The Rea virus belongs to the Dharma ransomware family. Ransomware of this sort encrypts all of the user's data on the PC (images, text files, Excel sheets, music, videos, etc.) and appends its own extension to every file, leaving an info.txt text file in each folder that contains encrypted files.
Rea virus: what is known so far?
A scientifically accurate description for the Rea would be "a Dharma family ransomware malicious agent".
The renaming follows this pattern: id-xxxxxx.[contact-email].rea. During encryption, a file named, for instance, "report.docx" will be turned into "report.docx.id-9ECFA84E.[[email protected]].rea".
In each directory containing encrypted files, an info.txt file will be created. It is the ransom note. It explains how to contact the racketeers and usually describes how to purchase the decryption tool from them. The decryptor is offered after contacting [email protected] by email.
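The rename pattern and per-folder note described above are enough to scope which files were hit. The following Python sketch is an added example, not part of the original article or of any vendor tool: it parses the pattern, recovers each original filename, and flags folders that hold an info.txt note beside renamed files. The 6-8 hex character ID length, the function names, and the placeholder address contact@example.invalid are assumptions, and the sample tree is constructed.

```python
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Pattern from the article: <original name>.id-<ID>.[<contact e-mail>].rea
# Assumption: the ID is 6-8 hex characters, as in the article's example.
RENAMED = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[0-9A-Fa-f]{6,8})"
    r"\.\[(?P<contact>[^\[\]]+)\]\.rea$", re.IGNORECASE)

def parse_renamed(filename):
    """Return original name, victim ID and contact address, or None."""
    m = RENAMED.match(filename)
    return m.groupdict() if m else None

def triage(root):
    """Walk root; list renamed files and the directories holding a ransom note."""
    report = {"files": [], "note_dirs": [], "ids": Counter()}
    for dirpath, _dirs, names in os.walk(root):
        hits = [(n, p) for n in names if (p := parse_renamed(n))]
        for name, parsed in hits:
            report["files"].append((os.path.join(dirpath, name), parsed["original"]))
            report["ids"][parsed["victim_id"].upper()] += 1
        # info.txt is a common name: count it only next to renamed files.
        if hits and any(n.lower() == "info.txt" for n in names):
            report["note_dirs"].append(dirpath)
    return report

def build_sample(root):
    """Constructed sample tree; the e-mail address is a placeholder."""
    tag = "id-9ECFA84E.[contact@example.invalid].rea"
    files = {"docs/report.docx." + tag: "x", "docs/photo.jpg." + tag: "x",
             "docs/info.txt": "constructed note",
             "clean/info.txt": "unrelated file with the same name",
             "clean/area.rea": "ends in .rea but lacks the id/e-mail parts"}
    for rel, text in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        result = triage(tmp)
        print(len(result["files"]), "renamed files;", dict(result["ids"]))
        print("ransom notes in:", result["note_dirs"])
```

Run it read-only against a copy or a mounted image of the affected disk; the list of original names tells you which files to look for in backups.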
Rea outline:
| Name | Rea Virus |
| Ransomware family | Dharma ransomware |
| Extension | .rea |
| Ransomware note | info.txt |
| Contact | [email protected] |
| Detection | Trojan:Win32/Smokeloader.GHN!MTB, Trojan:Win32/RedLine.LD!MTB, Ransom:MSIL/TankixCrypt.PA!MTB |
| Symptoms | Your files (photos, videos, documents) have a .rea extension and you can't open them. |
The info.txt document accompanying the Rea malware provides the following discouraging information:
all your data has been locked us You want to return? write email [email protected] or [email protected]
In the picture below, you can see what a directory with files encrypted by the Rea looks like. Each filename has the ".rea" extension appended to it.
How did my computer get infected with Rea ransomware?
There is a huge number of possible ways of ransomware injection.
Nowadays, there are three methods that criminals exploit most often to get ransomware onto your system: email spam, Trojans, and peer-to-peer networks.
If you open your mailbox and see letters that look like familiar notifications from utility services companies, delivery agencies like FedEx, web-access providers, and whatnot, but whose sender is strange to you, beware of opening those letters. They are most likely to have a malware item enclosed in them. So it is even more dangerous to download any attachments that come with emails like these.
Another thing the hackers might try is a Trojan file scheme. A Trojan is an object that gets into your computer disguised as something else. Imagine you download an installer for some program you need or an update for some software, but what is unpacked turns out to be a harmful agent that compromises your data. Since the installation wizard can have any name and any icon, you'd better be sure that you can trust the source of the things you're downloading. The best way is to use the software developers' official websites.
As for the peer networks like BitTorrent or eMule, the danger is that they are even more trust-based than the rest of the Internet. You can never know what you download until you get it. Our suggestion is that you use trustworthy resources. Also, it is reasonable to scan the folder containing the downloaded objects with the antivirus as soon as the downloading is complete.
How to remove the Rea virus?
It is important to know that besides encrypting your data, the Rea virus will probably install Vidar Stealer on your machine to get access to credentials for various accounts (including cryptocurrency wallets). That program can extract your logins and passwords from your browser's auto-fill data.
Often the tamperers will decrypt some of your files to prove that they do have the decryption program. As the Rea virus is a relatively new ransomware, security researchers have not yet found a method to reverse its work. However, anti-ransomware tools are constantly updated, so an effective countermeasure may soon arrive.
Understandably, if the hackers succeed in encrypting the victim's critical files, the desperate person will probably comply with their demands. Nevertheless, paying the racketeers gives no guarantee that you're getting your data back. It is still dangerous. After obtaining the money, the racketeers may send a wrong decryption key to the injured party. There have been reports of ransomware developers just disappearing after getting the ransom without even bothering to reply.
The best protection against ransomware is to have a system restore point or copies of your critical files in cloud storage or at least on an external drive. Surely, that might be insufficient: the most crucial thing could be the file you were working on when it all went down. Nevertheless, it is something. It is also advisable to scan your PC with an antivirus program after the OS is rolled back.
Rea is not the only ransomware of its kind, since there are other specimens of ransomware out there that act in the same manner. For instance, Nifr, Boty, Niwm, and some others. The two major differences between them and the Rea are the ransom amount and the method of encryption. The rest is the same: documents become encrypted, their extensions changed, ransom notes are found in every directory containing encrypted files.
Some lucky people were able to decrypt the blocked files with the help of free software provided by anti-malware developers. Sometimes the hackers accidentally send the decryption code to the victim in the ransom note. Such an extraordinary failure allows the user to restore the files. But of course, one should never expect such a chance. Make no mistake, ransomware is a bandits' technology for pulling money out of their victims.
How can I avert a ransomware attack?
Rea ransomware doesn't have endless power, and neither does any similar malware.
You can protect your PC from its attack by taking three easy steps:
- Ignore any emails from unknown mailers with unknown addresses, or with content that has likely no connection to something you are expecting (how can you win in a lottery without participating in it?). If the email subject is more or less something you are expecting, scrutinize all elements of the suspicious letter with caution. A hoax letter will always contain mistakes.
- Never use cracked or unknown software. Trojans are often distributed as a part of cracked software, most likely as a "patch" that bypasses the license check. Untrusted programs are difficult to distinguish from trustworthy software, as trojans sometimes have the functionality you seek. You can try to find information about the program on anti-malware message boards, but the optimal solution is not to use such software.
Reasons why I would recommend GridinSoft
Download Removal Tool.
Run the setup file.
Press the "Install" button.
Once installed, Anti-Malware will automatically run.
Wait for the Anti-Malware scan to complete.
Click on "Clean Now".
FAQ
Can I somehow access ".rea" files?
Unfortunately, no. You need to decipher the ".rea" files first. Then you will be able to open them.
The encrypted files are very important to me. How can I decrypt them quickly?
If the ".rea" files contain some really important information, then you probably have them backed up. If not, there is still the System Restore function, but it needs a previously saved Restore Point. All other solutions require time.
What should I do if the Rea malware has blocked my computer and I can't get the activation key?
What can I do right now?
Many of the encoded files might still be within your reach:
- If you sent or received your critical files through email, you could still download them from your online mail server.
- You might have shared photographs or videos with your friends or relatives. Just ask them to give those images back to you.
- If you have initially downloaded any of your files from the Web, you can try to do it again.
- Your messengers, social networks pages, and cloud storage might have all those files as well.
- Maybe you still have the needed files on your old PC, a portable device, phone, external storage, etc.
USEFUL TIP: You can employ data recovery programs to retrieve your lost information since ransomware encodes the copies of your files, removing the original ones. In the video below, you can learn how to recover your files with PhotoRec, but remember: you can do it only after you eradicate the ransomware itself with an antivirus program.
Also, you can contact the following official fraud and scam sites to report this attack:
- In the United States: On Guard Online;
- In Canada: Canadian Anti-Fraud Centre;
- In the United Kingdom: Action Fraud;
- In Australia: SCAMwatch;
- In New Zealand: Consumer Affairs Scams;
- In France: Agence nationale de la sécurité des systèmes d'information;
- In Germany: Bundesamt für Sicherheit in der Informationstechnik;
- In Ireland: An Garda Síochána.
To report the attack, you can contact local executive boards. For instance, if you live in the USA, you can talk to your local FBI field office, IC3 or the Secret Service.
