Remove R980 Ransomware and Restore Encrypted Files - How to, Technology and PC Security Forum | SensorsTechForum.com

Remove R980 Ransomware and Restore Encrypted Files

[Image: R980 ransom note message]

R980 is a ransomware virus, which encrypts databases, documents, photos and other files. It wants half a Bitcoin as a ransom payment, which amounts to nearly 330 US dollars. The files get encrypted with AES 256-bit and RSA4096 encryption algorithms according to the ransom message. To remove the ransomware and see how you can try to restore your files, you should read the article carefully.

Threat Summary

Name: R980
Type: Ransomware
Short Description: The ransomware encrypts your files using AES 256-bit and RSA4096 encryption combined. Afterward, it shows you a ransom message.
Symptoms: The ransomware encrypts your files, while randomizing their names with different letters and symbols. It gives details on how to pay the ransom and asks for 330 US dollars as payment.
Distribution Method: Spam Emails, File Sharing Networks
Detection Tool: See If Your System Has Been Affected by R980 (Malware Removal Tool download)
User Experience: Join Our Forum to Discuss R980.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

R980 Ransomware – Distribution

R980 ransomware could be distributed with the help of spam emails. Such emails often try to reach as many people as possible in order to infect their computers. The message in the body of the email tries to convince users to open a link or an attachment. Opening the attachment activates the malicious payload or downloads a malware file. The file associated with this ransomware virus is called f.exe. A security researcher with the Twitter handle @Bartblaze has found that the email service Mailinator.com was used for sending a decrypter. The same service might be used as an entry point for the virus. Do not open any emails which seem suspicious.

Another possible distribution method for the R980 ransomware could be social media and file-sharing networks. Cyber crooks also use such networks to spread their ransomware further and compromise computers on a larger scale. The file could come with a message claiming that it is a useful program. Avoiding the infection is manageable if you are very careful with files, especially ones of unknown origin or ones pushed as free copies of software that has an official site.
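Because the article says the lure arrives as a spam attachment (the file f.exe), a defender's first check is to inspect attachments before anyone opens them. The following Python script is an added example, not code from the article or from any researcher it cites; the sample message, its addresses and the attachment contents are constructed for the demo, and the only name taken from the page is f.exe. It flags attachments by executable extension, double extension (a trick that hides the real suffix in clients that suppress known extensions) and the MZ header that every Windows executable starts with.

```python
from __future__ import annotations

import email
from email import policy
from email.message import EmailMessage

# Attachment extensions Windows will execute when double-clicked. The article's
# delivery file, f.exe, falls in this set.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
}
DOS_MZ_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


def build_sample_message() -> bytes:
    """Constructed lure for the demo; addresses and contents are made up."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please open the attached file to review your invoice.")
    # Stand-in for the dropper: only an MZ header plus filler, not a real PE.
    msg.add_attachment(b"MZ" + b"\x00" * 62 + b"PE\x00\x00",
                       maintype="application", subtype="octet-stream",
                       filename="f.exe")
    # Double extension: looks like a PDF in clients that hide the final suffix.
    msg.add_attachment(b"%PDF-1.4 placeholder",
                       maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.scr")
    # Harmless attachment for contrast.
    msg.add_attachment("just text", filename="notes.txt")
    return msg.as_bytes()


def triage_attachments(raw: bytes) -> list[dict]:
    """Return one finding per attachment with the reasons it looks risky."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        suffixes = name.lower().split(".")[1:]  # "invoice.pdf.scr" -> ["pdf", "scr"]
        reasons = []
        if suffixes and "." + suffixes[-1] in EXECUTABLE_EXTENSIONS:
            reasons.append("executable extension")
        if len(suffixes) > 1:
            reasons.append("double extension")
        if data[:2] == DOS_MZ_MAGIC:
            reasons.append("MZ header (Windows executable)")
        findings.append({
            "filename": name,
            "size": len(data),
            "reasons": reasons,
            "suspicious": bool(reasons),
        })
    return findings


if __name__ == "__main__":
    for finding in triage_attachments(build_sample_message()):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{flag:10} {finding['filename']:18} {finding['size']:6d} bytes  "
              f"{', '.join(finding['reasons'])}")
```

The content check matters more than the name check: an attacker controls the file name, but a Windows executable must begin with the MZ bytes to run, so a mail gateway or helpdesk script that reads the decoded payload catches a renamed dropper that a name-only filter misses.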

R980 Ransomware – Details

R980 ransomware is new and might still be in its test period, but it has been spotted in the wild by the malware researcher Jaromir Horejsi. The address it came from, namely bookmyroom(.)pk, is believed to be responsible for compromising computer systems.

R980 ransomware was intended as some kind of a project and has the following files associated with it on the above-mentioned website (as Horejsi has found):

  • bootstrap-timepicker.css
  • bootstrap-timepicker.js
  • bootstrap-timepicker.min.css
  • bootstrap-timepicker.min.js
  • db.txt
  • f.exe
  • keys.txt
  • x.php

As mentioned above, the f.exe executable file is the one that delivers the payload and does the damage. After file encryption you will see the following ransom note as an image:

[Image: R980 ransom note message]

You can see the full ransom message with complete instructions in a text file. Here is how that file looks:

[Image: full R980 ransom note text file]

The file is called DECRYPTION INSTRUCTIONS.txt and it reads:

!!!! ATTENTION !!!! YOUR FILES HAVE BEEN ENCRYPTED! !!!!

ALL of your documents, photos, databases and other important files have been encrypted with AES – 256 and RSA4096. You will not be able to recover your files without the private key which has been saved on our server. An antivirus can not recover your files.
hxxps://en.wikipedia.org/wiki/Advanced_Encryption_Standard
HOW TO GET YOUR FILES BACK:
To decrypt your files you have to pay .5 Bitcoins (BTC).
How to make payment?
1. Firstly, you have to buy Bitcoins (BTC). You can buy Bitcoins easily at the following site (you can skip this step if you already have Bitcoins).
https://www.coinbase.com/
https://coincafe.com/
https://bitquick.co/
2. Send .5 BTC to the following Bitcoin address – You don’t have to send the exact amount above. You have to send at least this amount for our systems to confirm payment.
BITCOIN ADDRESS: 1NXYHuHdM8WBHBBRbxQbXQ9L3ry2radGgr
3. Once you have paid to the above Bitcoin address we will give you a link to a decrypter that will fix your files.
It will be sent to a public email account we have created for you:
https://www.mailinator.com/inbox2.jsp?public_to=8569402d-3a74-4f27-91ba-d6408e0ff8fe
Please wait up to 24 hours for your decrypter to arrive.

From the note it becomes apparent that the ransom R980 asks as payment is 0.5 Bitcoin, or around 330 US dollars.

Despite the sum of money that is asked, it is NOT advised to pay the ransom. Even if you manage to contact the cyber crooks, you might not get your files back. Paying only supports the owners of the ransomware and motivates them to continue doing this. Keep reading to find out how you can try to recover your files.

The ransomware encrypts files and replaces their names with random letters and symbols. For the encryption process, the AES 256-bit and RSA4096 algorithms are used, at least according to the ransom note.

The file types R980 ransomware encrypts are the ones people use the most:

  • Databases
  • Documents
  • Photos
  • Other important files
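As an added illustration of how a responder can triage a drive for files matching the symptoms described above (content that no longer carries a recognizable file signature and looks statistically random), here is a Python script that is not part of the article and not code from R980 or from any researcher cited. The file names, sample contents, the list of signatures and the entropy threshold of 7.5 bits per byte are constructed assumptions for the demo.

```python
from __future__ import annotations

import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Leading bytes of a few common document and image formats. A file whose
# content no longer starts with a known signature and looks random is a
# candidate for having been encrypted.
KNOWN_MAGIC = {
    b"%PDF": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip/office (docx, xlsx)",
    b"SQLite format 3\x00": "sqlite",
    b"\xd0\xcf\x11\xe0": "ole/legacy office",
}
ENTROPY_THRESHOLD = 7.5  # bits per byte (assumption); encrypted data approaches 8.0
MIN_SAMPLE = 256         # too few bytes give an unreliable entropy estimate


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given bytes (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def identify_format(head: bytes) -> str | None:
    """Label the file by signature, or None when no known signature matches."""
    for magic, label in KNOWN_MAGIC.items():
        if head.startswith(magic):
            return label
    return None


def assess_file(path: Path, sample_size: int = 64 * 1024) -> dict:
    """Read the first sample_size bytes and decide whether the file looks encrypted."""
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    fmt = identify_format(head)
    entropy = shannon_entropy(head)
    likely_encrypted = fmt is None and len(head) >= MIN_SAMPLE and entropy >= ENTROPY_THRESHOLD
    return {
        "path": str(path),
        "format": fmt,
        "entropy": round(entropy, 3),
        "likely_encrypted": likely_encrypted,
    }


def scan_tree(root: Path) -> dict[str, dict]:
    """Assess every regular file below root, keyed by path relative to root."""
    return {
        str(p.relative_to(root)): assess_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def build_sample_tree() -> Path:
    """Constructed sample: an intact PDF-like file, a text file, and a file of
    random bytes under a randomized name standing in for an encrypted one."""
    root = Path(tempfile.mkdtemp(prefix="r980-triage-"))
    (root / "report.pdf").write_bytes(b"%PDF-1.4\n" + b"quarterly figures " * 200)
    (root / "notes.txt").write_bytes(b"meeting notes, nothing unusual\n" * 50)
    (root / "Xq7kL2p9").write_bytes(os.urandom(4096))
    return root


def run_demo() -> dict[str, dict]:
    """Build the sample tree, scan it, clean up, and return the results."""
    root = build_sample_tree()
    try:
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, result in run_demo().items():
        tag = "LIKELY ENCRYPTED" if result["likely_encrypted"] else (result["format"] or "unknown")
        print(f"{name:12} entropy={result['entropy']:.3f}  {tag}")
```

Compressed formats (ZIP-based Office documents, JPEG, PNG) are also close to 8 bits per byte, which is why the signature check runs first and only files with no recognized signature are flagged; treat a hit as a candidate to confirm against backups, not as proof.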

You can see that the R980 ransomware is already detected by security software if you check the VirusTotal website:

[Image: VirusTotal detections for the R980 f.exe file]

It is not known whether R980 ransomware deletes the Shadow Volume Copies of the Windows operating system. Read on below to find out a few methods you can try to recover your files.
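Since the article does not say whether R980 removes Shadow Volume Copies, checking whether any survive is worth doing before attempting recovery. The Python below is an added example, not from the article or the researchers it cites; it wraps the Windows command vssadmin list shadows and parses its output, and the two sample outputs are constructed to match the usual layout of that command (an assumption to verify against your own machine). Run it from an elevated prompt on the affected computer; on other systems it falls back to the sample.

```python
from __future__ import annotations

import platform
import re
import subprocess

# Constructed sample output of `vssadmin list shadows`; the layout is assumed
# from the usual Windows output and should be verified on the machine at hand.
SAMPLE_OUTPUT = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {11111111-2222-3333-4444-555555555555}
   Contained 1 shadow copies at creation time: 7/1/2016 9:30:15 AM
      Shadow Copy ID: {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}
         Original Volume: (C:)\\?\Volume{ffffffff-0000-1111-2222-333333333333}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: WORKSTATION
         Service Machine: WORKSTATION
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""

# Constructed output for the case where the copies are gone or were never made.
NO_SHADOWS_OUTPUT = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

No items found that satisfy the query.
"""


def parse_shadow_list(text: str) -> list[dict]:
    """Extract one record per shadow copy: id, creation time, source and device."""
    shadows: list[dict] = []
    creation = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        match = re.search(r"at creation time: (.+)$", line)
        if match:
            creation = match.group(1).strip()  # applies to the copies that follow
            continue
        if line.startswith("Shadow Copy ID:"):
            shadows.append({"id": line.split(":", 1)[1].strip(), "created": creation})
        elif line.startswith("Original Volume:") and shadows:
            shadows[-1]["original_volume"] = line.split(":", 1)[1].strip()
        elif line.startswith("Shadow Copy Volume:") and shadows:
            shadows[-1]["shadow_volume"] = line.split(":", 1)[1].strip()
    return shadows


def shadow_copy_status(text: str) -> str:
    """One-line verdict a responder can act on."""
    shadows = parse_shadow_list(text)
    if not shadows:
        return "no shadow copies found; Previous Versions cannot restore the files"
    return f"{len(shadows)} shadow copy(ies) found; Previous Versions may restore files"


def run_vssadmin() -> str | None:
    """Run the real command on Windows (needs an elevated prompt); None elsewhere."""
    if platform.system() != "Windows":
        return None
    proc = subprocess.run(["vssadmin", "list", "shadows"], capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    output = run_vssadmin()
    if output is None:
        print("not on Windows; showing the constructed sample instead")
        output = SAMPLE_OUTPUT
    for shadow in parse_shadow_list(output):
        print(f"{shadow['id']}  created {shadow['created']}  from {shadow.get('original_volume')}")
    print(shadow_copy_status(output))
```

Run the check before doing anything else on the machine, since later cleanup or reinstall steps can themselves discard the copies; if copies exist, the Previous Versions tab on a folder's properties is the built-in way to pull files back from them.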

Remove R980 Ransomware and Restore Encrypted Files

If your computer system is infected with the R980 ransomware, removing it requires some experience with removing malware. You should get rid of this ransomware before it infects somebody else on the network you use. The recommended action is to read the step-by-step instructions provided below, remove the ransomware efficiently and see if you can restore your files.

Manually delete R980 from your computer

Note! Important warning about the R980 threat: manual removal of R980 requires interference with system files and the registry, so it can cause damage to your PC. Even if your computer skills are not at a professional level, don't worry. You can do the removal yourself in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove R980 files and objects.
2. Find malicious files created by R980 on your PC.
3. Fix registry entries created by R980 on your PC.

Automatically remove R980 by downloading an advanced anti-malware program

1. Remove R980 with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by R980 in the future
3. Restore files encrypted by R980
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.

