Remove R980 Ransomware and Restore Encrypted Files - How to, Technology and PC Security Forum |

Remove R980 Ransomware and Restore Encrypted Files


with SpyHunter

Scan Your System for Malicious Files
Note! Your computer might be affected by R980 and other threats.
Threats such as R980 may be persistent on your system. They tend to re-appear if not fully deleted. A malware removal tool like SpyHunter will help you to remove malicious programs, saving you the time and the struggle of tracking down numerous malicious files.
SpyHunter’s scanner is free but the paid version is needed to remove the malware threats. Read SpyHunter’s EULA and Privacy Policy


R980 is a ransomware virus, which encrypts databases, documents, photos and other files. It wants half a Bitcoin as a ransom payment, which amounts to nearly 330 US dollars. The files get encrypted with AES 256-bit and RSA4096 encryption algorithms according to the ransom message. To remove the ransomware and see how you can try to restore your files, you should read the article carefully.

Threat Summary

Short DescriptionThe ransomware encrypts your files, using AES 256-bit and RSA4096 encryption combined. Afterward, it shows you a ransom message
Symptoms The ransomware encrypts your files, while randomizing their names with different letters and symbols. It gives details on how to pay the ransom and asks for 330 US dollars as payment.
Distribution MethodSpam Emails, File Sharing Networks
Detection Tool See If Your System Has Been Affected by R980


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss R980.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

R980 Ransomware – Distribution

R980 ransomware could be distributed with the help of spam emails. Such emails often try reaching as many people as possible and try to infect their computer. The message found in the body of the email tries to convince users to open a link or an attachment. Opening the attachment activates the malicious payload or downloads a malware file. The file associated with this ransomware virus is called f.exe. A security researcher with a twitter handle @Bartblaze has found that the email service was used for sending a decrypter. The same service might be used as an entry point for the virus. Do not open any emails which seem suspicious.

Another possible distribution method for the R980 ransomware could be social media and file-sharing networks. This type of networks is what cyber crooks also use to spread their ransomware further and compromise computers on a larger scale. A message could come with the file claiming that is a useful program. Avoiding the infection is manageable if you are very careful with files, especially if they have an unknown origin or try to push free software which has an official site.

R980 Ransomware – Details

R980 ransomware is new, and it still might be in its test period, but has been spotted in the wild by the malware researcher Jaromir Horejsi. It is believed that the address from where it came from might be responsible for compromising computer systems and namely bookmyroom(.)pk.

R980 ransomware was intended as some kind of a project and has the following files on the above-mentioned website associated with it (as Horejsi has found):

  • bootstrap-timepicker.css
  • bootstrap-timepicker.js
  • bootstrap-timepicker.min.css
  • bootstrap-timepicker.min.js
  • db.txt
  • f.exe
  • keys.txt
  • x.php

As mentioned above, the f.exe executable file is the one that delivers the payload and does the damage. After file encryption you will see the following ransom note as an image:


You can see the full ransom message with complete instructions in a text file. Here is how that file looks like:


The file is called DECRYPTION INSTRUCTIONS.txt and it reads:


ALL of your documents, photos, databases and other important files have been encrypted with AES – 256 and RSA4096.You will not be able to recover your files without the private key which has been saved on our server.An antivirus can not recover your files.
To decrypt your files you have to pay .5 Bitcoins (BTC).
How to make payment?
1. Firstly, you have to buy Bitcoins (BTC). You can buy Bitcoins easily at the following site (you can skip this step if you already have Bitcoins).
2. Send .5 BTC to the following Bitcoin address – You don’t have to send the exact amount above. You have to send at least this amount for our systems to confirm payment.
3. Once you have paid to the above Bitcoin address we will give you a link to a decrypter that will fix your files.
It will be sent to a public email account we have created for you:
Please wait up to 24 hours for your decrypter to arrive.

From the note it becomes apparent that the ransom money which R980 asks as payment is 0.5 BitCoins or in the range of 330 US dollars.

Despite the sum of money that is asked, it is NOT advised to pay the ransom. Even if you manage to contact the cyber crooks you might not get your files back. Paying only supports owners of the ransomware and motivates them to continue doing this. Keep reading, to find out how you can try to recover your files.

The ransomware encrypts files and puts random letters and symbols as their names. For the encryption process, the AES 256-bit and RSA4096 algorithms are used, at least according to the ransom note.

File types that get encrypted by R980 ransomware are ones which people usually use the most:

  • Databases
  • Documents
  • Photos
  • Other important files

You can see that the R980 ransomware is detected by security software already, if you check the VirusTotal website:


R980 ransomware is not known if it deletes the Shadow Volume Copies of the Windows operating system. Read on below to find out a few methods you can try to recover your files.

Remove R980 Ransomware and Restore Encrypted Files

If your computer system is infected with the R980 ransomware, you should have some experience with removing malware. You should get rid of this ransomware before it infects somebody else on the network you use. The recommended action for you is to read the step-by-step instructions manual provided below, remove the ransomware efficiently and see if you can restore your files.

Note! Your computer system may be affected by R980 and other threats.
Scan Your PC with SpyHunter
SpyHunter is a powerful malware removal tool designed to help users with in-depth system security analysis, detection and removal of threats such as R980.
Keep in mind, that SpyHunter’s scanner is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter’s malware removal tool to remove the malware threats. Read our SpyHunter 5 review. Click on the corresponding links to check SpyHunter’s EULA, Privacy Policy and Threat Assessment Criteria.

To remove R980 follow these steps:

1. Boot Your PC In Safe Mode to isolate and remove R980 files and objects
2. Find files created by R980 on your PC

Before starting the Automatic Removal below, please boot back into Normal mode, in case you are currently in Safe Mode.
This will enable you to install and use SpyHunter 5 successfully.

Use SpyHunter to scan for malware and unwanted programs

3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
4. Try to Restore files encrypted by R980

Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share