The Reyptson virus operates as a crypto-threat capable of encrypting data with the AES cipher. After encryption, the malware appends the .REYPTSON file extension to the affected files. Since the virus is written in Spanish, the malware targets Spanish users.
Furthermore, recent analysis has revealed the threat's tendency to hijack victims' Thunderbird contact lists and flood those contacts with fraudulent invoice messages. It clearly prefers Spanish users, who are expected to receive the biggest share of such emails. The pop-up and text file contain a ransom-demand message in Spanish stating that files are encrypted using the AES-128 algorithm and that victims must pay a ransom to restore them.
Reyptson includes the ability to distribute itself through a spam email campaign conducted from the victim’s computer. It does this by checking if the Thunderbird email client is installed, and if it is, it will attempt to read the victim’s email credentials and contact list. If it is able to retrieve the contacts and credentials, it will begin a spam campaign to send out fake invoices to the victim’s contact list. These spam emails will have a subject line of Folcan S.L. Facturación and will contain a fake invoice. This invoice is written in Spanish and tells the recipient to click on a link to download an invoice. When the recipient clicks on the link, it will download a file called factura.pdf.rar, which contains an executable. This executable will infect the user with the ransomware when it is opened.
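A mail-filter check for the spam described above, as an added example that is not part of the original write-up. It assumes the archive name factura.pdf.rar is visible in the link URL or as an attachment name; the sample messages and the example.invalid host are constructed.

```python
import re
import unicodedata
from email import message_from_string, policy

# Indicators taken from the description above.
SUBJECT_IOC = "folcan s.l. facturacion"   # compared after accent folding
ARCHIVE_IOC = "factura.pdf.rar"           # double extension: a RAR posing as a PDF

def fold(text):
    """Lowercase and strip accents so 'Facturación' also matches 'Facturacion'."""
    decomposed = unicodedata.normalize("NFKD", text or "")
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()

def reyptson_indicators(raw_message):
    """Return the names of the indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    # policy.default decodes RFC 2047 encoded-words, so an accented subject
    # sent as =?UTF-8?Q?...?= is compared as plain text.
    if SUBJECT_IOC in fold(str(msg["Subject"] or "")):
        hits.append("subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name and fold(name).endswith(ARCHIVE_IOC):
            hits.append("attachment-name")
        if part.get_content_maintype() == "text":
            body = fold(part.get_content())
            if re.search(r"https?://\S*" + re.escape(ARCHIVE_IOC), body):
                hits.append("link")
    return hits

# Constructed sample messages (not captured traffic).
SAMPLE_SPAM = """\
From: contacto@example.invalid
To: victima@example.invalid
Subject: =?UTF-8?Q?Folcan_S.L._Facturaci=C3=B3n?=

Descargue su factura: http://example.invalid/descargas/factura.pdf.rar
"""
SAMPLE_BENIGN = """\
From: proveedor@example.invalid
Subject: Factura de julio

Adjunto la factura en PDF.
"""

if __name__ == "__main__":
    for label, raw in (("spam", SAMPLE_SPAM), ("benign", SAMPLE_BENIGN)):
        print(label, reyptson_indicators(raw))
```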
Files associated with the Reyptson Ransomware:
Registry Entries associated with the Reyptson Ransomware:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Spotify Web Helper v1.0 %AppData%\Spotify\SpotifyWebHelper\Spotify.vbs
At this time there is no way to decrypt files encrypted by Reyptson, but if you have been using Max Total Security then you can restore your files from the backup. Very soon Max Total Security is launching a total protection tool against any ransomware.