Severity scale:  

Remove RekenSom ransomware (Removal Instructions) - Recovery Instructions Included

removal by Olivia Morelli - - | Type: Ransomware

RekenSom ransomware – a crypto-malware asks for 0.015 BTC for file redemption

RekenSom ransomwareRekenSom ransomware is a file locking virus that is still in a development

RekenSom ransomware, otherwise known as Ghack ransomware, is a file locking virus that was first spotted by security researchers in mid-March 2020. Just like any other malware of such type, it will encrypt pictures, videos, documents, and other data on the host system with the help of a strong encryption algorithm (AES and RSA)[1] and then demands a ransom for the decryption tool that would allow victims to access it once again. Besides adding an extension, the RekenSom virus also scrambles the names of files, making them unrecognizable.

Currently, there are two different versions of RekenSom ransomware – ope appending .RekenSom extension, while the other one – .som (in some cases, the malware will also delete files instead of encrypting them). After the data locking process, it will drop a pop-up window named “Form1,” which informs victims that they need to pay 0.015 Bitcoin in order to recover access to their data. Instead of providing an email address, cybercriminals behind RekenSom ransomware instead use Telegram for communication purposes (@Rekensom).

Name RekenSom ransomware
Type File locking virus, crypto-malware
Family  Cute/MyLittleRansomware > KRider
Encryption method

All non system files and non executables are appended in different ways, depending on version:

  • [randomstring].RekenSom
  • Encrypted[number_of_dashes].som
Related files Reken.exe, FinalReken.exe, GHack.exe, WindowsFormsApplication8.exe, secretAES.txt, secret.txt, sendBack.txt
Ransom note  First few samples of malware did not include a ransom note or showed a pop-up including just a numpad. The most recent variant (.som) delivers a pop-up window called “Form1” which explains the situation to victims in detail
Contact In the ransom note, crooks ask users to first pay the ransom and then contact them via Telegram @Rekensom
Ransom size 0.015 Bitcoin. According to crooks, if this payment will not be performed within 24 hours, decryption key will be deleted 
Bitcoin wallet 1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX
Data recovery  Without backups, there is not a safe and 100% working method of data recovery. Paying cybercriminals is very risky, as they might never deliver the required decryption tool. You can find alternative approaches that might be able to help you to retrieve access to at least some of your files below. Before you attempt this, ensure you make a copy of all the locked data
Malware removal  To get rid of the infection, you should scan the machine with powerful anti-malware software
System fix In case Windows is malfunctioning after you eliminate the malware, repair virus damage with Reimage Reimage Cleaner Intego

While there is no RekenSom ransomware decryptor currently available that would help you recover your files for free, you should not rush to pay the ransom or contact the criminals. It is yet unclear what type of cybercriminals are behind this strain and whether they are willing to provide the required decryption tool after the payment is made. Instead, you should remove RekenSom ransomware and then attempt to retrieve your files using different methods that we list in our recovery section below.

If RekenSom ransomware removal is not performed, your data will be encrypted repeatedly. Nevertheless, it is also important to make a copy of files that were affected by malware first, as any type of action might permanently damage them. As for termination of the virus, you can employ anti-malware tools that recognize the infection under the following names:[2]

  • Generic.Ransom.Hiddentear.A.5F086186
  • MSIL.Trojan-Ransom.Cute.B
  • Ransom:MSIL/Rekensom.AA!MTB
  • HEUR:Trojan-Ransom.MSIL.Encoder.gen
  • Win32:Trojan-gen
  • A Variant Of MSIL/Filecoder.BQ, etc.

In case RekenSom ransomware termination affected your computer in negative ways, and you are experiencing lags, crashes, random reboots, BSODs, and similar issues, use repair software Reimage Reimage Cleaner Intego to fix virus damage at once.

RekenSom ransomware detection rateRekenSom ransomware can be stopped with the help of many powerful anti-malware programs

RekenSom was still in development

It is believed that RekenSom ransomware stems from an old malware family – KRider, although its initial actions pointed at the fact that it was still under active development. First samples of the malware that were spotted in the wild did not provide any ransom note. Later on, cybercriminals added a lockscreen that would only include a number pad – allegedly where some type of code should be inserted. Nevertheless, no contact info was provided, so there was no way of finding out what the password was. Additionally, the first few samples of the RekenSom virus only encrypted data on the desktop.

Typically, ransomware uses a secure encryption algorithm (either symmetric or asymmetric, or a combination of those) to lock all data on the device, and assigns each victim with a unique ID. This identifier is then sent over to the Command $ Control server, along with the decryption key that is needed to unlock files. RekenSom ransomware failed to contact its servers and deliver the key at first.

Finally, with the .som variant of RekenSom ransomware, a meaningful ransom note was found – named Form1. It informed users that their files have been encrypted with the RSA-2048 algorithm and that users only have 48 hours to deliver the payment of 0.015 BTC to the attackers. The ransom note states:

What happened to my files?
Your personal files, including your photos, documents, videos and other important files on this computer, have been encrypted with RSA-2048, a strong encryption algorithm. RSA algorithm generates a public key and a private key for your computer. The public key was used to encrypt your files a moment ago. The private key is necessary for you to decrypt and recover your files. Wm, your private key is stored on our secret Internet server. And there is no doubt that no one can recover your files without your private key.

How to decrypt my files?
To decrypt and recover your files, you have to pay 0.015 BTC (Bitcoin) for the private key and decryption service. Note that you ONLY have 24 hours to complete your payment. If your payment is not completed within time limit, your private key will be deleted automatically by our server. All your files will be permanently encrypted and nobody can recover them. Therefore, it is advised that you'd better not waste your time, because there is no other way to recover your files except making a payment

How to pay for my private key?

How to pay for my private key There are three steps to make a payment and recover your files.
1. For the security of transactions, all the payment must be completed via Bitcoin network This, you need to exchange some money to 0.015 Bitcoin, and then send it to the following receiving address:

For futher information about BTC, please refer to the net “Payment Tab”.
2. After making a payment with BTC, please send your personal ID to out TELEGRAM: @Rekensom

Your personal ID:

3. You will recieve a decrypt key to recover all your files
please keep checking your TELEGRAM.



WARNING: If you close this window your files will be deleted for ever.
just warning you

As evident, crooks claim that the decryption key will be deleted if the demands are not fulfilled in time – this tactic makes users act more quickly rather than think of other methods of retrieving data. Indeed, currently, there is no decryption tool that would recover data locked by RekenSom virus for free, but paying criminals is very risky. Hence, try using alternative methods we provide below instead.

RekenSom ransomware virusRekenSom ransomware is malware that uses AES + RSA to lock all files on the infected system

Before encrypting files, RekenSom ransomware also performs a variety of changes to the Windows machine, such as modifications to the registry database, deletion of Shadow Volume Copies, insertion of malicious files, etc. In fact, the malware has a module that allows the attackers to steal information from the computer. Thus, never type anything or visit online banking, social media, or similar sites that require you using your personal details, as they could be stolen by cybercriminals behind RekenSom.

Threat actors can employ multiple different methods to deliver ransomware to victims

Malware delivery methods vary – it highly depends on the business model operated by crooks. For example, one of the most prominent ransomware families Djvu is distributed via software cracks and pirated software installers exclusively – it manages to infect hundreds of users daily. In the meantime, other strains such as Nemty/Nefilim or Dharma use multiple attack vectors[3] to infect victims worldwide.

Since new ransomware samples emerge almost every day, it is not always known what the main distribution tactic is. Therefore, to protect yourself from the most devastating malware type around, keep in mind the following things:

  • Watch out for spam emails – attachments or obfuscated hyperlinks may be infectious so ensure that the email is legitimate first;
  • Equip your computer and networks with reputable anti-malware software with real-time protection feature;
  • Patch your operating system and the installed programs as soon as the updates are released;
  • Use strong passwords to protect your accounts – especially Remote Desktop connection (while using it, employ a VPN);
  • Never download software cracks/keygens/loaders, etc.;
  • Backup your most important files regularly – this could prevent most of the negative consequences of the infection!

Finally, the most important thing is to be careful and act responsibly when browsing the web and checking the email. If in doubt – do not enter the site, do not click on links, and seek help on tech forums or security blogs instead.

Terminate RekenSom virus infection and only them attempt to recover data

Malicious actors behind the RekenSom virus claim that you will not be able to recover data if you close the pop-up window “Form1” that shows the timer. Therefore, it is important not to perform any actions before copying the encrypted data over to a secure environment where the malware will no longer be capable of destroying it. Thus, use a USB flash driver or a virtual drive like Dropbox to make a copy of your files. Then, proceed with RekenSom ransomware removal (note that this is only applicable to victims that do not have backups to recover data from).

RekenSom ransomware encrypted filesTo recover data encrypted RekenSom virus, crooks ask to pay 0.015 Bitcoin

To remove RekenSom ransomware from your machine, you should employ a reputable anti-malware program of your choice. In case the virus is tampering with it, access Safe Mode with Networking and perform a scan from there – you can find the instructions on how to do that below. Finally, use alternative methods to recover your data, although keep in mind that they might not always be successful, unfortunately.

do it now!
Reimage Happiness
Intego Happiness
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage Intego, submit a question to our support team and provide as much details as possible.
Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Reimage, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

To remove RekenSom virus, follow these steps:

Remove RekenSom using Safe Mode with Networking

Use Safe Mode with Networking if malware is interfering with your security software:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove RekenSom

    Log in to your infected account and start the browser. Download Reimage Reimage Cleaner Intego or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete RekenSom removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove RekenSom using System Restore

Safe Mode is another method to get rid of the infection:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of RekenSom. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage Reimage Cleaner Intego and make sure that RekenSom removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove RekenSom from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by RekenSom, you can use several methods to restore them:

Make use of Data Recovery Pro software

This third-party tool might be able to retrieve at least some of your files on your hard drive (note that chances diminish upon using your computer more).

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by RekenSom ransomware;
  • Restore them.

Windows Previous Versions feature might help you recover .RekenSom or .som files

If you had System Restore enable before the virus attacked, you could try using Windows Previous Versions feature.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer method might be useful

If the RekenSom file virus failed to delete Shadow Volume Copies, this tool should be able to recover your data for free.

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

No decryption tool is currently available

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from RekenSom and other ransomwares, use a reputable anti-spyware, such as Reimage Reimage Cleaner Intego, SpyHunter 5Combo Cleaner or Malwarebytes

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. It is a hassle when your website is protected from suspicious connections and unauthorized IP addresses.

The best solution for creating a tighter network could be a dedicated/fixed IP address. If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for server or network manager that need to monitor connections and activities. This is how you bypass some of the authentications factors and can remotely use your banking accounts without triggering suspicious with each login. 

VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world. It is better to clock the access to your website from different IP addresses. So you can keep the project safe and secure when you have the dedicated IP address VPN and protected access to the content management system.

Backup files for the later use, in case of the malware attack

Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.

About the author
Olivia Morelli
Olivia Morelli - Ransomware analyst

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Olivia Morelli
About the company Esolutions


Your opinion regarding RekenSom ransomware