Remove R980 Ransomware and Restore Encrypted Files



R980 is a ransomware virus that encrypts databases, documents, photos and other files. It demands half a Bitcoin as a ransom payment, which amounts to nearly 330 US dollars. According to the ransom message, the files are encrypted with the AES 256-bit and RSA4096 encryption algorithms. To remove the ransomware and see how you can try to restore your files, read the article carefully.

Threat Summary

Short Description: The ransomware encrypts your files, using AES 256-bit and RSA4096 encryption combined. Afterward, it shows you a ransom message.
Symptoms: The ransomware encrypts your files, while randomizing their names with different letters and symbols. It gives details on how to pay the ransom and asks for 330 US dollars as payment.
Distribution Method: Spam Emails, File Sharing Networks
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice: this product scans your drive sectors to recover lost files. It may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

R980 Ransomware – Distribution

R980 ransomware could be distributed with the help of spam emails. Such emails are sent to as many people as possible in an attempt to infect their computers. The message in the body of the email tries to convince users to open a link or an attachment. Opening the attachment activates the malicious payload or downloads a malware file. The file associated with this ransomware virus is called f.exe. A security researcher with the Twitter handle @Bartblaze has found that the email service was used for sending a decrypter. The same service might be used as an entry point for the virus. Do not open any emails which seem suspicious.

Another possible distribution method for the R980 ransomware could be social media and file-sharing networks. Cyber crooks also use these networks to spread their ransomware further and compromise computers on a larger scale. The file could come with a message claiming that it is a useful program. Avoiding the infection is manageable if you are very careful with files, especially if they have an unknown origin or try to push free software which has an official site.

R980 Ransomware – Details

R980 ransomware is new and might still be in its test period, but it has been spotted in the wild by the malware researcher Jaromir Horejsi. It is believed that the address it came from, namely bookmyroom(.)pk, might be responsible for compromising computer systems.

R980 ransomware was intended as some kind of a project and has the following files on the above-mentioned website associated with it (as Horejsi has found):

  • bootstrap-timepicker.css
  • bootstrap-timepicker.js
  • bootstrap-timepicker.min.css
  • bootstrap-timepicker.min.js
  • db.txt
  • f.exe
  • keys.txt
  • x.php

As mentioned above, the f.exe executable file is the one that delivers the payload and does the damage. After file encryption you will see the following ransom note as an image:


You can see the full ransom message with complete instructions in a text file. Here is what that file looks like:


The file is called DECRYPTION INSTRUCTIONS.txt and it reads:


ALL of your documents, photos, databases and other important files have been encrypted with AES – 256 and RSA4096. You will not be able to recover your files without the private key which has been saved on our server. An antivirus can not recover your files.
To decrypt your files you have to pay .5 Bitcoins (BTC).
How to make payment?
1. Firstly, you have to buy Bitcoins (BTC). You can buy Bitcoins easily at the following site (you can skip this step if you already have Bitcoins).
2. Send .5 BTC to the following Bitcoin address – You don’t have to send the exact amount above. You have to send at least this amount for our systems to confirm payment.
3. Once you have paid to the above Bitcoin address we will give you a link to a decrypter that will fix your files.
It will be sent to a public email account we have created for you:
Please wait up to 24 hours for your decrypter to arrive.

From the note it becomes apparent that the ransom R980 asks for is 0.5 Bitcoins, or in the range of 330 US dollars.

Despite the sum of money that is asked, it is NOT advised to pay the ransom. Even if you manage to contact the cyber crooks, you might not get your files back. Paying only supports the owners of the ransomware and motivates them to continue doing this. Keep reading to find out how you can try to recover your files.

The ransomware encrypts files and puts random letters and symbols as their names. For the encryption process, the AES 256-bit and RSA4096 algorithms are used, at least according to the ransom note.
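
The artifacts named above can be checked for on a suspect machine or a mounted disk image. The following triage script is an added example, not code from the original article: it looks for the DECRYPTION INSTRUCTIONS.txt note, confirmed by wording from the quoted message, and for files named f.exe, whose SHA-256 it records for lookup in a scanner. The marker phrases, the function names and the sample tree built by demo() are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

NOTE_NAME = "decryption instructions.txt"   # ransom note name given in the article
NOTE_MARKERS = ("rsa4096", "bitcoin")       # assumed markers, taken from the quoted note
PAYLOAD_NAME = "f.exe"                      # payload file name given in the article
SAMPLE_BYTES = b"constructed placeholder, not malware"

def sha256_of(path):
    with open(path, "rb") as handle:
        return hashlib.sha256(handle.read()).hexdigest()

def triage(root):
    """Walk root and report the R980 artifacts named in the article."""
    report = {"notes": [], "payloads": [], "unreadable": []}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            try:
                if name.lower() == NOTE_NAME:
                    with open(path, "rb") as handle:
                        # Dropping NUL bytes lets the same check read UTF-16 notes.
                        text = handle.read(8192).replace(b"\x00", b"").decode("latin-1").lower()
                    # A matching file name alone is weak evidence; require the note wording.
                    if all(marker in text for marker in NOTE_MARKERS):
                        report["notes"].append(path)
                elif name.lower() == PAYLOAD_NAME:
                    # The name is generic, so keep the hash for a scanner lookup.
                    report["payloads"].append((path, sha256_of(path)))
            except OSError:
                report["unreadable"].append(path)
    return report

def demo():
    """Build a constructed sample tree (no real malware) and triage it."""
    with tempfile.TemporaryDirectory() as root:
        docs, misc = os.path.join(root, "Documents"), os.path.join(root, "Notes")
        os.makedirs(docs)
        os.makedirs(misc)
        with open(os.path.join(docs, "DECRYPTION INSTRUCTIONS.txt"), "w", encoding="utf-16") as out:
            out.write("files have been encrypted with AES - 256 and RSA4096. Pay .5 Bitcoins (BTC)")
        with open(os.path.join(misc, "decryption instructions.txt"), "w") as out:
            out.write("how to unzip the holiday photos")  # decoy: same name, no note wording
        with open(os.path.join(docs, "f.exe"), "wb") as out:
            out.write(SAMPLE_BYTES)
        return triage(root)

if __name__ == "__main__":
    print(demo())
```

Folders listed under "notes" show where encryption ran, which helps scope what has to be restored from backup.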

File types that get encrypted by R980 ransomware are ones which people usually use the most:

  • Databases
  • Documents
  • Photos
  • Other important files

You can see that the R980 ransomware is detected by security software already, if you check the VirusTotal website:


It is not known whether R980 ransomware deletes the Shadow Volume Copies of the Windows operating system. Read on below to find out a few methods you can try to recover your files.

Remove R980 Ransomware and Restore Encrypted Files

If your computer system is infected with the R980 ransomware, you should have some experience with removing malware. You should get rid of this ransomware before it infects somebody else on the network you use. The recommended action for you is to read the step-by-step instructions manual provided below, remove the ransomware efficiently and see if you can restore your files.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming of a more secure cyberspace. Her fascination with IT security began a few years ago when a piece of malware locked her out of her own computer.
