Rebus ransomware - How to remove

Rebus ransomware is not completely unique computer virus – it is just a new, updated version of Scarab ransomware which was given a different name. Once infiltrated into the computer, Rebus ransomware will try to lock your personal files by applying a special cryptography algorithm. Then, in order to get those files back, you will be asked to pay a ransom by sending cryptocurrencies to the wallet of cybercriminals.

ransomware is definitely one of the most dangerous computer viruses in the market, since it can result in the loss of your personal files and money (if you decide to pay the ransom).

Fortunately, paying the ransom is not the only option in this situation. You can use professional anti-malware software to remove the virus and then restore your locked files from a backup or try to employ free file restore tool. For more detailed instructions on how to do that, please continue reading the article.

We would also like to put our emphasis point on the fact that if Rebus ransomware managed to get into your system, other similar infections could possibly do the same. I.e. it indicates a weak security of your computer, thus you should pay your attention to that too.

Main qualities of Rebus ransomware

Rebus ransomware can start its’ processes once the payload is infiltrated into the computer. Once that is done, the virus will immediately upload some malicious files to the computer. Those files will be placed on different folders, such as /Windows/, /Local/, /AppData/, etc.

Next thing you know – your personal files such as photos, songs, videos, text documents and so on will be not accessible. That’s because Rebus will encrypt them and add .rebus extension to the end of every single file. For instance, if you had a file named “sample.jpg”, now it will look like “sample.jpg.rebus” and you won’t be able to access it anymore.

We don’t know exact cryptography that is used by this infection, but it is a pretty strong one. Immediately after your files are encrypted, a new file called “REBUS RECOVERY INFORMATION.TXT” will be generated and placed on your desktop automatically. Obviously, it is a file with instructions about your current situation and what should be done next:

=======================================================================================================================

YOUR FILES ARE ENCRYPTED!

Your personal ID
[redacted hex]

Your documents, photos, databases, save games and other important data was encrypted.
Data recovery the necessary decryption tool. To get the decryption tool, should send an email to:
[email protected] or [email protected]
If you dont get reply in 24 hours use jabber:
[email protected]
Letter must include Your personal ID (see the beginning of this document).
In the proof we have decryption tool, you can send us 1 file for test decryption.
Next, you need to pay for the decryption tool.
In response letter You will receive the address of Bitcoin wallet which you need to perform the transfer of funds.
If you have no bitcoins
* Create Bitcoin purse: https://blockchain.info
* Buy Bitcoin in the convenient way
https://localbitcoins.com/ (Visa/MasterCard)
https://www.buybitcoinworldwide.com/ (Visa/MasterCard)
https://en.wikipedia.org/wiki/Bitcoin (the instruction for beginners)
– It doesn’t make sense to complain of us and to arrange a hysterics.
– Complaints having blocked e-mail, you deprive a possibility of the others, to decipher the computers.
Other people at whom computers are also ciphered you deprive of the ONLY hope to decipher. FOREVER.

– Just contact with us, we will stipulate conditions of interpretation of files and available payment,
in a friendly situation
– When money transfer is confirmed, You will receive the decrypter file for Your computer.

Attention!
* Do not attempt to remove a program or run the anti-virus tools
* Attempts to decrypt the files will lead to loss of Your data
* Decoders other users is incompatible with Your data, as each user unique encryption key

=======================================================================================================================

As most of the time, developers of ransomware want the ransom to be paid in cryptocurrencies – it’s much more difficult to track those payments down, thus they can remain anonymous.

It is not disclosed how much you will have to pay – they encourage you to contact them via one of the following email addresses: [email protected], [email protected], [email protected] and send your personal ID, that was assigned to your computer. Then they will provide you with the information about the ransom and if you successfully pay it, they should send you a decryption tool.

We suggest not to force things – there are no guarantees that you will receive that promised decryption tool. Actually, there is no evidence that this tool even exists, so you can simply get scammed.

Technical features Rebus ransomware

Some ransomware viruses are developed by characterizing all processes in a first play – initially uploaded files determine how the virus will act from the beginning to the end. In this case, Rebus virus doesn’t have this feature thus once malicious files are uploaded, it will connect to the remote server owned by cybercriminals and receive detailed commands what should be done next.

Those commands usually are promising nothing good to you as a user. The program will automatically start scanning your hard drive to detect personal files that can be encrypted. Unfortunately, it can encrypt all kind of files used on a daily basis. It can even affect databases and backup files, thus if you are backing up your files in order to keep them safe, make sure to store the copy on an external drive or a cloud, so in case of such infection, it would remain safe.

Rebus ransomware, might customize Windows registry and make it more complicated to operate various anti-malware or anti-virus programs. It is a common practice used by ransomware infections like Aurora or LittleFinger.

Options to recover files encrypted by Rebus

You should understand that removing the virus from your system won’t restore your files. Nevertheless, that should be done in order to make sure that your computer is protected. The best way to do that is to scan your system with Spyhunter – either of those programs should be able to detect and remove malicious files and entries of Rebus automatically. Scroll down below for more detailed instructions.

Now, there are 3 main options when it comes to restoring your personal files:

• Restore files from a backup;
• Decrypt them with a decryption tool;
• Use file recovery software

If you have a legitimate backup copy of your hard drive that was made before the infection, it’s probably the most efficient method to solve the problem. Simply restore those files and your system will be normal once again.

However, in case you don’t have a backup, you might need a decryption tool or some kind of file recovery software. Since there is no free decryptor for Rebus ransomware at the moment, we recommend and you can only get it by paying the ransom, it’s not a good choice. Instead of that, you should get yourself one of many free file and try to get your files restored.

How to recover Rebus ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP

• Start → Shutdown → Restart → OK.
• Press F8 key repeatedly until Advanced Boot Options window appears.
• Choose Safe Mode with Command Prompt.

for Windows 8 / 10

• Press Power at Windows login screen. Then press and hold Shift key and click Restart.
• Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
• When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

 

2.Restore System files and settings.

• When Command Prompt mode loads, enter cd restore and press Enter.
• Then enter rstrui.exe and press Enter again.
• Click “Next” in the windows that appeared.
• Select one of the Restore Points that are available before Rebus ransomware has infiltrated to your system and then click “Next”.
• To start System restore click “Yes”.

 

Step 2. Complete removal of Rebus ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to Rebus ransomware. You can check other tools here.  

Step 3. Restore Rebus ransomware affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Rebus ransomware tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.

b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Rebus ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

• We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
• Download a data recovery program.
• Install and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.