Redeemer Ransomware - How to remove

Redeemer ransomware is a malicious program that attacks computers and locks their files. The malicious actors behind Redeemer want to be paid thousands of dollars in order to fix the files that were broken.

At the moment, there is no known way to decrypt the files encrypted by Redeemer.

About Redeemer ransomware:

  • Threat type: ransomware, trojan.
  • How to recognize ransomware: it breaks files, making them unreadable; it changes the names of the broken files to end with “redeem”.
  • How Redeemer infects computers: it spreads with phishing emails; it’s distributed with hacked RDP accounts.
  • How to remove Redeemer ransomware: use antivirus tools (Spyhunter, others) to find and delete malware.

How to recognize Redeemer ransomware?

Redeemer is malicious software. It infects computers secretly, then encrypts files.

Encryption is a tool to hide information by making the content of a file or a message look random. For instance, browsers and websites encrypt our traffic to keep it private. You can also encrypt your files to password-protect them.

Redeemer and other ransomware (Prometheus, Sspq, etc.) infect computers and use encryption to password-protect the files on these infected computers. Then, Redeemer encrypts the password (the decryption key) and marks the encrypted files with the second extension “.redeem”.

You can check what ransomware attacked your computer by using the ID Ransomware site.

If your Windows shows file extensions, then after a Redeemer attack, you might see your files with blank page icons and names like this:

Document.docx.redeem

Redeemer also creates ransom notes like this:

— Redeemer —

All your files have been encrypted using an advanced encryption algorithm. They cannot be decrypted without a decryption tool and a key.

In order to decrypt your files you will need to pay 20 XMR (Monero). After paying you will get a tool and a key to decrypt your files.
You can find more information about Monero on getmonero.org and you can buy it from localmonero.co or any other website or use any cryptocurrency exchange that has Monero listed.
WARNING: Do not modify the files, don’t change their names and locations, otherwise they won’t be able to be decrypted.
AFTER you obtain the required amount of XMR, contact [email address] and send the following key:

[key]

Redeemer asks for 20 XMR.

Extortionists use Redeemer ransomware to force the victim to send them money. These criminals promise that they’ll fix the files that were broken by Redeemer if the victim pays them. At the time of writing, 20 XMR is around 4,800 dollars. Cybercriminals often demand sums of this size from small businesses.

How to avoid ransomware

Redeemer might spread with phishing emails, hidden in malicious attachments. Extortionists could also hijack remote access accounts and plant Redeemer themselves. There are many ways in which file-encrypting malware spreads. As Redeemer is still quite new, some questions remain about how it attacks computers.

The best way to protect yourself against ransomware is to regularly back up your files. The backups could be disconnected external drives, cloud backups, etc. As long as the backed-up data remains untouched by the Redeemer ransomware attack, it can be restored later, after all the malware is removed.

How to remove Redeemer ransomware

Antivirus programs flag Redeemer with the labels Trojan, Ransom, and Malware (see Virustotal.com). To find and delete Redeemer and all other malware, use antivirus programs like Spyhunter and others. In addition or instead, reformat your storage drives to remove all traces of Redeemer.

It’s also important to find out how Redeemer infected your computer and to stop that from happening again. Make sure that no infected files, such as malicious email attachments, are still around to be run again accidentally. If needed, change your remote access credentials and use multi-factor authentication.

It’s very unlikely that a decryption tool will be developed to unlock the Redeemer-encrypted files for free. But if such a tool ever is released (most likely by cybersecurity researchers), then it should appear on Nomoreransom.org. If you keep the encrypted files and ransom notes left by Redeemer and a decryptor is made available, you might be able to get your data back. Still, this is very unlikely to happen.
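An added example (not part of the original article): a read-only inventory of files carrying the “.redeem” second extension described above, with SHA-256 hashes so the encrypted copies can be preserved unchanged in case a decryptor is ever released. The function names, manifest fields and the sample tree in demo() are assumptions made for illustration.

```python
import hashlib
import os
import tempfile
from collections import Counter
from pathlib import Path

MARKER = ".redeem"  # second extension this page says Redeemer appends

def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def build_manifest(root):
    """Read-only walk: files are opened for reading, never renamed or moved."""
    rows = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            # Match "Document.docx.redeem", but not a file named just ".redeem".
            if not name.lower().endswith(MARKER) or len(name) == len(MARKER):
                continue
            path = Path(dirpath) / name
            st = path.stat()
            rows.append({
                "path": str(path),
                "original_ext": Path(name[: -len(MARKER)]).suffix.lower() or "(none)",
                "size": st.st_size,
                "mtime": int(st.st_mtime),
                "sha256": sha256_of(path),
            })
    return sorted(rows, key=lambda r: r["path"])

def summarize(rows):
    """Per-type counts; the earliest mtime hints at when encryption began."""
    by_ext = Counter(r["original_ext"] for r in rows)
    first = min((r["mtime"] for r in rows), default=None)  # assumes timestamps were not reset
    return {"count": len(rows), "by_ext": dict(by_ext), "first_mtime": first}

def demo():
    """Constructed sample tree, not real victim data."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel in ("Document.docx.redeem", "pics/a.JPG.redeem", "notes.txt"):
            p = Path(tmp, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"constructed sample bytes")
        return summarize(build_manifest(tmp))
```

Run build_manifest() against a mounted copy of the affected drive and store the resulting manifest with the backup of the encrypted files; the earliest timestamp can also help pick a backup or restore point from before the attack.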

How to recover Redeemer Ransomware encrypted files and remove the virus

Step 1. Restore the system to its last known good state using System Restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points from before Redeemer infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.


Step 2. Complete removal of Redeemer Ransomware

After restoring your system, scan your computer with an anti-malware program, such as Spyhunter, and remove all malicious files related to Redeemer.

Step 3. Restore Redeemer Ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, you may still be able to use shadow copy snapshots. They store copies of your files as of the point in time when the system restore snapshot was created. Redeemer usually tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so.

Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy: using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous versions tab. You will now see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Redeemer Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try the following:
  • We suggest using another PC and connecting the infected hard drive as a slave drive. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.