
Remk Ransomware

By GoldSparrow in Ransomware

A new ransomware threat has been spotted in the wild – the Remk Ransomware. This newly uncovered data-locking Trojan belongs to the family of the infamous STOP Ransomware. The STOP Ransomware family was the most active family of this class in 2019, with cyber crooks developing and releasing more than 200 copies of this threatening Trojan.

Propagation and Encryption

It is not known with full certainty how users’ systems are getting infected. Malware experts suspect that the authors of the Remk Ransomware may be using an array of propagation methods – spam emails containing macro-laced attachments, bogus pirated copies of commonly utilized software, mass malvertising campaigns, torrent trackers, fraudulent application updates and downloads, etc. The Remk Ransomware is likely programmed to go after a long list of file types – .jpg, .jpeg, .png, .gif, .pdf, .doc, .docx, .ppt, .pptx, .xls, .xlsx, .rar, .mp3, .mp4, .mov and many others. It is therefore unlikely that the Remk Ransomware will leave many files unaffected. The more files a ransomware threat encrypts, the more likely it is that the user will give in and pay the sum demanded by the attackers. To lock the targeted data, the Remk Ransomware applies an encryption algorithm. After the encryption process has been completed, users may notice that the Remk Ransomware has changed the names of their files. This is because this Trojan adds a new extension to the names of the locked files – ‘.remk’. This means that a file originally called ‘camo-jacket.jpg’ will be renamed to ‘camo-jacket.jpg.remk’.

The Ransom Note

The Remk ransomware is a nasty virus to find on your computer. It infects computer systems when the file it hides in is accessed. Criminals are adept at tricking people into downloading and accessing ransomware by putting them inside cracked pirated software, key generators, and the like. Remk is installed on a computer once the victim runs the associated file.

Once Remk infects a computer, it encrypts files on all drives on the computer – and on connected devices. The encryption uses a robust algorithm to make it more challenging to crack. Before encrypting, it connects to its Command-and-Control (C&C) server to obtain an online key, so the key needed to decrypt the files is unique to each infected device. If it is unable to connect, it falls back to a generic offline key. The offline key is the same for all devices, and security researchers have replicated it to help unlock files encrypted with it.

Given how many files are on the average computer, Remk has to work fast. It does this by encrypting only the first 154 KB of each file instead of the entire file. Some files aren’t encrypted, such as system files. Any other kind of file could be encrypted no matter its location on the computer. Even files stored in the cloud are at risk.

The following is a list of all the file types affected by Remk:

.wsc, .wma, .icxs, .itl, .xlgc, .png, .accdb, .ybk, .m2, .xbdoc, .rtf, .lbf, .3ds, .xls, .cas, .wp6, .z3d, .vpk, .map, .odm, .dwg, .pdd, .xlk, .ff, .arch00, .vdf, .ztmp, .big, .pdf, .vpp_pc, .1, .1st, .wbmp, .dazip, .ai, .kdc, .xwp, .xf, .qic, .zi, .2bp, .xlsm, .x3d, .docx, .wm, .snx, .mdbackup, .jpe, .wp4, .wps, .jpg, .mlx, .bc6, .dbf, .menu, .bkf, .psd, .mdf, .wbm, .ntl, .blob, .zdb, .epk, .mp4, wallet, .pef, .t12, .psk, .wpb, .odp, .wpd, .wcf, .rar, .pst, .jpeg, .layout, .wps, .mdb, .sis, .dng, .sidn, .mrwref, .itm, .ltx, .ws, .wn, .csv, .der, .wri, .wgz, .wpl, .gho, .wmo, .3dm, .pkpass, .x3f, .sql, .desc, .bar, .doc, .xls, .re4, .indd, .ysp, .mov, .erf, .vtf, .zip, .wav, .itdb, .sie, .ibank, .crw, .r3d, .xlsm, .ptx, .xld, .7z, .lvl, .wb2, .ppt, .sidd, .avi, .mpqge, .y, .vcf, .kdb, .txt, .iwd, .rwl, .pak, .srw, .litemod, .flv, .sav, .tax, .wdb, .x, .xpm, .xx, .esm, .docm, .d3dbsp, .asset, .ods, .dxg, .xlsb, .syncdb, .xdl, .wpe, .zw, .sr2, .wma, .zabw, .slm, .0, .bay, .srf, .p7b, .xxx, .tor, .xyw, .py, .wmv, .wp5, .lrf, .svg, .db0, .xlsx, .rw2, .yml, .wire, .forge, .zdc, .hkx, .cer, .z, .crt, .rim, .wdp, .wbc, .wp7, .xyp, .rofl, .mcmeta, .mef, .arw, .odc, .dcr, .p12, .orf, .wbk, .wpa, .xy3, .xll, .wmv, .yal, .pfx, .pptx, .wp, .wbd, .sum, .m4a, .p7c, .wpt, .nrw, .sid, .upk, .das, .hkdb, .bsa, .wsh, .zif, .wbz, .pem, .hvpl, .bkp, .3fr

The encrypted files have their names changed and are assigned the ‘.remk’ file extension. The ransomware drops a ransom note into every folder containing encrypted files. It also places one on the desktop.

The ransom note reads:

ATTENTION!
Don't worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
hxxps://we.tl/t-KuTq0Kujnj
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.

To get this software you need write on our e-mail:
helpdatarestore@firemail.cc
Reserve e-mail address to contact us:
helpmanager@mail.ch
Your personal ID:
0214OIQuhkjdbK0bVFl9VRxUFwnn1EWnc06xYbQdDOSc4J7ln6bX

The next step of the attack is the dropping of the ransom note. The Remk Ransomware’s note is stored in a file called ‘_readme.txt’. In the ransom message, the attackers outline several main points:

  • The user can send one file that will be decrypted for free, provided that it does not contain any important data.
  • The authors of the Remk Ransomware demand to be contacted via email – ‘helpdatarestore@firemail.cc’ and ‘helpmanager@mail.ch’.
  • Users who contact the attackers within 72 hours of the attack will be required to pay $490.
  • Users who fail to get in touch with the creators of the Remk Ransomware before the previously mentioned deadline will have to pay double the price, $980.

There is no point in trying to bargain or cooperate with the creators of the Remk Ransomware. Cybercriminals are not known for keeping their word, and you are not likely to get what you paid for. This is why you should use a legitimate anti-virus application to remove the Remk Ransomware from your computer. You can try to recover some of your data with the help of a third-party file-recovery application, but the results are not likely to be satisfactory.
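As an added triage example for responders (not code from the article or from any vendor tool), the Python below uses the figures given above: it recognises ‘.remk’ files, strips the extension to recover the original name, compares the entropy of the first 154 KB against the rest to tell whether the remainder of a large file was left untouched, and pulls the contact e-mails and personal ID out of a dropped ‘_readme.txt’ for an incident report. The HIGH_ENTROPY cut-off and the sample inputs in the demo are assumptions.

```python
import math
import re
from collections import Counter

# Figures taken from the article: the Trojan appends ".remk", encrypts only the
# first 154 KB of each file, and drops "_readme.txt" next to the files it locks.
ENCRYPTED_EXT = ".remk"
ENCRYPTED_PREFIX = 154 * 1024
HIGH_ENTROPY = 7.0  # assumed cut-off: bits per byte above this reads as ciphertext


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 8.0 is uniform random, text sits around 4 to 5."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def triage_file(name: str, data: bytes):
    """Describe one locked file (or None if the name lacks the Remk extension)."""
    if not name.endswith(ENCRYPTED_EXT):
        return None
    head, tail = data[:ENCRYPTED_PREFIX], data[ENCRYPTED_PREFIX:]
    return {
        "original_name": name[: -len(ENCRYPTED_EXT)],
        "head_entropy": round(shannon_entropy(head), 2),
        # A low-entropy tail means bytes past 154 KB were never touched, which
        # matters when deciding whether a large file is partly recoverable.
        "tail_intact": bool(tail) and shannon_entropy(tail) < HIGH_ENTROPY,
    }


def parse_note(text: str) -> dict:
    """Pull contact addresses and the victim ID out of a dropped ransom note."""
    m = re.search(r"Your personal ID:\s*(\S+)", text)
    return {
        "emails": sorted(set(re.findall(r"[\w.+-]+@[\w-]+\.[\w.-]+", text))),
        "personal_id": m.group(1) if m else None,
    }


if __name__ == "__main__":
    import os
    # Constructed sample: random "ciphertext" prefix followed by an untouched tail.
    print(triage_file("camo-jacket.jpg.remk", os.urandom(ENCRYPTED_PREFIX) + b"A" * 4096))
    print(parse_note("write on our e-mail:\nhelpmanager@mail.ch\nYour personal ID:\nEXAMPLE-ID\n"))
```

Run it over a copy of the affected tree, never the originals, and keep the report alongside the preserved ransom note.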
