
Retis Ransomware

By GoldSparrow in Ransomware

The Retis Ransomware is a ransomware Trojan that was first observed on December 19, 2017. The Retis Ransomware was designed to attack French speakers, although this does not prevent it from attacking computer users in other regions of the world. It appears to target small and medium businesses specifically. The Retis Ransomware is delivered to victims through phishing email messages with malicious attachments: Microsoft Word documents with malicious embedded scripts that download and install the Retis Ransomware onto the victim's computer.

How Your Computer will be Affected by the Retis Ransomware

The Retis Ransomware is designed to encrypt the victims' files using a strong encryption method. It targets user-generated files while avoiding the Windows system files. The file types that may be encrypted in these attacks include:

.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xqx, .zip.

The Retis Ransomware marks the files it encrypts by appending the file extension '.crypted' to the end of each file's name.

The Retis Ransomware's Ransom Demands

The Retis Ransomware will deliver its ransom note in the form of a PNG file named 'RANSOM.png' that is saved in the AppData directory after the encryption of the victim's files. The Retis Ransomware ransom note contains the following message in French:

'Votre bureau, vos photos, vos données et autres dossiers importants ont été chiffrés avec un algorithme fort et une clé unique générés pour cet ordinateur.
La clé secrète pour déchiffrer vos données est gardée sur un serveur d'Internet, et personne ne peut déchiffrer vos fichiers jusqu'à ce que vous payez pour l'obtenir.
Vous disposez d'un délai de 24 heures pour nous transmettre le paiement.
PASSÉ CE DÉLAI VOTRE CLÉ SERA SUPPRIMÉE OE NOS SERVEURS ET IL NE SERA PLUS POSSIBLE POUR VOUS OE RÉCUPÉRER VOS DONNÉES'

Below is the full text of the Retis Ransomware ransom note, translated into English:

'Your desktop, photos, data and other important files have been encrypted with a strong algorithm and a unique key generated for this computer.
The secret key to decrypt your data is kept on an Internet server, and no one can decipher your files until you pay to get it.
You have 24 hours to send us the payment.
PAST THIS TIME YOUR KEY WILL BE ABOLISHED BY OUR SERVERS AND IT WILL NOT BE POSSIBLE FOR YOU TO RECOVER YOUR DATA'

Unfortunately, it is currently not viable to restore the victim's files without the decryption key. Because of this, the best protection against the Retis Ransomware and similar threats is to keep file backups in places that the threat can't reach. The Retis Ransomware's ransom note does not make clear how the cybercrooks expect victims to contact them or report the payment, since it includes no email or messaging address. This is why PC security researchers suspect that the Retis Ransomware Trojan is currently in a test version, and that a full or updated version may eventually be released and used to carry out ransomware attacks in the wild.
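The two on-disk indicators described above (the appended '.crypted' extension and a 'RANSOM.png' file under AppData) can be checked during triage with a short script. This is an added example, not code from the original article; the sample directory tree is constructed, and the AppData subfolder used in it is an assumption because the article does not give the exact path.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

MARKER = ".crypted"        # extension the article says is appended to encrypted files
NOTE_NAME = "ransom.png"   # ransom note name from the article, compared case-insensitively


def triage(root):
    """Walk root and summarise the Retis artefacts described in the article."""
    encrypted, notes, by_type = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        rel_parts = [p.lower() for p in Path(dirpath).relative_to(root).parts]
        for name in files:
            path = Path(dirpath) / name
            lower = name.lower()
            if lower.endswith(MARKER) and len(lower) > len(MARKER):
                encrypted.append(path)
                # The marker is appended, so the original extension is still visible.
                original = Path(name[: -len(MARKER)]).suffix.lower() or "(none)"
                by_type[original] += 1
            elif lower == NOTE_NAME and "appdata" in rel_parts:
                notes.append(path)
    # Earliest modification time among marked files approximates when encryption began.
    first_seen = min((p.stat().st_mtime for p in encrypted), default=None)
    return {"encrypted": sorted(encrypted), "notes": sorted(notes),
            "by_type": dict(by_type), "first_seen": first_seen}


def build_sample_tree(root):
    """Constructed sample data: a fake user profile with benign placeholder files."""
    root = Path(root)
    layout = ["Users/alice/Documents/budget.xlsx.crypted",
              "Users/alice/Documents/report.docx.crypted",
              "Users/alice/Documents/notes.txt",
              "Users/alice/Pictures/RANSOM.png",          # same name, outside AppData
              "Users/alice/AppData/Roaming/RANSOM.png"]   # subfolder is an assumption
    for rel in layout:
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"placeholder")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        result = triage(build_sample_tree(tmp))
        print(result["by_type"], [str(n) for n in result["notes"]])
```

The per-extension counts show which file types were hit and how many files need restoring from backup, and `first_seen` gives a starting point for lining the encryption up with mail and process logs.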
