What is a Reco file? A file with the .reco extension is a file that has been encrypted by Reco ransomware that similar to other ransomware (like Kuub or Boot). These security threats are also known as crypto viruses that use a hybrid encryption method in order to block users’ files. It’s not possible to open the files by simply changing the file extension. The photos, documents and music will be decrypted only if victims pay for the special code key that will decrypt these files.
Getting to the user’s personal computer, the Reco ransomware starts searching for files in all folders and recursively, and after their detection, locks up each of them using very strong hybrid encryption with a large key that completely blocks them and leads to their dysfunction. This ransomware virus is capable of encrypting various files like video materials, archives, web application-related files, drawings, photos, database and documents, as well as its destructive effects can be subjected to backups. Reco ransomware virus locks up almost of files, including common as:
.vtf, .jpeg, .hkx, .epk, .sid, .mpqge, .lrf, .kf, .x, .webp, .wp5, .ppt, .iwi, .png, .zip, wallet, .wmf, .arch00, .qdf, .bar, .pem, .xml, .xlsb, .wotreplay, .mddata, .2bp, .odm, .wb2, .crt, .odt, .rar, .vfs0, .wbk, .slm, .wgz, .bsa, .pak, .zip, .xlsx, .vpk, .mlx, .apk, .7z, .rwl, .cas, .indd, .t13, .wpe, .bc7, .x3d, .pst, .cr2, .docm, .ncf, .wav, .wma, .lvl, .tor, .xyw, .doc, .wp6, .webdoc, .mdb, .hvpl, .3ds, .crw, .r3d, .wmd, .wps, .ibank, .ws, .wpb, .wsc, .ysp, .vdf, .odp, .ntl, .yal, .layout, .dmp, .xmmap, .zdb, .cfr, .icxs, .py, .zabw, .sb, .wp, .iwd, .itl, .hkdb, .wbc, .xls, .itdb, .hplg, .csv, .itm, .raw, .wps, .srf, .kdb, .sie, .odc, .cdr, .xbplate, .p7b, .dba, .orf, .svg, .wcf, .zw, .nrw, .dxg, .wpd, .wbmp, .yml, .pfx, .pdd, .xbdoc, .upk, .xmind, .mdf, .menu, .erf, .z, .arw, .wmv, .tax, .xlsx, .lbf, .xlsm, .ff, .litemod, .wbz, .wpa, .pef, .rb, .pkpass, .xx, .txt, .bik, .xar, .t12, .js, .ybk, .eps, .sis, .xdl, .3dm, .kdc, .3fr, .sidn, .wpd, .wdb, .rim, .zif, .ai, .jpe, .ltx, .wri, .pptm, .xls, .mrwref, .xpm, .forge, .avi, .dng, .qic, .asset, .0, .map, .dazip, .xf, .bkp, .wmv, .cer, .wpt, .w3x, .dwg, .1st, .m4a, .odb, .flv, .mef, .psk, .x3f, .rofl, .jpg, .xll
Once on the PC, the Reco ransomware completely blocks the photos, documents and music so that the victim can not open them. In this case, the only option to unlock the files is to pay a ransom to cyber criminals who are Reco authors and offer a key to decrypt all affected files. The authors of ransomware have done everything possible to be sure that the victim will immediately determine what exactly is infected with its ransomware, as the affected personal files will have the .reco extension. Also, fraudsters leave a ransom message called ‘_readme.txt’ indicating the amount of money that victim need to make to decrypt the files.
ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-iBpEhjntw2 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: gorentos@bitmessage.ch Reserve e-mail address to contact us: gerentosrestore@firemail.cc
Threat Summary
| Name | Reco |
| Type | Ransomware, File locker, Filecoder, Crypto virus, Crypto malware |
| Encrypted files extension | .reco |
| Ransom note | _readme.txt |
| Contact | gorentos@bitmessage.ch, gerentosrestore@firemail.cc |
| Ransom amount | $980 in Bitcoins |
| Symptoms | Encrypted documents, photos and music. Your photos, documents and music now have odd extensions that end with something like .locked, .crypted or .cryptor. Your file directories contain a ‘ransom note’ file that is usually a .html, .jpg or .txt file. New files on your desktop, with name variants of: ‘HOW_TO_DECRYPT.txt’, ‘DECRYPT.txt’ or ‘README.txt’. |
| Distribution methods | Email attachments. Drive-by downloads (crypto malware has the ability to infect the system simply by visiting a web page that is running harmful code). Social media, like web-based instant messaging programs. Misleading web pages. |
| Removal | To remove Reco ransomware use the removal guide |
| Decryption | To decrypt Reco ransomware use the steps |
If you came across this article, you were likely searching for a method on how to uninstall Reco ransomware, which does not involve paying the money. The goal of this blog post is to provide you with the necessary information that can allow you understand how delete ransomware and decrypt personal files that have been locked.
Quick links
How to remove Reco crypto virus
The Reco crypto virus can hide its components which are difficult for you to find out and delete completely. This can lead to the fact that after some time, the ransomware virus again infect your computer and encrypt your documents, photos and music. Moreover, I want to note that it’s not always safe to uninstall crypto malware manually, if you do not have much experience in setting up and configuring the MS Windows operating system. The best way to look for and remove Reco ransomware is to run free malicious software removal applications which are listed below.
Run Zemana AntiMalware (ZAM) to remove Reco virus
Zemana Anti-Malware (ZAM) is a malicious software scanner that is very effective for detecting and uninstalling Reco crypto malware. The steps below will explain how to download, install, and use Zemana Free to scan your system and remove crypto malware, adware, spyware, trojans, malicious software, worms for free.
- Download Zemana AntiMalware by clicking on the following link.
Zemana Anti Malware download - When the downloading process is finished, launch it and follow the prompts. Once installed, the Zemana will try to update itself and when this procedure is done, click the “Scan” button to begin checking your computer for the Reco crypto virus, other kinds of potential threats like malicious software and trojans.
- This procedure can take quite a while, so please be patient. When a threat is found, the number of the security threats will change accordingly. Wait until the the scanning is finished. You may remove items (move to Quarantine) by simply press “Next” button.
- The Zemana will delete Reco ransomware, other kinds of potential threats such as malware and trojans and add items to the Quarantine.
Run MalwareBytes AntiMalware to delete Reco virus
Remove Reco crypto virus manually is difficult and often the ransomware is not completely removed. Therefore, we suggest you to run the MalwareBytes which are fully clean your PC system. Moreover, this free application will allow you to remove malicious software, PUPs, toolbars and adware that your machine can be infected too.
- Click the link below to download MalwareBytes Anti Malware. Save it to your Desktop so that you can access the file easily.
Malwarebytes Anti-Malware - Once downloading is finished, close all apps and windows on your PC system. Open a folder in which you saved it. Double-click on the icon that’s named mb3-setup.
- Further, click Next button and follow the prompts.
- Once setup is complete, press the “Scan Now” button to begin scanning your computer for the Reco ransomware, other kinds of potential threats like malicious software and trojans. This task can take some time, so please be patient. While the MalwareBytes Free tool is checking, you may see number of objects it has identified as being affected by malware.
- When the scan is complete, MalwareBytes will display a screen which contains a list of malicious software that has been detected. You may delete threats (move to Quarantine) by simply click “Quarantine Selected”. After the cleaning procedure is done, you can be prompted to reboot your PC system.
The following video offers a step-by-step instructions on how to remove browser hijacker infections, adware software and other malicious software with MalwareBytes AntiMalware (MBAM).
If the problem with Reco is still remained
KVRT is a free removal tool that can be downloaded and run to remove ransomwares, adware, malware, PUPs, toolbars and other threats from your PC. You can use this utility to scan for threats even if you have an antivirus or any other security program.
- Download Kaspersky virus removal tool (KVRT) by clicking on the link below.
Kaspersky virus removal tool - Once the download is complete, double-click on the KVRT icon. Once initialization process is finished, you will see the Kaspersky virus removal tool screen.
- Press Start scan button to perform a system scan for the Reco ransomware virus . A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your computer and the speed of your PC system. When a malicious software, adware software or potentially unwanted applications are detected, the number of the security threats will change accordingly.
- As the scanning ends, KVRT will display you the results. Next, you need to click on Continue to start a cleaning procedure.
How to decrypt .reco files
To decrypt .reco files, we recommend that you use the free decryptor created by Emsisoft. This decryptor will allow decrypting files that were encrypted with different versions of Stop (djvu) ransomware, including ‘Reco’ variant.
Emsisoft decryptor for stop djvu
How to use Stop (djvu) decryptor to decrypt .reco files
- Visit the page linked below to download Mosk decryptor
STOP Djvu decryptor - Scroll down to ‘New Djvu ransomware’ section.
- Download the ‘decrypt_STOPDjvu.exe’ file to your desktop.
- Run decrypt_STOPDjvu.exe
- Select the directory or drive where the encrypted files are located.
- Click the Decrypt button.
Unfortunately, it does not always help to decrypt files. If Stop (djvu) decryptor skips files without decrypting them, then we advise you to use alternative methods, which are listed below.
How to restore .reco files
Fortunately, there is little opportunity to recover photos, documents and music which have been encrypted by Reco crypto malware. Data restore software can help you! Many victims of various viruses, using the steps described below, were able to recover their files. In our guide, we advise using only free and tested utilities named PhotoRec and ShadowExplorer. The only thing we still want to tell you before you try to recover encrypted .reco files is to check your PC system for active crypto malware. In our article we gave examples of which malicious software removal tools can find and uninstall the Reco crypto malware.
Recover .reco files with ShadowExplorer
In some cases, you have a chance to recover your personal files which were encrypted by the Reco crypto malware. This is possible due to the use of the tool called ShadowExplorer. It is a free program that created to obtain ‘shadow copies’ of files.
Download the program using the link that you can find below. We recommend that you save the downloaded file to your desktop, so you can easily find it after the download is complete.
When the program download is complete, you will see a file called ShadowExplorer-0.9-portable.zip. The utility is in the archive, so you need to unzip the archive before starting the program. Right-click on this file and select the option called Extract All. Now open folder ShadowExplorerPortable.
In the list of files, find the ShadowExplorerPortable program and run it.
The main program window will open before you, as in the following example. The main window is divided into two parts – left and right. In the left part of the window, select the drive on which the encrypted files are located and select the date closest to the moment when the virus attacks your computer, encrypts the files and has changed the file extension to ‘kuub’. In the right part of the window, select the file you want to restore, then right-click on it.
A small pop-up menu will open before you, select Export in it. In the next window, select the directory where the recovered files will be saved.
What else do I want to say about the process of recovering encrypted files using the ShadowExplorer tool. Unfortunately, very often ransomware disable the Windows Previous Versions function and delete all saved copies of files. Therefore, after starting the ShadowExplorer, you may find that it is impossible to recover files. In this case, use another method of recovering encrypted kuub files, which is given below.
Restore .reco files with PhotoRec
Before a file is encrypted, the Reco ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your files using file recover apps such as PhotoRec.
Use the link below to download PhotoRec.
When the file is downloaded, in the folder where you saved it you will see a file with the name ‘testdisk-7.0.win_.zip’. This file is the archive that contains the PhotoRec. To use the PhotoRec, this archive must be unzipped. Right-click on the file and select the item called Extract All. Open the folder with the name testdisk-7.0, you will see a list of files similar to the one below.
In the contents of the directory that opens, find the file with the name QPhotoRec_Win and run it. You will be shown a window similar to the one in the following figure. This is the main PhotoRec window.
Here you need to select the physical disk and the disk partition (disk name) where the encrypted kuub files are located. Note that in section ‘File System Type’, option ‘FAT/NTFS’ must be selected. Now select the folder where the recovered files will be written. We recommend using a partition or drive that does not contain encrypted files. It is better to use external media. It is very important! Since the PhotoRec restores files that were deleted by the Windows OS, if you restore them to the same drive on which you are trying to find them, a situation may occur when the Windows simply physically overwrites them and you can no longer recover such files.
Next, at the bottom of the window, click File Formats. A small window opens that lists the types of files that the PhotoRec can find and restore.
Leave only those file types that you need to recover selected. For example, if you want to restore images of ‘jpg’ format, then select the file type ‘jpg’. Having decided which files to recover, click OK button.
Having completed the steps listed above, you have made all the settings necessary to search and restore encrypted kuub files. It remains only to click on the Search button. The process of searching and restoring files can take a very long time, be sure not to turn off the computer or restart it. During this process, the program will show the current search location (disk sector), how many and which files were found and restored.
When the file recovery process is complete, click the Quit button. Then open the directory that you previously selected as the place where the recovered files will be written.
Here you will see one or more directories with the name recup_dir (recup_dir.1, recup_dir.2, …). Check these folder to find the files you need. The file name may not be restored, so to find what you need, use file sorting, as well as the standard Windows OS search by file contents.
Finish words
I hope this information helped you remove Reco ransomware virus and restore the encrypted files. If you have any questions or you have information that will help readers of this article, then please add your comment below.
