Rektware ransomware - How to remove

On September 14, 2018, a new cryptovirus called Rektware ransomware (or PRZ ransomware) was reported on Twitter by Serbian security researcher GrujaRS. In the post, the malware expert also included a live demonstration of a Rektware infection, which showed some interesting features as well as its remorseless file locking and ransom note display. At the moment there is not much information about Rektware’s origin, creators or distribution locations, yet the data collected so far is sufficient to help victims clean their systems of the Rektware/PRZ virus and possibly save their locked files.

You may have already heard of the LIGMA, .good, EOEO and Pottieq viruses, which are very similar crypto infections that work on the same basic principle as Rektware ransomware. They lock all user files that are not system files and demand a ransom from the infected user. Usually, malware like this differs only by name, encryption method and the extension added to the locked files, but Rektware ransomware does not seem to be a typical case. If you want to learn more about this crypto infection and the best ways to remove it, please continue reading this article.

How does the Rektware/PRZ ransomware work

Rektware, or the PRZ virus, appears to be a newly developed, separate crypto infection rather than a copy of an open-source ransomware template like Hidden Tear. There is a good chance that Rektware ransomware is still in development, judging by some technical features and by the ransom note, which is rather short and not very informative. This could be false, but paying the crooks should still not be your chosen solution, because it allows them to invest in making the Rektware virus more malicious.

Once inside the system, Rektware ransomware goes straight to the Windows registry and modifies keys so that it persists and survives even if you restore your PC. Then it adds itself to other system directories so that antivirus does not interfere with its further malicious actions, and starts looking for personal files such as pictures, documents and videos, which are precious to the victim and can be encrypted without damaging the computer. This selection of personal files is based on the idea that the victim should still be able to use the same computer to pay the ransom.

Then the Rektware virus starts encrypting with an AES/RSA algorithm and appends an extension that is unique for every user (for example .2PWo3ja or .CQScSFy) to the locked documents, so that the user can see which files are affected. This is an interesting feature that is unusual for ransomware, because other crypto-demanding viruses use the same extension for every file and user. Once the encryption is done, which takes no more than a minute, Rektware ransomware drops a file called FIXPRZT.PRZ on the desktop and opens the ransom note.
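
The two traits described above, a per-victim appended extension and the FIXPRZT.PRZ note, are enough to inventory the damage on a drive attached to a clean PC. The Python script below is an added example, not part of the original guide or of any removal tool; the 7-character extension pattern and all function names are assumptions based only on the two sample extensions quoted above.

```python
import os
import re
import sys
import tempfile
from collections import Counter
from pathlib import Path

NOTE_NAME = "FIXPRZT.PRZ"  # ransom note file name given in the article
# Assumption: the per-victim extension is a dot plus 7 alphanumerics, inferred
# only from the two samples quoted in the article (.2PWo3ja, .CQScSFy).
RANDOM_EXT = re.compile(r"^\.[A-Za-z0-9]{7}$")
# Constructed sample tree (empty files), used when no path is given.
SAMPLE = ["Desktop/FIXPRZT.PRZ", "Documents/report.docx.2PWo3ja",
          "Pictures/cat.jpg.2PWo3ja", "Pictures/dog.png.2PWo3ja",
          "Downloads/linux.iso.torrent", "Documents/notes.txt"]

def build_sample(root):
    """Create the constructed sample tree under root and return root."""
    for rel in SAMPLE:
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.touch()
    return root

def inventory(root):
    """Return (ransom note paths, files carrying a candidate appended extension)."""
    notes, candidates = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath, name)
            if name.upper() == NOTE_NAME:
                notes.append(path)
            # An appended extension leaves the original in place: cat.jpg.2PWo3ja
            elif len(path.suffixes) >= 2 and RANDOM_EXT.match(path.suffix):
                candidates.append(path)
    return notes, candidates

def likely_extension(candidates, min_files=3):
    """Most frequent candidate extension, or None if fewer than min_files share it.
    Frequency filters out rare legitimate matches such as linux.iso.torrent."""
    top = Counter(p.suffix for p in candidates).most_common(1)
    return top[0][0] if top and top[0][1] >= min_files else None

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo:  # unused if a path is passed
        root = sys.argv[1] if len(sys.argv) > 1 else build_sample(demo)
        notes, candidates = inventory(root)
        print("ransom notes:", [str(n) for n in notes])
        print("appended extension:", likely_extension(candidates))
```

The walk only reads file names, so it does not alter the encrypted files you may want to keep for a future decryptor.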

The ransom note only gives the email of Rektware’s developers and gives no insight into how much the ransom could be (it can range from several hundred to several thousand dollars in cryptocurrency). Furthermore, it says that if the victim contacts the hackers (which we still do not recommend), files will be restored for free:

ContactID: MG9r9awS9V Send E-mail: [email protected]


All in all, despite these small differences, Rektware ransomware is, according to VirusTotal, still detected as a threat by many antivirus security tools, and you want to avoid it at all costs. Don’t forget to take a look at our Ultimate guide to protect your system from ransomware viruses and watch the video to see the whole Rektware virus infection process in practice.

How does Rektware virus spread

Because the virus was discovered just yesterday, not much is known about all of its possible spreading methods, except for the one by which the Rektware virus was caught: bogus emails with malicious links and attachments. This method is common to all ransomware, since it does not require high-level technical knowledge or extra time, yet crooks can get really creative with the socially engineered messages that carry the malware.

The basic idea is to create a believable message that will make the potential victim follow a hyperlink or open the attached document file. Rektware ransomware actors can pretend to be from a bank, hospital, government agency or client, stating that there is some issue that needs your immediate attention and that you must open the .doc/.docx file for more information.

The MS document is where the virus executable hides. You won’t be able to see the file unless you enable macros, which is a legitimate feature and not an exploit, so your antivirus will not detect the malevolent file that you just downloaded as a threat. If you do enable them, you will soon have all your precious files locked. This technique is also used because it can easily bypass the system protection of corporate computers, so crooks can aim for larger ransoms. (Microsoft)

How to remove Rektware virus fast and restore encrypted files

The fastest and most reliable way to remove the Rektware virus without losing all your precious files is to download a malware removal tool like SpyHunter or Malwarebytes and run a full system scan, trusting the issue to an automatic anti-spyware tool. You will save time and stay stress-free while these security tools wipe Rektware ransomware from all the directories where it planted its malicious leftovers. Moreover, additional viruses that may be weakening the system’s protection will be deleted as well.

Only after the full removal can you start recovering your locked data, or else the virus will be activated again and will encrypt whatever you manage to restore. At the moment there is no decryption tool yet, but the team is sure that one will be developed very soon, since malware researchers are keeping up with crooks rather well. Meanwhile, you can try unlocking personal data with the file recovery programs mentioned in the instructions below or from Shadow copies. If that does not work, just keep your encrypted files stored and keep looking for decryptor updates.


How to get rid of Rektware ransomware without antivirus

If a security tool is not something you are looking for and you want to try saving your PC from the Rektware virus immediately, you can try our instructions below. We cannot promise that they will work as effectively as the automatic removal, but you have a pretty good chance of restoring your system, especially if you create regular backups.

How to recover Rektware ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points created before PRZ ransomware infiltrated your system and then click “Next”.
  • To start System restore click “Yes”.

Step 2. Complete removal of Rektware ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to PRZ ransomware.

Step 3. Restore Rektware ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually PRZ ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, the ransomware may fail to delete them. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Rektware ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a slave drive. It is still possible to do this on the infected PC though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.
