RackCrypt virus Removal Guide

Do you know what RackCrypt virus is?

If RackCrypt virus manages to sneak onto your computer, it is quite likely that you can say goodbye to most of your personal and important files; unless, of course, you are experienced enough to keep a backup copy of all your files on an external drive. You may not be better off having a backup online, such as in a cloud storage service, because this malware might be able to access those files through the Internet and infect them as well. This infection is a dangerous Trojan ransomware that encrypts your precious files within a few minutes after it finds its way to your operating system. Seemingly, the only solution for you to recover your files is to pay the ransom fee that the cyber criminals behind this scam want to extort from you. However, we do not advise you to pay because malware specialists say that there is no guarantee that these criminals will deliver as promised. There is only one thing you can really do and it is to remove RackCrypt virus immediately.

According to our researchers, there are a couple of ways for this dangerous ransomware to slither onto your computer. It is possible, for example, that it is spread in spam e-mails as an attachment. Reports show that this infection may be disguised as a totally normal or even known file, such as firefox.exe, loader.exe, and smss.exe. But it is quite possible that you will simply find an image or video file in a spam e-mail that you click on and that will drop this Trojan onto your PC. It is also possible that the silent download is triggered by your clicking on a hyperlink embedded in the body of the spam e-mail. Therefore, it is essential that you avoid opening e-mails that come from unfamiliar senders and that you are not expecting. But you also need to be careful with opening e-mails from familiar senders because this infection might be able to pose as a legitimate entity, such as an institution or an authentic company. Cyber criminals have sophisticated ways to trick you into reading their e-mails and clicking on provided links and attachments. Therefore, utmost care should be taken any time you open your e-mails.

Another way for this Trojan to appear on your PC behind your back is through shady file-sharing websites. It is possible that you are looking for free movies or software to download and you end up on a questionable website. Clicking on any content there would be a mistake and also an explanation of how this malware may have shown up on your computer. These suspicious sites host a lot of misleading and potentially unsafe third-party ads that may pose as download buttons, for instance. It is possible that you download a whole bundle of malicious software installers by clicking on a corrupt link. In that case, this Trojan will only be one of the security issues you will have to face, but certainly the most dangerous one, too. Even if you think that you have lost all your personal files, you need to know that you must delete RackCrypt virus right now because, otherwise, you will not be able to use your computer safely.

Once this Trojan arrives, it copies the files it operates through into your %TEMP% folder. When everything has been set up, this ransomware starts its vicious encryption targeting all your documents, music files, photos, videos, and database files as well, including .doc, .docm, .docx, .jpe, .jpeg, .jpg, .js, .m3u, .m4a, .menu, .mov, .mp4, .mp3, .pptx, .psd, .ptx, .qic, .raw, .sav, .tor, .wmv, .wmo, .zip, .xls, .xlsm, .wall, .srf, .svg, .layout, .txt, .pdf, .mddata, and many more. This malware uses the AES-256 encryption algorithm, which is a built-in Windows encryption method; therefore, it usually only takes a few minutes to accomplish its mission. Of course, this is dependent on the number of files it targets and the performance of the user’s PC as well. Thus, the time can range from 10 seconds to 10 minutes or more.

When the job is done, this infection changes your desktop background and displays its own image with a message window on top. Here is the registry value name and data it uses: HKEY_CURRENT_USER\Control Panel\Desktop\Wallpaper "%Windows%\Web\Wallpaper\rack.jpg". From the message you will know that these criminals are even “sorry to tell you” that all your files on your PC have been encrypted using the “strongest AES-256 encryption algorithm.” Our researchers say that this may not be the strongest encryption, but it may be virtually impossible to decrypt without the decryption key. You are given 3 days to pay the ransom fee of around 480 USD (1.3 BTC), which you have to transfer to the given Bitcoin address. Although it is totally your decision what you do, we do not advise you to pay. It is quite possible that you will get no decryption key whatsoever in return for your $300. The most important lesson to learn with regard to Trojan ransomware is definitely the importance of having a backup copy of your files on an external drive. That copy could save you now and you could simply transfer all your files back to your PC after, of course, you remove RackCrypt virus.

In order to eliminate this dangerous Trojan ransomware, you need to restart your computer in Safe Mode with Networking. You have basically two options. First, you can remove all the files and Windows Registry entries this infection has created on your system. Second, you can launch your browser and download a reliable malware removal application, such as SpyHunter. After the installation, run a full-system scan and remove all infections this tool finds. Whichever option you choose, once you finish, restart your computer in Normal Mode. Please follow our guide below if you need help with this process. Keep in mind that this security software will also protect your computer from further malicious attacks. If you have any questions regarding the removal of RackCrypt virus, please leave us a comment below.

How to remove RackCrypt virus from Windows

Restart Windows in Safe Mode with Networking

Windows 8/Windows 8.1/Windows 10

  1. Tap Win+I and press the Power options icon.
  2. While pressing and holding the Shift key, click Restart.
  3. Select Troubleshoot and then Advanced Options.
  4. Choose Startup Settings.
  5. Press Restart.
  6. Press F5 to reboot the PC in Safe Mode with Networking.

Windows XP/Windows Vista/Windows 7

  1. Restart your PC and tap the F8 key.
  2. Select Safe Mode with Networking from the menu and hit the Enter key.

Option 1: Manual Removal

  1. Press Win+R and type in regedit. Hit Enter.
  2. Locate HKU\Administrator\mvpdata and delete this key.
  3. Locate HKCU\Control Panel\Desktop\Wallpaper, replace the value data "%Windows%\Web\Wallpaper\rack.jpg" with the path of a wallpaper of your choice.
  4. Exit the Windows Registry editor.
  5. Press Win+E.
  6. Locate the %TEMP% directory and delete the executable file this Trojan drops. This could possibly be named firefox.exe, loader.exe, or smss.exe.
  7. Restart your computer in Normal Mode.
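
Before deleting anything by hand, the traces listed in the steps above can be checked read-only. The PowerShell script below is an added example, not part of the original guide or of any removal tool; it assumes PowerShell 4.0 or later, and searching every loaded user hive for a subkey named mvpdata is an assumption made for the example (the guide lists the key as HKU\Administrator\mvpdata).

```powershell
# Read-only check for the RackCrypt traces named in this guide. Nothing is deleted.
$findings = @()

# 1. Wallpaper value pointing at rack.jpg (value name and file name come from the guide).
$desktop = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name Wallpaper -ErrorAction SilentlyContinue
if ($desktop -and $desktop.Wallpaper -like '*\rack.jpg') {
    $findings += [pscustomobject]@{
        Type = 'Wallpaper'; Item = $desktop.Wallpaper; Detail = 'HKCU\Control Panel\Desktop\Wallpaper'
    }
}

# 2. The mvpdata key. Assumption: look for a subkey with that name in each loaded user hive.
$hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue
foreach ($hive in $hives) {
    $candidate = "Registry::$($hive.Name)\mvpdata"
    if (Test-Path -LiteralPath $candidate) {
        $findings += [pscustomobject]@{
            Type = 'RegistryKey'; Item = "$($hive.Name)\mvpdata"; Detail = 'key named in step 2'
        }
    }
}

# 3. Executables in %TEMP% that use the disguise names the guide lists.
#    Genuine copies of these programs do not run from the temporary folder.
$names = 'firefox.exe', 'loader.exe', 'smss.exe'
$hits = Get-ChildItem -LiteralPath $env:TEMP -File -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $names -contains $_.Name }
foreach ($file in $hits) {
    # Record signature status and SHA-256 so the file can be identified later.
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $hash = Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256
    $findings += [pscustomobject]@{
        Type = 'TempExecutable'; Item = $file.FullName
        Detail = "signature=$($sig.Status) sha256=$($hash.Hash)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'None of the traces listed in this guide were found for the current user.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it from the affected user's session, since HKCU and %TEMP% are per-user; an empty result covers only the traces named in this guide.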

Option 2: Automated Solution

  1. Launch your browser and enter the following URL address: http://www.spyware-techie.com/download-sph
  2. Download and install SpyHunter.
  3. Run a full system scan.
  4. Remove all found malware infections.
  5. Restart your PC in Normal Mode.

In non-techie terms:

RackCrypt virus is a vicious Trojan ransomware that can infect your computer through spam e-mails, malicious websites, and freeware bundles as well. Once this malware is activated, it encrypts all your personal files, including documents, images, videos, music files, and databases. You can only recover these files if you get the decryption key, which is offered to you for $300 by the same crooks who are responsible for this Trojan. You are given 3 days to pay; otherwise, you will lose the chance to use your files again. It is important to have a backup of your files because in such a situation you can easily copy them back to your computer. However, it is essential that you first remove RackCrypt virus because your PC will not be secure unless this beast is gone. In order to clean your system, you should download and install a reputable antimalware application.