RedEye ransomware - How to remove

RedEye is a ransomware/wiper virus. Even though there are some signs that this infection might be encrypting files and you will be forced to pay a ransom in order to retrieve them, we honestly doubt it – recent evidence shows that the virus simply replaces your files with empty ones and then runs a countdown clock until your operating system is completely ruined.

It was developed by the same person or a group of hackers who developed Annabelle and Jigsaw infections – both of them also featured wiper qualities, therefore we have a strong feeling that RedYey is just another for fun project by some underaged hacker.

Unfortunately, that is not that funny if your computer is infected and you are about to lose all your personal files. In case you are not familiar with a term ‘wiper yet, it is a virus that erases everything that is stored on the hard drive. How’s that different from a ransomware infection? Well, ransomware viruses only encrypt information and provide users with an ability to restore it when the ransom is paid.

If you were unlucky enough and RedYey malware managed to get inside of your computer, please continue reading this article and we will provide you with the instructions that you should follow in order to save your system.

How RedEye ransomware works

In case your computer gets infected with RedEye, the system will be immediately restarted without even asking you for permission to do that. Once it is restarted, you will soon notice that your files are already gone. Unfortunately, there might be no methods to get them back – unless you have a backup copy stored on an external drive. Also, it seems like RedEye can’t affect files that are stored on a network drive, so all files stored on shared folders should be ok.

Also, you will immediately notice that your desktop wallpaper is changed to a scary version of Mona Lisa and now looks like this:

Even though the virus claims that it has the technology to encrypt files by employing ‘AES-256’ cryptography algorithm, we highly doubt it. Further investigation revealed that the virus simply wipes existing files and replaces them with blank ones, only with “.RedEye” extension. It might be a cheap attempt to trick some of the users and force them to pay a ransom, even though this won’t solve anything.

Ransom note of the RedEye virus

This infection also features a well-crafted ransom note that will be automatically opened after the computer is restarted. The original message of the ransom note:

All your personal files has been encrypted with an very strong key by RedEye! (Rijndael-Algorithmus – AES – 256 Bit)
The only way to get your files back is:
The only way to get your files back is:
– Go to hxxp://redeye85x9tbxiyki.onion/tbxlyki – Enter your Personal ID and pay 0.1 Bitcoin to the address below! After that your need to click on “Check Payment”. Then you will get a special key to unlock your computer.
You got 4 days to pay, when the time is up, then your PC will be fully destroyed!

You will be suggested to pay 0.1 Bitcoins in order to receive a special key that will allow you to unlock your files. However, we already mentioned that your files are gone forever at this point, thus there is no reason to pay the ransom.

Also, there is a countdown clock that states to completely destroy your computer after 4 days. Unfortunately, this feature is not fake and it will definitely remove your operating system. After that, you will experience a ‘blue and you will be no longer able to boot up your system.

There is a functioning button that can do that instantly too – do not click that, it’s not a joke.

How to solve RedEye ransomware problem

Sadly, your files are most probably gone forever. However, if you have a backup copy stored on an external drive or cloud, you can restore your files from there. Also, there is an option to use some kind of file recovery tool – there are plenty of free ones online.

Besides that, you definitely need to remove RedEye from your computer. The ultimate way to do that is to scan your computer with reliable anti-malware application, such as Spyhunter. Either one of those programs should detect and remove RedEye malware. In case the virus blocks the installation of those programs, you can choose alternative anti-malware software from our reviews section.

For more detailed instructions please check removal guide below.

Automatic Malware removal tools

How to recover RedEye ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP

• Start → Shutdown → Restart → OK.
• Press F8 key repeatedly until Advanced Boot Options window appears.
• Choose Safe Mode with Command Prompt.

for Windows 8 / 10

• Press Power at Windows login screen. Then press and hold Shift key and click Restart.
• Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
• When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

 

2.Restore System files and settings.

• When Command Prompt mode loads, enter cd restore and press Enter.
• Then enter rstrui.exe and press Enter again.
• Click “Next” in the windows that appeared.
• Select one of the Restore Points that are available before RedEye ransomware has infiltrated to your system and then click “Next”.
• To start System restore click “Yes”.

 

Step 2. Complete removal of RedEye ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to RedEye ransomware. You can check other tools here.  

Step 3. Restore RedEye ransomware affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually RedEye ransomware tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.

b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover RedEye ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

• We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
• Download a data recovery program.
• Install and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.