Select Page

Nov 22, 2023

Breaking the Mold: Halting a Hacker’s Code ep. 19 – A New Ransomware Variant Named ‘Retch’



Retch is a new ransomware variant first discovered in mid-August 2023. It encrypts files on compromised machines and leaves two ransom notes asking victims to pay a ransom for file decryption.

Target system:

Windows(R) Operating Systems (OS) 

Spreading ways:

Downloaded files, phishing emails containing malicious attachments, hidden within a Trojan file.


Encrypts data files, picture files, office documents, music, and many other kinds of files in the victim Windows PC or server, except files in the following directories:


“Program Files”

“Program Files (x86)”

The ransomware adds a “.retch” extension to encrypted files.

It generates a plain text file named “Message.txt” in every folder, with files that are already encrypted. In the same file, the attacker asks victims to pay Bitcoins for file decryption.

In addition, the attacker downloads another file on the Desktop labeled “HOW TO RECOVER YOUR FILES.txt” and asks victims to pay Bitcoin worth $1000 for file decryption. This ransom note has a contact email address and the attacker’s Bitcoin wallet address.

Already Known Retch File Hash Value:






Protect against Retch Ransomware

CloudVista-Cyber Threat Intelligence from Hillstone has already published Retch Ransomware information.

Retch Ransomware file signature has already been included in the latest Anti-Virus Signature database. Users need to update the Anti-Virus Signature database to version 2.3.231102 or above.

Figure 1. Hillstone CloudVista published information to users about this ransomware
Figure 2. Hillstone Network Firewall Anti-Virus signature version