The R3f5s Ransomware is a newly spotted copy of the infamous Dharma Ransomware. The Dharma Ransomware has indisputably been one of the most widespread ransomware families of 2019 and 2020. Instead of creating a data-locker from scratch, many cyber crooks opt to borrow the code of an already established file-encrypting Trojan like the Dharma Ransomware.
Propagation and Encryption
File-locking Trojans like the R3f5s Ransomware are usually programmed to target a long list of filetypes to ensure maximum damage. The R3f5s Ransomware is very likely to target .png, .gif, .svg, .jpg, .jpeg, .mp3, .midi, .mid, .wav, .mov, .webm, .mp4, .doc, .docx, .txt, .pdf, .db, .rar, .zip and others. To lock the files it targets, the R3f5s Ransomware would use a strong encryption algorithm. The names of the affected files will be changed, because the R3f5s Ransomware adds a '.id-<VICTIM ID>.[email@example.com].r3f5s' extension. For example, a file that you named 'pizza-dough.txt' will be renamed to 'pizza-dough.txt.id-<VICTIM ID>.[firstname.lastname@example.org].r3f5s'. Every victim has a uniquely generated ID, which helps the attackers differentiate between the affected users. Threats like the R3f5s Ransomware are often propagated via several popular infection vectors, such as malvertising, bogus social media posts, fake software downloads and updates, and torrent trackers. However, the most popular propagation method is likely phishing emails. These fraudulent emails would usually contain either a macro-laced attachment or a corrupted link.
The Ransom Note
In the next step of the attack, the R3f5s Ransomware would drop a ransom note on the breached host. The file that contains the note is named 'FILES ENCRYPTED.txt'. Cybercriminals who distribute file-lockers like the R3f5s Ransomware often use only capital letters when naming ransom notes to increase the user's chances of noticing the file. In the ransom note, the conmen ask to be contacted via email and provide two email addresses: 'email@example.com' and 'firstname.lastname@example.org'. It is likely that the attackers will disclose the ransom fee once they are contacted.
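The renaming pattern and the ransom note name described above are the two indicators a responder can use to inventory an affected host quickly. The following Python script is an added triage example, not code from the original article: it parses the '.id-<VICTIM ID>.[email].r3f5s' suffix back into the original file name, the victim ID and the contact address, and flags copies of 'FILES ENCRYPTED.txt'. The alphanumeric victim-ID format, the sample paths and the victim ID '1A2B3C4D' are constructed assumptions for the example; the article does not state the ID format.

```python
import re
from typing import Iterable, List, NamedTuple, Optional

# Dharma-style suffix as described in the article:
#   <original name>.id-<VICTIM ID>.[<contact email>].r3f5s
# Assumption: the victim ID is alphanumeric; the article does not give its format.
SUFFIX_RE = re.compile(
    r"^(?P<original>.+?)"            # original file name (non-greedy, keeps multi-dot names intact)
    r"\.id-(?P<victim_id>[A-Za-z0-9]+)"
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]"
    r"\.r3f5s$",
    re.IGNORECASE,
)

RANSOM_NOTE_NAME = "FILES ENCRYPTED.txt"


class LockedFile(NamedTuple):
    original: str   # name the file had before it was locked
    victim_id: str  # per-victim ID embedded by the ransomware
    email: str      # contact address embedded in the extension


def parse_locked_name(name: str) -> Optional[LockedFile]:
    """Return the parsed components of a renamed file, or None if the name does not match."""
    m = SUFFIX_RE.match(name)
    if not m:
        return None
    return LockedFile(m["original"], m["victim_id"], m["email"])


def triage(paths: Iterable[str]) -> dict:
    """Summarise a file listing: locked files, ransom notes, victim IDs and contact addresses.

    Renaming cannot recover contents (they are encrypted); the recovered original names
    are an inventory for restoring from backup and for scoping the incident.
    """
    originals: List[str] = []
    notes: List[str] = []
    victim_ids = set()
    emails = set()
    for path in paths:
        basename = re.split(r"[\\/]", path)[-1]  # handle Windows and POSIX separators
        if basename.casefold() == RANSOM_NOTE_NAME.casefold():
            notes.append(path)
            continue
        hit = parse_locked_name(basename)
        if hit is None:
            continue
        originals.append(hit.original)
        victim_ids.add(hit.victim_id)
        emails.add(hit.email)
    return {
        "locked_count": len(originals),
        "originals": sorted(originals),
        "ransom_notes": notes,
        # More than one victim ID in a single listing means more than one host was hit.
        "victim_ids": victim_ids,
        "contact_emails": emails,
    }


# Constructed sample listing (not real data): paths, victim ID and mix of files are illustrative.
SAMPLE_LISTING = [
    "C:/Users/alice/Documents/pizza-dough.txt.id-1A2B3C4D.[email@example.com].r3f5s",
    "C:/Users/alice/Pictures/holiday.jpg.id-1A2B3C4D.[email@example.com].r3f5s",
    "C:/Users/alice/Documents/FILES ENCRYPTED.txt",
    "C:/Users/alice/Documents/budget.xlsx",
    "C:/Users/alice/Desktop/notes.txt.id-1A2B3C4D.[email@example.com].r3f5s",
    "C:/Users/alice/Documents/archive.tar.gz.id-1A2B3C4D.[email@example.com].r3f5s",
]

if __name__ == "__main__":
    summary = triage(SAMPLE_LISTING)
    print(f"locked files: {summary['locked_count']}")
    print(f"victim IDs:   {sorted(summary['victim_ids'])}")
    print(f"contacts:     {sorted(summary['contact_emails'])}")
    print(f"ransom notes: {summary['ransom_notes']}")
    for name in summary["originals"]:
        print("  restore from backup:", name)
```

The non-greedy original-name group matters for names with several dots ('archive.tar.gz'), and the case-insensitive comparison on the note name guards against variants that change capitalisation. Run it against a real listing (for example the output of a recursive directory walk) and the victim-ID and contact-address sets tell you at a glance whether one or several hosts were affected and which addresses to block at the mail gateway.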
It is not recommended to cooperate with cybercriminals. Even if you pay the ransom sum, you may never receive the decryptor you need to recover your files. Instead, you should consider removing the R3f5s Ransomware from your computer with the assistance of a legitimate, up-to-date anti-spyware solution.