“All your files are belong to us!” Virus – Remove + Restore Data

“All your files are belong to us!” Virus – Remove + Restore Data

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

This article has been created to explain what is the “RaRansomware” ransomware virus and how to remove it from your computer plus how you can restore files, encrypted by this variant of RaRansomware.

New variant of the notorious RaRansomware virus has been detected by security researchers. The malware aims to encrypt the files on the computers, infected by it shortly after which set a custom, often random file extension to the encoded files. The ransomware also drops a RaRansomware – Recovery instructions.html file which contains instructions on how to recover the encrypted files by paying ransom to the cyber-criminals. If you are one of the victims of the RaRansomware, we advise that you read the following article to learn how to remove it and how you can try and restore your files without paying ransom.

Threat Summary

TypeRansomware, Cryptovirus
Short DescriptionRaRansomware encrypts the files on the infected computers and then extorts victims into paying ransom in order to get their files to run again.
SymptomsThe RaRansomware virus leaves the files with the randomly generated capital letters as file extension and drops a ransom note, called RaRansomware – Recovery instructions.html.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by RaRansomware


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss RaRansomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

RaRansomware – Information Database:

RaRansomware Virus – How Does It Spread

RaRansomware Virus – How Does It Spread

The RaRansomware virus is the type of ransomware virus which aims to slither past your computer’s defenses while the virus remains undetectable. The malicious .exe file of the RaRansomware virus is likely dropped as a result of infecting victims via various methods, such as:

  • Remote Desktop Protocol.
  • Malicious e-mail spam messages.
  • Malicious downloads.
  • Web injectors as a result of visiting a malicious site.
  • Botnets previously infected the victim’s computer.Malicious downloads (fake executables, cracks, patches, installers).

The most often used methods of infection which may be the ones used by RaRansomware are believed to be via malicious e-mail spam messages, that carry deceptive messages in them, similar to the example image below:

RaRansomware - Activity

RaRansomware – Activity Report

The RaRansomware may perform a set of malicious activities when it infects a computer, starting with dropping it’s malicious files on the victim’s computer. The files are located in the following Windows directories:

  • %Destkop%
  • %User Profile%
  • %Temp%
  • %AppData%

The malicious files of RaRansomware consist of the recovery instructions files, an executable which is for the payload and the payload executable which carries the same name as the extension, added to the encrypted files, for example if the name of the encrypted files is ending with .XVNAW, the malicious file is likely to be named XVNAW.exe. In total, the files associated with RaRansomware are the following:

→ RaRansomware – Recovery instructions.html
{file extension name}.exe

In the RaRansomware – Recovery instructions.html file are published the recovery instructions of the virus, claiming that the victim has 120 hours or 5 days to pay ransom to the cyber-criminals and communicate with them in a TOR-based web page. The ransom note has the following message to victims:

All your files are belong to us!
All your personal files, including, but not limited to:
Photos, videos, databases and office projects have been encrypted using a mix of two very strong cryptographic algorithms – AES-128 and RSA-1028. Original files have been overwritten, recovery tools and software will not help you.
The only way to recover your files, are to meet our demands.
Be warned, we won’t be able to recover your files if you start fiddling with them.
You have 120 hours (5 days) from this moment to send us payment, or you files will be lost in eternity.
To start the recovery process you need to download and install the Tor browser, which is easily done from their own home-page.
Once you have the Tor browser running you need to navigate to xxxx://TOR PAGE.to and then input your personal id displayed below.
Further payment instructions will be given once logged in.

The ransom note on the HTML web page looks like the following:

Furthermore, among the malicious activities of RaRansomware are also to possibly add registry value entries in the following Windows Registry sub-keys:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

In one or all of those sub-keys, the RaRansomware may add registry value with data in it which points to the actual location of the malicious files. Having this key set allows for the virus to automatically run alongside Windows login and the worse part is that you as a user won’t even see it coming.

Furthermore, the RaRansomware might also make sure that the encrypted files cannot be recovered using Windows File History by disabling the shadow copies on the affected computer via typing the following commands and running them in a script-based attack in Windows Command prompt:

→ process call create “cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures”

RaRansomware – Encryption

RaRansomware – Encryption

The encryption performed by RaRansomware is likely done with the aid of RSA + AES encryption combination, generating unique decryption keys for each type of file. The encryption procedure creates copies of the original file and these copies are the encrypted and no longer openable variants of the files with blocks of data replaced with data that is unreadable and makes the file no longer able to be opened. The original files are deleted and all the user sees of his important documents, images videos and other files is the file with a random file extension and without it’s original file icon, similar to what is shown below:

How to Remove RaRansomware and Restore Encrypted Files

If your computer has been infected by RaRansomware, it is recommended that you follow the instructions in this article and use the information In the activity report above to remove it manually, but only if you have the experience in doing this by yourself. If not, or for maximum effectiveness, be advised that security professionals do recommend to use an advanced anti-malware software, whose main goal is to help you get rid of this ransomware automatically and in the same time protect y our computer against any intrusions and malware in the future too.

If you want to restore files, encrypted by RaRansomware, direct decryption may not be available. But you can try out the alternative methods for file recovery underneath in step “2. Restore files, encrypted by RaRansomware” . They are not 100% guarantee you will restore all of your encrypted files, but with their aid, you might be able to get back at least some or most of your files, depending on the situation.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share