R Ransomware – Remove and Restore Files - How to, Technology and PC Security Forum | SensorsTechForum.com

R Ransomware – Remove and Restore Files

An article designed to help you delete R Ransomware virus from your computer and restore the files encrypted by this ransomware infection on your PC.

Documents, pictures, music, videos and other files are victims of the newly detected R Ransomware infection. The virus slithers onto the computers of victims via loaders and other malware and then encrypts the files on them, asking victims to pay the high amount of 2 BTC in a Ransomware.txt file to get the encrypted files restored back to their original state. In case your computer has been infected by R Ransomware, we advise you to read the following article and learn more about removing R Ransomware and restoring files encrypted by it.

Threat Summary


R Ransomware

Short DescriptionThe malware encrypts users files using a strong encryption algorithm, making direct decryption possible only via a unique decryption key available to the cyber-criminals. Asks for 2 BTC payment to retrieve encrypted files.
SymptomsThe user may witness ransom notes and “Ransomware.txt” instructions linking to a TOR web page with further instructions.
Distribution MethodVia an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool See If Your System Has Been Affected by R Ransomware


Malware Removal Tool

User ExperienceJoin our forum to Discuss R Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

R Ransomware – How Is It Distributed

To be spread, the R Ransomware makes use of spamming software to send massive spam message campaigns to various e-mails all over the world. The messages may be of a deceitful origin, and they aim primarily to trick the victims using deceptive statements. The victims who are lured into opening malicious e-mail attachments or web links get their computers infected by an obfuscated loader which drops R Ransomware’s payload onto their computer.

Here are other ways by which the R Ransomware can be spread onto the computers of victims:

  • As a result of having a potentially unwanted program onto the user’s computer.
  • Via fake updates of programs.
  • Via fake installers uploaded on websites.
  • Via fake patches or game cracks uploaded in torrent sites.

R Ransomware – Infection Activity

After the R Ransomware causes an infection on the victim’s computer, the virus drops the payload. It might be located in the following Windows folders:

  • %AppDatA%
  • %Roaming%
  • %Local%
  • %LocalRow%
  • %SystemDrive%

The files may be from the following malicious file types:

→ .vbs, .dll, .tmp, .vbs, .bat, .exe

The names of those files may vary. They are usually completely random or imitate legitimate Windows processes. Once the virus has dropped them, R Ransomware may begin to modify the Windows Registry Editor of the infected computer. The modification is achieved by adding value strings and hence changing different settings. Usually, the following Windows registry sub-keys are targeted:

→ HKEY_CURRENT_USER\Control Panel\Desktop\
HKEY_USERS\.DEFAULT\Control Panel\Desktop\

Last but not least, R Ransomware may also delete the shadow copies from the machine which has been infected. These volume shadow copies can be eradicated by executing a script which quietly inserts and enters the following commands in Windows Command Prompt:

→ process call create “cmd.exe /c
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

R Ransomware’s Encryption Explained

For the encryption to work, the virus may cause the system to misbehave, so that the process is interrupted. Another scenario is if R Ransomware restarts the computer as an administrator and performs the encryption process on system boot. Whatever the case may be, the virus attacks different files that are widely used. Those particular types of files may be the following:


After the encryption is complete, the files seem damaged or corrupt and can no longer be opened. The R Ransomware infection then opens it’s ransom note which is named Ransomware.txt and looks like the following:

Image Source: Twitter

The ransom note leads to a Tor-based web page where the user sees the following extortion message written in poor English:

“Your files have been encrypted because of security holes in your systems. So that this does not happen again, and you need to increase the security of the environment in question by hiring a company that specializes in security. It is not just a virus that has become a secure machine. A backup is also required so that your data is not lost. I look for a security of their systems.
I will send you a private key so you can retrieve your files as soon as a donation to complete. If necessary, I will assist you with the procedure. I do not care about your files just with a donation. If your files are important to you, I’ll do an evaluation, otherwise, you can not retrieve them.

I will provide the private key for you to recover your files.
Plus you need to make a donation of 2 bitcoin.
You can check the price of bitcoin at the following site:
Only donation will be accepted by BITCOIN, but you have no idea how to buy btcoin on the internet, you can get help in the menu FAQ Click Here.
As a guarantee send up to three files encrypted as DOCS XLS XML JPG
With a maximum size of 2mb to make it easy you need to compress the files with winrar or zip.
You should upload the files to any upload site of your choice, you do not know of any that you can use the following site:
Choose the file and click “Upload File” for the uploaded file.
Copy the “Download Link” and inform the download link in the support box next to it. “

The Tor web page of the ransomware is well designed and even has a live customer support chat. In addition to this, there are also FAQs (Frequently Asked Questions):

The main purpose of the web page is to conduct the payment through it and offer the victim free decryption of several files, just to see if it works. For these cyber-criminals, “customer support” is important.

Remove R Ransomware and Restore Encrypted Files

For the removal of R Ransomware, we recommend following the removal instructions below. They are created to help you get rid of it’s malicious files by isolating the virus first and then looking for them. However, if you are unable to manually remove the malware, experts always advise using an advanced anti-malware program which will perform the removal automatically and protect your computer in the future as well.

After already having removed the R Ransomware from your computer, recommendations are to try and restore your files using several other tools, instead of paying the ransom. We have suggested some tools in step “2” under Automatic removal steps below. These tools are not fully effective, but they may help to restore at least some of the data.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share