Rastakhiz Ransomware Removal Guide

Do you know what Rastakhiz Ransomware is?

Have you discovered the malicious Rastakhiz Ransomware on your operating system? If you have, most likely, your personal files are already encrypted, and the “.RASTAKHIZ” extension is appended to all of their names. Although this infection targets only specific file types in specific folders, you might discover that some files are corrupted. Unfortunately, the ransomware encrypts files using a complex encryption algorithm, and deciphering it manually is impossible. Even expert malware researchers cannot do that. If you have connected the dots already, your files are locked for good. So, what should you do about it? In fact, it is unlikely that there is anything you can do. The creator of the ransomware wants you to believe that they can help if you fulfill their demands, but trusting cyber criminals is always a bad idea. All in all, even if you cannot recover your files, you MUST remove Rastakhiz Ransomware.

Rastakhiz Ransomware was built using the Hidden Tear open source code. This source code has been employed by the creators of Onion3Cry Ransomware, FlatChestWare Ransomware, and hundreds of other similar threats. In the words of our malware research team, any 12-year-old with basic knowledge can build malware using this source code. Our research team caught this threat before it was fully developed, and so there are still some questions we have to answer. For example, we cannot fully discuss the distribution of this threat, but, of course, it is safe to say that spam emails could be used, considering that this is the method most ransomware creators use to spread their creations. Regardless of which method is used to expose you to this malware, it should slither in without your notice. Once it does that, it silently scans the Contacts, Desktop, Documents, Downloads, Favorites, Links, Music, OneDrive, Pictures, Saved Games, Searches, and Videos folders in the %USERPROFILE% directory (subfolders are not targeted). These are the folders you need to check when you discover Rastakhiz Ransomware.

The files Rastakhiz Ransomware targets have these extensions:

.001, .7-zip, .ace, .apk, .arj, .asp, .aspx, .avi, .bmp, .bz2, .cab, .c, .cs, .contact, .core, .cpp, .crproj, .csv, .dat, .db, .dll, .doc, .docx, .dwg, .exe, .f3d, .gzip, .htm, .html, .ico, .iso, .jar, .jpg, .lnk, .lzh, .mdb, .mkv, .mov, .mp3, .mp4, .mpeg, .mpg, .odt, .pdb, .pas, .pdf, .php, .png, .ppt, .pptx, .psd, .py, .rar, .rtf, .settings, .sln, .sql, .srt, .tar, .torrent, .txt, .uue, .xls, .xlsx, .xml, .xz, .z, .zip

The malicious Rastakhiz Ransomware works from %HOMEDRIVE%\rastakhiz\rastakh1z.exe – where it is copied after the initial launch – but that is not the only file created by this ransomware. According to our research, the infection should also create a file on the Desktop named “#R3@D_M3#.txt”. The contents of this file should include a Bitcoin address, 1Q5VprvKoBmPBncC7yZLURkcQ7FG9xnMKv, to which you should be asked to transfer a certain amount in Bitcoins. It was also found that the threat uses two email addresses – gsah5029@gmail.com and alihacker8001@gmail.com – to send the encryption key. One of them could be included in the ransom note as well. Overall, you should not pay attention to the information presented via this file because it was created to make you pay the ransom, and, in reality, that is not what you need to do because that will not help you get your files back. Nothing can help you.

Since Rastakhiz Ransomware is not yet complete, we cannot guarantee that the removal guide below will work in all cases. Of course, if more information is found after the threat is released, we will inform you about it as soon as possible. For now, it seems that you can delete Rastakhiz Ransomware by erasing the launcher and its copy. What if you cannot delete this threat manually? If you cannot, we advise installing an anti-malware program that could automatically erase all threats, including the devious ransomware. This truly is the best option you have because reliable anti-malware software is also irreplaceable when it comes to the protection of your operating system.

Remove Rastakhiz Ransomware

  1. Right-click the {random name}.exe file that is the launcher and select Delete.
  2. Delete the ransom note file called #R3@D_M3#.txt found on the Desktop.
  3. Launch Windows Explorer by tapping keys Win+E.
  4. Enter %HOMEDRIVE% into the bar at the top.
  5. Right-click and Delete the folder named rastakhiz with the launcher’s copy (rastakh1z.exe) inside.
  6. Empty Recycle Bin to get rid of the deleted components.
  7. Perform a full system scan using a reliable malware scanner to check if your system is clean.
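The following PowerShell script is an added example written for this guide; it is not code from the guide's author or from any removal tool. It turns the indicators described above (the %USERPROFILE% folders that are scanned, the .RASTAKHIZ extension, the %HOMEDRIVE%\rastakhiz\rastakh1z.exe copy, and the #R3@D_M3#.txt note on the Desktop) into a read-only inventory, and then automates steps 1 to 5 of the removal procedure with -WhatIf support so nothing is deleted until you confirm. The function names are my own, the launcher path must be supplied by you because the guide says its name is random, and the SHA256 hash it records is not published on the page; it is computed locally so that you have it for your own incident record.

```powershell
# Added example, not from the original guide: triage and opt-in cleanup of the
# Rastakhiz artefacts the guide describes. Run from an elevated PowerShell prompt.

# Folders the guide lists as scanned (top level only; subfolders are not targeted).
$TargetFolders = 'Contacts', 'Desktop', 'Documents', 'Downloads', 'Favorites', 'Links',
                 'Music', 'OneDrive', 'Pictures', 'Saved Games', 'Searches', 'Videos'

# Artefacts named in the guide.
$CopyDir  = Join-Path $env:HOMEDRIVE 'rastakhiz'
$CopyExe  = Join-Path $CopyDir 'rastakh1z.exe'
$NoteFile = Join-Path $env:USERPROFILE 'Desktop\#R3@D_M3#.txt'

function Get-RastakhizIndicators {
    # Read-only inventory: known artefacts plus every top-level *.RASTAKHIZ file.
    $encrypted = foreach ($name in $TargetFolders) {
        $dir = Join-Path $env:USERPROFILE $name
        if (Test-Path -LiteralPath $dir) {
            Get-ChildItem -LiteralPath $dir -File -Filter '*.RASTAKHIZ' -ErrorAction SilentlyContinue
        }
    }
    # Hash the dropped copy (if present) before it is deleted, for your own IR record.
    $copyHash = if (Test-Path -LiteralPath $CopyExe) {
        (Get-FileHash -LiteralPath $CopyExe -Algorithm SHA256).Hash
    }
    [pscustomobject]@{
        CopyPresent    = Test-Path -LiteralPath $CopyExe
        CopySha256     = $copyHash
        NotePresent    = Test-Path -LiteralPath $NoteFile
        EncryptedCount = @($encrypted).Count
        EncryptedFiles = @($encrypted | Select-Object -ExpandProperty FullName)
    }
}

function Remove-RastakhizArtifacts {
    # Steps 1 to 5 of the guide. Supports -WhatIf / -Confirm, so review first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$LauncherPath   # the {random name}.exe launcher you located yourself
    )
    # Stop the running copy first; Windows refuses to delete an executable that is running.
    # -WhatIf propagates to Stop-Process through $WhatIfPreference.
    Get-Process -Name 'rastakh1z' -ErrorAction SilentlyContinue | Stop-Process -Force

    $paths = @($CopyDir, $NoteFile)
    if ($LauncherPath) { $paths += $LauncherPath }
    foreach ($p in $paths) {
        if ((Test-Path -LiteralPath $p) -and $PSCmdlet.ShouldProcess($p, 'Delete')) {
            Remove-Item -LiteralPath $p -Recurse -Force
        }
    }
}

# Usage: inventory first, then a dry run, then the real removal, then step 6 (Recycle Bin)
# and step 7 (full scan). The launcher path below is a placeholder you must replace.
Get-RastakhizIndicators | Format-List
Remove-RastakhizArtifacts -LauncherPath 'C:\Users\<you>\Downloads\<random name>.exe' -WhatIf
```

Get-ChildItem is deliberately not recursive, matching the guide's statement that subfolders are not targeted; if your inventory shows zero encrypted files but the note and the copy are present, the encryption may not have completed, which is consistent with the guide's observation that the threat was caught before it was finished. Remove-Item bypasses the Recycle Bin, so step 6 only matters for files you deleted by hand.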

In non-techie terms:

Rastakhiz Ransomware is a dangerous infection that was created to encrypt personal files so that you would be more cooperative when a ransom is requested. This ransom is requested with the help of a TXT file that is created as soon as the encryption process is completed. The malicious threat is meant to back you into a corner so that you would see no other option but to pay the ransom. The bad news is that you do not have other options, and paying the ransom is not an option either. Once the creator of the ransomware gets your money, they will disappear without providing you with a decryption tool or key that might be promised. Deleting Rastakhiz Ransomware manually can be very easy, but if that does not work for you, do not hesitate to install anti-malware software.