Reyptson targets Spanish victims running Windows OS and distributes itself by using the victim's Thunderbird email client to send malicious emails to the victim's contacts. After determining that the infected system does have Thunderbird installed, it retrieves the contacts and associated emails and begins sending spam designed to look like invoice inquiries using the subject line, "Folcan S.L. Facturación." The emails invite the recipients to click on a link to download an invoice; however, the link leads the a file named factura.pdf.rar that contains the Reyptson executable. Once the file is opened, the ransomware variant connects to a C2 server and sends system identification data to the attacker. It also downloads a cookie named UJBTFity to the infected system, although researchers currently do not know its purpose or function. After the data transfer has occurred, Reyptson proceeds to encrypt specific file types using AES-128, appending .Reyptson to their names. It also drops a ransom note named Como_Recuperar_Tus_Ficheros.txt in each affected folder. Lastly, it opens the PDF reader to fool victims into believing they opened a legitimate PDF and displays a lock screen-style ransom note containing payment instructions. The initial ransom payment demand for Reyptson is 200 Euros and it threatens to increase that amount to 500 Euros after 72 hours of non-payment.

  • Bleeping Computer provides more information on Reyptson, including IoCs, here.
  • The NJCCIC is not currently aware of any free decryption tools available for Reyptson.


Image Source: Bleeping Computer