A new ransomware type of trojan horse has been reported to affect an increasing number of online users, encrypting their files with the .rdm extension. Affected users report that renaming the files back to their original extension and removing the .rdm extension does not work and upon opening the files seem corrupted. The threat is named Radamant ransomware by researchers and it is strongly advisable to back up your data in case it starts spreading on a massive scale. In case you have been affected by the ransomware, it is advisable to immediately disconnect the computer from your network and follow the instructions after this article to get rid of this ransomware and try recovering your data.
|Name||Radamant Ransomware Kit|
|Short Description||Encrypts user files requesting 5 BTC to restore the data back to working state.|
|Symptoms||The user may witnes his files becoming corrupt after a restart of his computer. The files have the .rdm file extension.|
|Distribution Method||Believed to be spread via an exploit kit sent out by either malicious links or attachments in e-mail messages or other spam.|
|Detection Tool||Download Malware Removal Tool, to See If Your System Has Been Affected by Radamant Ransomware Kit|
|User Experience||Join our forum to follow the discussion about Radamant Ransomware Kit.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
Radamant Ransomware – How Did I Get It
Similar to the 4th version of Cryptowall Ransomware, the cyber-threat may spread via spam e-mails containing either malicious web links in them that may redirect and cause a drive-by download or malicious mail attachments. The email message may resemble an official email by PayPal, eBay or some other reputable service the user may have a registration in and this increases the likeliness of someone clicking on the link/file.
Radamant Ransomware – More about It
Once downloaded and started on the user PC, the ransomware is reported to create the following registry entries:
Furthermore, it is believed to create these files that are associated with the registries:
What is specific about this ransomware is that it does not encrypt data immediately. Instead after the system reboots, the cyber-threat begins to scan for new files and encrypt them with the .RDM file extension and a strong AES-256 bit encryption algorithm.
So ,we advise you NOT to restart your computer before removing this nasty threat or save any new files of the following file extensions in it:
→“1cd, dbf, dt, cf, cfu, mxl, epf, kdbx, erf, vrp, grs, geo, st, pff, mft, efd, 3dm, 3ds, rib, ma, sldasm, sldprt, max, blend, lwo, lws, m3d, mb, obj, x, x3d, movie.byu, c4d, fbx, dgn, dwg, 4db, 4dl, 4mp, abs, accdb, accdc, accde, accdr, accdt, accdw, accft, adn, a3d, adp, aft, ahd, alf, ask, awdb, azz, bdb, bib, bnd, bok, btr, bak, backup, cdb, ckp, clkw, cma, crd, dacpac, dad, dadiagrams, daf, daschema, db, db-shm, db-wal, db2, db3, dbc, dbk, dbs, dbt, dbv, dbx, dcb, dct, dcx, ddl, df1, dmo, dnc, dp1, dqy, dsk, dsn, dta, dtsx, dxl, eco, ecx, edb, emd, eql, fcd, fdb, fic, fid, fil, fm5, fmp, fmp12, fmpsl, fol, fp3, fp4, fp5, fp7, fpt, fpt, fzb, fzv, gdb, gwi, hdb, his, ib, idc, ihx, itdb, itw, jtx, kdb, lgc, maq, mdb, mdbhtml, mdf, mdn, mdt, mrg, mud, mwb, s3m, myd, ndf, ns2, ns3, ns4, nsf, nsf, nv2, nyf, oce, odb, oqy, ora, orx, owc, owg, oyx, p96, p97, pan, pdb, pdb, pdb, pdm, phm, pnz, pth, pwa, qpx, qry, qvd, rctd, rdb, rpd, rsd, sbf, sdb, sdb, sdb, sdf, spq, sqb, stp, sql, sqlite, sqlite3, sqlitedb, str, tcx, tdt, te, teacher, tmd, trm, udb, usr, v12, vdb, vpd, wdb, wmdb, xdb, xld, xlgc, zdb, zdc, cdr, cdr3, ppt, pptx, 1st, abw, act, aim, ans, apt, asc, ascii, ase, aty, awp, awt, aww, bad, bbs, bdp, bdr, bean, bib, bna, boc, btd, bzabw, chart, chord, cnm, crd, crwl, cyi, dca, dgs, diz, dne, doc, doc, docm, docx, docxml, docz, dot, dotm, dotx, dsv, dvi, dx, eio, eit, email, emlx, epp, err, err, etf, etx, euc, fadein, faq, fb2, fbl, fcf, fdf, fdr, fds, fdt, fdx, fdxt, fes, fft, flr, fodt, fountain, gtp, frt, fwdn, fxc, gdoc, gio, gio, gpn, gsd, gthr, gv, hbk, hht, hs, htc, hwp, hz, idx, iil, ipf, jarvis, jis, joe, jp1, jrtf, kes, klg, klg, knt, kon, kwd, latex, lbt, lis, lit, lnt, lp2, lrc, lst, lst, ltr, ltx, lue, luf, lwp, lxfml, lyt, lyx, man, map, mbox, md5txt, me, mell, min, mnt, msg, mwp, nfo, njx, notes, now, nwctxt, nzb, ocr, odm, odo, odt, ofl, oft, openbsd, ort, ott, p7s, pages, pfs, pfx, pjt, plantuml, prt, psw, pu, pvj, pvm, pwi, pwr, qdl, rad, readme, rft, ris, rng, rpt, rst, rt, rtd, rtf, rtx, run, rzk, rzn, saf, safetext, sam, scc, scm, scriv, scrivx, sct, scw, sdm, sdoc, sdw, sgm, sig, skcard, sla, slagz, sls, smf, sms, ssa, strings, stw, sty, sub, sxg, sxw, tab, tdf, tdf, tex, text, thp, tlb, tm, tmd, tmv, tmx, tpc, trelby, tvj, txt, u3d, u3i, unauth, unx, uof, uot, upd, utf8, unity, utxt, vct, vnt, vw, wbk, wbk, wcf, webdoc, wgz, wn, wp, wp4, wp5, wp6, wp7, wpa, wpd, wpd, wpl, wps, wps, wpt, wpw, wri, wsc, wsd, wsh, wtx, xbdoc, xbplate, xdl, xdl, xlf, xps, xwp, xwp, xwp, xy3, xyp, xyw, ybk, yml, zabw, zw, 2bp, 0,36, 3fr, 0,411, 73i, 8xi, 9png, abm, afx, agif, agp, aic, albm, apd, apm, apng, aps, apx, art, artwork, arw, arw, asw, avatar, bay, blkrt, bm2, bmp, bmx, bmz, brk, brn, brt, bss, bti, c4, cal, cals, can, cd5, cdc, cdg, cimg, cin, cit, colz, cpc, cpd, cpg, cps, cpx, cr2, ct, dc2, dcr, dds, dgt, dib, dicom, djv, djvu, dm3, dmi, vue, dpx, wire, drz, dt2, dtw, dvl, ecw, eip, erf, exr, fal, fax, fil, fpos, fpx, g3, gcdp, gfb, gfie, ggr, gif, gih, gim, gmbck, gmspr, spr, scad, gpd, gro, grob, hdp, hdr, hpi, i3d, icn, icon, icpr, iiq, info, int, ipx, itc2, iwi, j, j2c, j2k, jas, jb2, jbig, jbig2, jbmp, jbr, jfif, jia, jng, jp2, jpe, jpeg, jpg, jpg2, jps, jpx, jtf, jwl, jxr, kdc, kdi, kdk, kic, kpg, lbm, ljp, mac, mbm, mef, mnr, mos, mpf, mpo, mrxs, myl, ncr, nct, nlm, nrw, oc3, oc4, oc5, oci, omf, oplc, af2, af3, ai, art, asy, cdmm, cdmt, cdmtz, cdmz, cdt, cgm, cmx, cnv, csy, cv5, cvg, cvi, cvs, cvx, cwt, cxf, dcs, ded, design, dhs, dpp, drw, drw, dxb, dxf, egc, emf, ep, eps, epsf, fh10, fh11, fh3, fh4, fh5, fh6, fh7, fh8, fif, fig, fmv, ft10, ft11, ft7, ft8, ft9, ftn, fxg, gdraw, gem, glox, gsd, hpg, hpgl, hpl, idea, igt, igx, imd, ink, lmk, mgcb, mgmf, mgmt, mt9, mgmx, mgtx, mmat, mat, otg, ovp, ovr, pcs, pfd, pfv, pl, plt, pm, vrml, pmg, pobj, ps, psid, rdl, scv, sk1, sk2, slddrt, snagitstamps, snagstyles, ssk, stn, svf, svg, svgz, sxd, tlc, tne, ufr, vbr, vec, vml, vsd, vsdm, vsdx, vstm, stm, vstx, wmf, wpg, vsm, vault, xar, xmind, xmmap, yal, orf, ota, oti, ozb, ozj, ozt, pal, pano, pap, pbm, pc1, pc2, pc3, pcd, pcx, pdd, pdn, pe4, pe4, pef, pfi, pgf, pgm, pi1, pi2, pi3, pic, pict, pix, pjpeg, pjpg, pm, pmg, png, pni, pnm, pntg, pop, pp4, pp5, ppm, prw, psd, psdx, pse, psp, pspbrush, ptg, ptx, ptx, pvr, px, pxr, pz3, pza, pzp, pzs, z3d, qmg, ras, rcu, rgb, rgb, rgf, ric, riff, rix, rle, rli, rpf, rri, rs, rsb, rsr, rw2, rwl, s2mv, sai, sci, sct, sep, sfc, sfera, sfw, skm, sld, sob, spa, spe, sph, spj, spp, sr2, srw, ste, sumo, sva, save, ssfn, t2b, tb0, tbn, tex, tfc, tg4, thm, thumb, tif, tiff, tjp, tm2, tn, tpi, ufo, uga, usertile-ms, vda, vff, vpe, vst, wb1, wbc, wbd, wbm, wbmp, wbz, wdp, webp, wpb, wpe, wvl, x3f, y, ysp, zif, cdr4, cdr6, rtf, cdrw, jpeg, djvu, pdf, ddoc, css, pptm, raw, cpt, gif, jpeg, jpg, jpe, jp2, pcx, pdn, png, psd, tga, tiff, tif, hdp, xpm, ai, cdr, ps, svg, sai, wmf, emf, ani, apng, djv, flc, fb2, fb3, fli, mng, smil, svg, mobi, swf, html, xls, xlsx, csv, xlsm, ods, xhtm”
What is more, Bleeping Computer reports that besides affecting the abovementioned extensions the ransomware may also demand around 230$ or 5 bitcoins from users in order to restore their data back to its working state. Users report that after restarting their computer they begin to see their files infected and the following ransom message to appear:
What is more, besides being activated via a malicious .tmp file which is believed to be run by an exploit kit, the ransomware is also reported to have the ability to delete Shadow Volume Copies in Windows, leaving users without backup. This is reported to be done in Windows Command Prompt most likely via a script inserting the administrative command to delete all shadow copies permanently.
Finally, the ransomware is strongly believed to use two domains, called crazytrevor(.)com and crazytrevor(.)in that most likely have instructions and details on how and where to pay the ransom money.
Removing Radamant Ransomware Completely
Removing such cyber-threat from your computer may prove to be tricky. This is because Radamant may contain other .dll, .tmp files as well as registry entries located in different location and manual removal may not be a good solution. In order to eradicate this malware it is recommended to use an advanced anti-malware software which hunts for all associated files and eradicates them. What is more, it is advisable to follow the instructions below in order to conduct the removal process safely.
Restoring Your Files
Unfortunately, this ransomware changes the sting value of the file sit encrypts to a wrong one, adding a unique key for each file. What is worse, the files are encrypted with a strong AES algorithm and their direct decryption is not possible according to the latest research.
To restore your data, your best bet is to check again for shadow volume copies using this software:
If this method does not work, EMSISoft have provided a decryptor for .RDM files encrypted by Radamant Ransomware:
The other method of restoring your files is by trying to bring back your files via data recovery software. Here are some examples of data recovery programs:
- Stellar Phoenix Data Recovery Technicians License(Pro version with more features)
- Stellar Phoenix Windows Data Recovery
- Stellar Phoenix Photo Recovery