidentally deleted due to various reasons, malware is one of the main culprits that can cause loss of pictures, documents, videos, and other important files. More serious malware infections lead to significant data loss when your documents, system files, and images get encrypted. In particular, ransomware is a type of malware that focuses on such functions, so your files become useless without an ability to access them.

Even though there is little to no possibility to recover after file-locking threats, some applications have features for data recovery in the system. In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection. 


About the author
Gabriel E. Hall
Gabriel E. Hall - Passionate web researcher
