RekenSom ransomware

RekenSom ransomware – a crypto-malware asks for 0.015 BTC for file redemption

RekenSom ransomware
RekenSom ransomware is a file locking virus that is still in a development

RekenSom ransomware
RekenSom ransomware is a file locking virus that is still in a development

RekenSom ransomware, otherwise known as Ghack ransomware, is a file locking virus that was first spotted by security researchers in mid-March 2020. Just like any other malware of such type, it will encrypt pictures, videos, documents, and other data on the host system with the help of a strong encryption algorithm (AES and RSA)[1] and then demands a ransom for the decryption tool that would allow victims to access it once again. Besides adding an extension, the RekenSom virus also scrambles the names of files, making them unrecognizable.

Currently, there are two different versions of RekenSom ransomware – ope appending .RekenSom extension, while the other one – .som (in some cases, the malware will also delete files instead of encrypting them). After the data locking process, it will drop a pop-up window named “Form1,” which informs victims that they need to pay 0.015 Bitcoin in order to recover access to their data. Instead of providing an email address, cybercriminals behind RekenSom ransomware instead use Telegram for communication purposes (@Rekensom).

Name RekenSom ransomware
Type File locking virus, crypto-malware
Family  Cute/MyLittleRansomware > KRider
Encryption method

All non system files and non executables are appended in different ways, depending on version:

  • [randomstring].RekenSom
  • Encrypted[number_of_dashes].som
Related files Reken.exe, FinalReken.exe, GHack.exe, WindowsFormsApplication8.exe, secretAES.txt, secret.txt, sendBack.txt
Ransom note  First few samples of malware did not include a ransom note or showed a pop-up including just a numpad. The most recent variant (.som) delivers a pop-up window called “Form1” which explains the situation to victims in detail
Contact In the ransom note, crooks ask users to first pay the ransom and then contact them via Telegram @Rekensom
Ransom size 0.015 Bitcoin. According to crooks, if this payment will not be performed within 24 hours, decryption key will be deleted 
Bitcoin wallet 1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX
Data recovery  Without backups, there is not a safe and 100% working method of data recovery. Paying cybercriminals is very risky, as they might never deliver the required decryption tool. You can find alternative approaches that might be able to help you to retrieve access to at least some of your files below. Before you attempt this, ensure you make a copy of all the locked data
Malware removal  To get rid of the infection, you should scan the machine with powerful anti-malware software
System fix In case Windows is malfunctioning after you eliminate the malware, repair virus damage with Reimage Reimage Cleaner Intego

While there is no RekenSom ransomware decryptor currently available that would help you recover your files for free, you should not rush to pay the ransom or contact the criminals. It is yet unclear what type of cybercriminals are behind this strain and whether they are willing to provide the required decryption tool after the payment is made. Instead, you should remove RekenSom ransomware and then attempt to retrieve your files using different methods that we list in our recovery section below.

If RekenSom ransomware removal is not performed, your data will be encrypted repeatedly. Nevertheless, it is also important to make a copy of files that were affected by malware first, as any type of action might permanently damage them. As for termination of the virus, you can employ anti-malware tools that recognize the infection under the following names:[2]

  • Generic.Ransom.Hiddentear.A.5F086186
  • MSIL.Trojan-Ransom.Cute.B
  • Ransom:MSIL/Rekensom.AA!MTB
  • HEUR:Trojan-Ransom.MSIL.Encoder.gen
  • Win32:Trojan-gen
  • A Variant Of MSIL/Filecoder.BQ, etc.

In case RekenSom ransomware termination affected your computer in negative ways, and you are experiencing lags, crashes, random reboots, BSODs, and similar issues, use repair software Reimage Reimage Cleaner Intego to fix virus damage at once.

RekenSom ransomware detection rate
RekenSom ransomware can be stopped with the help of many powerful anti-malware programs

RekenSom ransomware detection rate
RekenSom ransomware can be stopped with the help of many powerful anti-malware programs

RekenSom was still in development

It is believed that RekenSom ransomware stems from an old malware family – KRider, although its initial actions pointed at the fact that it was still under active development. First samples of the malware that were spotted in the wild did not provide any ransom note. Later on, cybercriminals added a lockscreen that would only include a number pad – allegedly where some type of code should be inserted. Nevertheless, no contact info was provided, so there was no way of finding out what the password was. Additionally, the first few samples of the RekenSom virus only encrypted data on the desktop.

Typically, ransomware uses a secure encryption algorithm (either symmetric or asymmetric, or a combination of those) to lock all data on the device, and assigns each victim with a unique ID. This identifier is then sent over to the Command $ Control server, along with the decryption key that is needed to unlock files. RekenSom ransomware failed to contact its servers and deliver the key at first.

Finally, with the .som variant of RekenSom ransomware, a meaningful ransom note was found – named Form1. It informed users that their files have been encrypted with the RSA-2048 algorithm and that users only have 48 hours to deliver the payment of 0.015 BTC to the attackers. The ransom note states:

What happened to my files?
Your personal files, including your photos, documents, videos and other important files on this computer, have been encrypted with RSA-2048, a strong encryption algorithm. RSA algorithm generates a public key and a private key for your computer. The public key was used to encrypt your files a moment ago. The private key is necessary for you to decrypt and recover your files. Wm, your private key is stored on our secret Internet server. And there is no doubt that no one can recover your files without your private key.

How to decrypt my files?
To decrypt and recover your files, you have to pay 0.015 BTC (Bitcoin) for the private key and decryption service. Note that you ONLY have 24 hours to complete your payment. If your payment is not completed within time limit, your private key will be deleted automatically by our server. All your files will be permanently encrypted and nobody can recover them. Therefore, it is advised that you’d better not waste your time, because there is no other way to recover your files except making a payment

How to pay for my private key?

How to pay for my private key There are three steps to make a payment and recover your files.
1. For the security of transactions, all the payment must be completed via Bitcoin network This, you need to exchange some money to 0.015 Bitcoin, and then send it to the following receiving address:

For futher information about BTC, please refer to the net “Payment Tab”.
2. After making a payment with BTC, please send your personal ID to out TELEGRAM: @Rekensom

Your personal ID:

3. You will recieve a decrypt key to recover all your files
please keep checking your TELEGRAM.



WARNING: If you close this window your files will be deleted for ever.
just warning you

As evident, crooks claim that the decryption key will be deleted if the demands are not fulfilled in time – this tactic makes users act more quickly rather than think of other methods of retrieving data. Indeed, currently, there is no decryption tool that would recover data locked by RekenSom virus for free, but paying criminals is very risky. Hence, try using alternative methods we provide below instead.

RekenSom ransomware virus
RekenSom ransomware is malware that uses AES + RSA to lock all files on the infected system

RekenSom ransomware virus
RekenSom ransomware is malware that uses AES + RSA to lock all files on the infected system

Before encrypting files, RekenSom ransomware also performs a variety of changes to the Windows machine, such as modifications to the registry database, deletion of Shadow Volume Copies, insertion of malicious files, etc. In fact, the malware has a module that allows the attackers to steal information from the computer. Thus, never type anything or visit online banking, social media, or similar sites that require you using your personal details, as they could be stolen by cybercriminals behind RekenSom.

Threat actors can employ multiple different methods to deliver ransomware to victims

Malware delivery methods vary – it highly depends on the business model operated by crooks. For example, one of the most prominent ransomware families Djvu is distributed via software cracks and pirated software installers exclusively – it manages to infect hundreds of users daily. In the meantime, other strains such as Nemty/Nefilim or Dharma use multiple attack vectors[3] to infect victims worldwide.

Since new ransomware samples emerge almost every day, it is not always known what the main distribution tactic is. Therefore, to protect yourself from the most devastating malware type around, keep in mind the following things:

  • Watch out for spam emails – attachments or obfuscated hyperlinks may be infectious so ensure that the email is legitimate first;
  • Equip your computer and networks with reputable anti-malware software with real-time protection feature;
  • Patch your operating system and the installed programs as soon as the updates are released;
  • Use strong passwords to protect your accounts – especially Remote Desktop connection (while using it, employ a VPN);
  • Never download software cracks/keygens/loaders, etc.;
  • Backup your most important files regularly – this could prevent most of the negative consequences of the infection!

Finally, the most important thing is to be careful and act responsibly when browsing the web and checking the email. If in doubt – do not enter the site, do not click on links, and seek help on tech forums or security blogs instead.

Terminate RekenSom virus infection and only them attempt to recover data

Malicious actors behind the RekenSom virus claim that you will not be able to recover data if you close the pop-up window “Form1” that shows the timer. Therefore, it is important not to perform any actions before copying the encrypted data over to a secure environment where the malware will no longer be capable of destroying it. Thus, use a USB flash driver or a virtual drive like Dropbox to make a copy of your files. Then, proceed with RekenSom ransomware removal (note that this is only applicable to victims that do not have backups to recover data from).

RekenSom ransomware encrypted files
To recover data encrypted RekenSom virus, crooks ask to pay 0.015 Bitcoin

RekenSom ransomware encrypted files
To recover data encrypted RekenSom virus, crooks ask to pay 0.015 Bitcoin

To remove RekenSom ransomware from your machine, you should employ a reputable anti-malware program of your choice. In case the virus is tampering with it, access Safe Mode with Networking and perform a scan from there – you can find the instructions on how to do that below. Finally, use alternative methods to recover your data, although keep in mind that they might not always be successful, unfortunately.

Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.

This entry was posted on 2020-03-19 at 07:16 and is filed under Ransomware, Viruses.