Repg ransomware (Decryption Methods Included) - virus

What is Repg ransomware?

Repg ransomware – a powerful computer virus that restricts access to non-system files

The virus locks data to have a purpose for these money demanding messages

Repg ransomware is yet another file-locking virus that encrypts the data and asks for payment to decrypt it. This cyber threat can infect any computer that runs on Windows operating system. Since it spread primarily through file-sharing platforms, such as torrent websites, and demanded ransom amount is relatively low, this file-locker is aimed at ordinary computer users. This should come as no surprise as the virus belongs to the Djvu ransomware family that was first observed in September 2017.

When this infection is downloaded, camouflaged as the latest game crack, pirated software, etc., and executed, it immediately starts to do its job. The encryption process^[1] starts alongside other functions that the crypto-malware has. Those include alterations in system folders and preferences.

Once the file-locking procedure is done, affected files get marked using the .repg appendix, hence the name of this virus. The victim can't open any affected data, and this means that all personal files are locked: photos, videos, documents, etc.

Moreover, the infection deletes Volume Shadow Copies from the computer by running a command-line interface: vssadmin.exe Delete Shadows/All/Quiet. By deleting Shadow Copies, the ransomware ensures that the victim will not be able to recover the encrypted files easily.

After that, the ransom note _readme.txt is dropped to the desktop and placed in other folders where locked files are. This message is an informational note from cybercriminals who ask for payment while promising to give a decryption key or alleged decryption software. Unfortunately, you cannot be sure that files get restored even after paying them.

This infection controls the system and directly affects common data

Basically, criminals cannot be trusted at all. Through the ransomware, they also run another virus – AZORULT trojan. This cyber threat is a Remote Access Trojan (RAT) that enables control over the infected device. Such a virus is quite dangerous because it allows hackers to secretly surveillance a victim's actions. So, do you really want to try to negotiate with such criminals?

If you do not know how the ransom note looks like, you should remember that hackers are trying to intimidate their victims and force them to pay the ransom. Here is an example of a message:

ATTENTION!

Don’t worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-fhnNOAYC8Z
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.

To get this software you need write on our e-mail:
manager@mailtemp.ch

Reserve e-mail address to contact us:
helpmanager@airmail.cc

Once this ransom note appears the cryptovirus has accomplished its primary mission. The cyberthreat successfully encrypted all personal data and inserted PersonalID.txt and bowsakkdestx.txt files on the infected computer. These files contain the victim's personal ID and allow the developers of this ransomware to access saved personal identification on the device.

However, in such a situation you do not need to panic immediately. We do not recommend communicating with cybercriminals, but there are other ways to recover files. You should remove the Repg ransomware first and then try to recover important data. Recovery options are provided in this article.

Removal and system repair instructions

Before the removal process, copy all encrypted files to a removable storage device – an SSD, a USB thumb drive, etc. Locked files do not contain any malicious code, so it is safe to transfer them. After transferring, be sure to disconnect the device from the infected computer.

Normally, now would be the time to install the Malwarebytes or similar security software and perform a full system scan with it to remove the Repg virus. But not this time, because you may fail if you try to run the program in the normal way.

Threat aims to get payments from victims when their systems get affected

This ransomware^[2] might prevent you from visiting any security-related websites by modifying hosts files. It also might prevent you from downloading and installing any antivirus software. Djvu ransomware variants add dozens of entries containing URLs of how-to articles and similar security-related websites, such as 2-spyware.com.

Each of the entries means that users will not be able to access the listed web addresses and will receive a DNS_PROBE_FINISHED_NXDOMAIN error instead. If you don't know how the “hosts” file entries look like, here's an example:

So, if you want to remove the virus, you will need to do all that after rebooting your Windows computer in Safe Mode with Networking. If you don’t know how to do this, just follow our instructions.

Windows 7 / Vista / XP

1. Click Start > Shutdown > Restart > OK.
2. When your computer becomes active, start pressing the F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
3. Select Safe Mode with Networking from the list.
   

Windows 10 / Windows 8

1. Right-click on the Start button and select Settings.
   
2. Scroll down to pick Update & Security.
   
3. On the left side of the window, pick Recovery.
4. Now scroll down to find the Advanced Startup section.
5. Click Restart now.
   
6. Select Troubleshoot.
   
7. Go to Advanced options.
   
8. Select Startup Settings.
   
9. Click Restart.
10. Press 5 or click 5) Enable Safe Mode with Networking.
    

Once you reach Safe Mode, launch SpyHunter 5Combo Cleaner or another reputable antivirus, update it with the latest definitions, and perform a full system scan to eradicate malware and all its malicious components. Either of the recommended programs will automatically detect all malicious files and entries and suggest eliminating them. Please stick with the recommendations to fully remove the threat.

Moreover, it is always a good idea to have powerful security software on the computer because these days cybercrime is on the rise. You should keep such a program always working, frequently update it and remember to perform full system scans at least a couple of times per week.

But even after you remove the virus, you may run into problems. It happens because once a computer is infected with ransomware, not only all personal files are locked but also the system of the device is changed to operate differently. For example, an infection can alter the Windows registry database, damage vital bootup, and other sections, delete or corrupt DLL files, etc.

Once a system file is damaged by malware, antivirus software is not capable of doing anything about it, leaving it just the way it is even after the virus removal. Consequently, victims might experience performance, stability, and usability issues, to the point where a full Windows reinstallation is required.

Therefore, we highly recommend using a FortectIntego – powerful repair tool. Not only can it fix Repg virus damage after the infection, but it is also capable of removing malware that has already broken into the system thanks to several engines used by the program. Besides, this program is also capable of fixing various Windows-related issues that are not caused by malware infections, for example, Blue Screen^[3] errors, freezes, registry errors, damaged DLLs, etc.

• Download the application by clicking on the link above
• Click on the ReimageRepair.exe
  
• If User Account Control (UAC) shows up, select Yes
• Press Install and wait till the program finishes the installation process
  
• The analysis of your machine will begin immediately
  
• Once complete, check the results – they will be listed in the Summary
• You can now click on each of the issues and fix them manually
• If you see many problems that you find difficult to fix, we recommend you purchase the license and fix them automatically.
  

With the help of FortectIntego, you would not have to worry about future computer issues, as most of them could be fixed quickly by performing a full system scan at any time. So this tool will be useful not only after this infection but in the future too.

How to recover encrypted files

Once your computer is completely clean, you can try to recover .Repg files. As already mentioned, we do not recommend trying to communicate with criminals and pay a ransom. By paying money, you would encourage hackers to create new viruses. Also, there is no guarantee that they will really help you recover your files, so it is better not to risk at all. Simply try other recovery options – maybe you will be able to recover some files.

If you have infected your computer with one of the Djvu variants, you should try using Emsisoft decryptor for Djvu/STOP. But it is important to note that this tool will not work for everyone – it only works if data was locked with an offline ID due to malware failing to communicate with its remote servers. If an online ID has been used, then unfortunately, this tool will not help.

Even if your case meets the offline ID condition, the decryption tool will not necessarily work. It is because somebody from the victims has to pay criminals, retrieve an offline key, and then share it with security researchers at Emsisoft. As a result, you might not be able to restore the encrypted files immediately.

But don’t lose hope in the same second. If the decryptor says your data was locked with an offline ID but cannot be recovered currently, you should try later. Maybe cuber security specialists will get the offline key after a week or two. You also need to upload a set of files – one encrypted and a healthy one to the company's servers before you proceed.

• Download the app from the official Emsisoft website.
  
• After pressing the Download button, a small pop-up at the bottom, titled decrypt_STOPDjvu.exe should show up – click it.
  
• If User Account Control (UAC) message shows up, press Yes.
• Agree to License Terms by pressing Yes.
  
• After Disclaimer shows up, press OK.
• The tool should automatically populate the affected folders, although you can also do it by pressing Add folder at the bottom.
  
• Press Decrypt.
  

From here, there are three available outcomes:

1. “Decrypted!” will be shown under files that were decrypted successfully – they are now usable again.
2. “Error: Unable to decrypt file with ID:” means that the keys for this version of the virus have not yet been retrieved, so you should try later.
3. “This ID appears to be an online ID, decryption is impossible” – you are unable to decrypt files with this tool.

If this tool has helped recover .repg files, congratulations on successful virus removal and recovery of your important data. If it didn't help, please stay optimistic. Below you will find other possible recovery options that may help solve this tricky situation.