Redmat Ransomware | How to Remove it from your system?

Understanding Redmat Ransomware

Redmat Ransomware is a nasty variant of the STOP File-Encrypting Virus that has recently been discovered. Just like other variants, Redmat has been developed to generate illicit revenue by extorting ransom from the victims.

This clan of the Ransomware is considered as the most wide-spread malware as it uses multiple spread channels & methods. One of the prime distribution methods of Redmat Crypto Virus is Spam E-mail Campaigns.

Once the system is infected, Redmat searches every nook & corner of the system for the targeted files. Upon locating the files, it encrypts them by adding .redmat extension to the file names. Hence, it renders the files unusable to the users.

The files once encrypted by stop redmat Ransomware cannot be restored easily. Decrypting the files need a unique private key that is stored on the hacker’s server.

In order to get the decryption key, the victims are required to pay hefty amount to the hackers as ransom.

Cyber Security analysts have found that paying the ransom doesn’t always yield positive results. On receiving the ransom, hackers often tend to avoid the victims.

Threat Summary

Name	Redmat
Type	Ransomware
Category	Malware
Operating System Impacted	Windows
Targeted Browser	Google Chrome, Internet Explorer, Mozilla Firefox

 

Threat Behavior of Redmat Ransomware

The variants of the infamous STOP DJVU Ransomware seem a hard cookie for the cyber-security analysts to crack. New variants of STOP Ransomware Family seem to be popping up every now & then.

Redmat Ransomware is one such variant of Stop Ransomware Clan that is infecting a large number of systems across the world at a large scale.

The chief spread methods of redmat crypto-virus infection includes spam e-mail campaigns, online advertising & fake software downloads/updaters.

Upon infecting the system, Redmat searches the victim’s system for targeted files. These may include:

• Document files
• Audio Files
• Video Files
• Backup Files
• Images

Once targeted files are located, redmat uses highly complex Cryptography methods such as RAS & AES to encrypt the files. The encrypted files are appended by .redmat extension, & hence made inaccessible to the user.

For Example; a file named “spreadsheet.xls” might be renamed as “spreadsheet.xls.redmat”.

Redmat Ransomware is also capable of contacting with its Command & Control Server from the victims system. It downloads & updates additional files on the victim’s PC & strengthens its grip on the system.

The main motive of the Redmat developers is to swindle the innocent users & extort money from them. Once the files are encrypted, a ransom-demanding message in a text format is dropped in every folder containing .redmat files.

Details of the Ransom Note for Redmat & Hacker’s Response

The ransom note prompts the user that paying the ransom is the only way to restore the encrypted data. A unique private key, stored at the hacker’s server, is required to restore the data. In order to purchase the decryption key, the victim is required to a handsome amount to the hackers as ransom (in bitcoins).

The Amount demanded by the hackers remains same for all the STOP Ransomware variants ($980 in bitcoins). The note further states that the victims that contact hackers within 72 hours of the encryption can access 50% discount on the ransom amount ($490).

In addition to that, the hackers offer to decrypt one encrypted file free of cost. Users are asked to send any one encrypted file to the hackers via e-mail on [email protected] or [email protected]. The decrypted file is sent then sent back to the victim as a guarantee of decryption.

Please note that these claims are mere tricks to take the users into thinking that the decryption of files is possible.

Fearing to lose the data, many victims often contact hackers & pay the Ransom Amount. However, paying the ransom may not always help in getting the data back. Hackers often avoid responding victims after the amount has been received. This way, the victims lose their data permanently.

Therefore, users are advised to abolish any encouragement to contact hackers & pay the ransom. Be vigilant & do not let the hackers extort money from you.

Backing up data on an external storage device regularly & being careful while using internet may help in preventing Redmat infection.

Distribution Techniques of Redmat Ransomware

According to security analysts, hackers behind Redmat Ransomware are employing common internet services for its propagation. These include Spam E-mail Campaigns, Software Downloads & Pop-up Adverts.

Hackers send infected e-mail attachments such as invoices, bills, credit card scores & discount coupons to the targeted devices. The e-mails appear legitimate as these are sent with the names of legit companies such as PayPal or FedEx.

Clicking on these e-mails may install Redmat Ransomware on the user’s PC.

Other spread techniques used by the hackers include:

• Online Advertising
• Torrent Websites/ Adult-content Websites/ malware-laden suspicious websites
• Third-party software updaters/download sources
• Software Bundling
• Malicious Ads/Luring Discount Coupons.
• Peer-to-Peer Networks
• Freeware download websites/ Free file-hosting websites

How to Remove Redmat Ransomware infection from the system

STEP A: Reboot Your system to Safe Mode with Networking

To restart the system to Safe Mode with Networking,  if already switched ON then follow the below steps:

Windows 7/ Vista/ XP

1. Click on Windows icon present in the lower left corner of the computer screen.
2. Select and click  Restart.
3. When the screen goes blank, Keep tapping  F8  Key until you see the Advanced Boot Options window.
4. With the help of arrow keys on keyboard, Select Safe Mode with Networking  option from the list and press the Enter Key. The system will then restart to Safe Mode with Networking.

5 Click on the username and enter the password (if any).

Windows 10 / Windows 8

1. Press and hold the Shift Key and simultaneously click on the windows icon present in the lower left corner of your computer screen.
2. While the Shift key is still pressed click on the Power button and then click on Restart.
3. Now select Troubleshoot → Advanced options → Startup Settings.
4. When the Startup Settings screen appears which is the first screen to appear after restart, select and click on Enable Safe Mode with Networking. The system will then restart to Safe Mode with Networking.
5. Click on the username and enter the password.

STEP B: Delete the suspicious file from Configuration Settings

1. Type “Regedit” in search box / Run Box, select it and press Enter.
2. An authorization dialog box will appear, then you just have to click “Yes”. (The dialog box appearance may vary depending on OS used. For Windows 10 the the dialog box looks like the first screenshot and for windows 7 it appears like the second screenshot)
3. In the registry editor, take the backup of the current registry settings before making any changes in case you want to revert to old settings later. For this, Click on File option in the menu and select Export. Save the entry at a known location.
4. From the Menu, Click Edit and Select Find.
5. Enter Redmat Ransomware and click OK in the search box.
6. Select and delete suspicious  enteries.

STEP C: Remove malicious file from Command Prompt

Once the system starts, ensure to use an account with administrative privilege to access Safe Mode with Command Prompt.

After the user enters admin credentials, Command prompt window is displayed wherein you are entitled to enter the below commands:

1. Type the command “sc delete Redmat Ransomware” in the command prompt and press Enter.
2. Type “exit” to exit the command prompt and restart the system in safe mode with command prompt.

STEP D: Restore the system files & folders

Method 1 using Control Panel

1. Click on the ‘Start’ button on the taskbar. This will open the Start menu.
2. Click on the ‘Control Panel’ button in the Start menu. This will open the control panel window.
3. In the Control Panel window, click on the ‘View by:’ button on the top right. Select the Large Icon option
4. In the control Panel window click on the ‘Recovery Icon’. This will open a window that will ask ‘Restore the computer to an earlier point in time’.
5. Click on the ‘Open system restore’ button. This will open the ‘system restore ’window where you need to click on the Next Button.
6.  Select the restore point that is prior the infiltration of Redmat Ransomware. After doing that, click Next.
7. This will open the ‘Confirm your restore point’ dialog box. Click on Finish button. This will restore your system to a previous restore point before your system was infected by Redmat Ransomware.

OR

Method 2 using Command Prompt

1. Type cmd in the search box and click on the command prompt to open the Command Prompt window. box and clicking on it.
2. Once the Command Prompt window shows up, enter cd restore and click Enter.(Ensure that you in the system32 directory of Windows folder in C Drive)
3. Now type rstrui and press Enter again.
4. When a new window shows up, click Next and select your restore point that is prior the infiltration of Redmat Ransomware. After doing that, click Next.
5. This will open the ‘Confirm your restore point’ dialog box. Click on Finish button. This will restore your system to a previous restore point before your system was infected by Redmat Ransomware.

OR

Method 3 : Directly type ‘rstrui’ in the search box

1. Type ‘Rstrui’ in the search box present on the task bar. This will open the System restore dialog box.

Continue to follow steps 4 & 5 of Method 2 to restore the System Files and settings.

How to prevent Redmat Ransomware from infecting your system

1. Keeping the Operating System Updated- In order to remain protected and avoid such infections, it is recommended to keep your Operating System updated by enabling the automatic update on your system. The systems with outdated or older versions of Operating System become an easy target for the attackers.
2. Resist clicking on spam emails – One of the major techniques used for malware distribution is forwarding spam emails to the user. The system gets infected as soon as the user clicks on the attachment. These mails appear to be genuine, so be aware and resist falling for these tricks.
3. Keep an eye on third party installations- It is quite important that you take due care while installing any third party applications for they are major source of such infections. Such malware programs come bundled with the free applications thereby requiring the user to remain cautious.
4. Regular periodical backup- In order to keep your data and files safe, it is recommended to take regular back up of all your data and files either on an external drive or cloud.
5. Use Anti-Virus Protection- We strongly recommend the use of antivirus protection/internet security in your PC like 360 Total Security, Kaspersky and Vipre  so that it remains safe.
6. Enable the Ad Blocker/Popup Blocker in your browser- Enabling the popup blocker/ ad blocker in your chosen browser will help you to stay protected from annoying adware.