Malware analysts have received reports of R3store Ransomware attacks. The R3store Ransomware is an encryption ransomware Trojan based on HiddenTear, a ransomware platform that was made available to the public in 2015 and has since spawned numerous ransomware Trojans. The R3store Ransomware was first observed on May 31, 2017. It is being delivered through spam email messages whose corrupted attachments download and install the R3store Ransomware onto the victim's computer. There are other ways in which the R3store Ransomware can be delivered to victims, though, including the use of exploit kits or hacking into the victim's computer directly.
There’s Nothing New on the R3store Ransomware Attack
The R3store Ransomware carries out a typical encryption ransomware attack, encrypting the victim's files to demand the payment of a ransom. The R3store Ransomware marks the files it encrypts with the file extension '.r3store,' which is added to the end of each affected file's name. The R3store Ransomware runs on the victim's computer as an executable file named 'Restore.exe.' Once the R3store Ransomware has carried out its attack, most of the victim's files, including file types such as audio, video, text, databases, and numerous others, will no longer load. The R3store Ransomware uses a combination of RSA and AES encryption to make the victim's files unusable. Once the R3store Ransomware has encrypted the target files, they will no longer work without the decryption key, which the con artists hold in their possession until the R3store Ransomware ransom is paid. The R3store Ransomware demands a payment of $450 USD in Bitcoin by displaying the following ransom note on the victim's computer:
'Your Files are encrypted. (Pictures,Docs,Music etc.). Please do not close this window as that will result in serious computer damage. If you wish to use your computer ever again and unlock your files, Please send $450 Dollars in bitcoins to the address at the bottem of the page.
Can i pay with anything else?
How to buy Bitcoins?
I paid, Give me my files back'
This ransom note is displayed in a program window named 'Restore,' as well as contained in a text document named 'READ_IT.txt' that is dropped on the infected computer's desktop. Computer users are advised to refrain from following the instructions in the R3store Ransomware ransom note. The people responsible for the R3store Ransomware attack cannot be trusted to hold up their end of the bargain and deliver the decryption key after the ransom is paid.
How the R3store Ransomware may be Delivered to Victims’ Computers
The R3store Ransomware can be delivered to victims through various methods. The most common way in which ransomware Trojans like the R3store Ransomware are delivered is through corrupted spam email attachments. However, these threats are also common on peer-to-peer (P2P) networks and in poorly regulated software downloads. Websites can also be compromised to infect visitors with threats like the R3store Ransomware through the use of exploit kits and unsafe redirect scripts.
Protecting Yourself from Threats Like the R3store Ransomware
The best defense against ransomware Trojans like the R3store Ransomware is to have file backups on an external device or the cloud. Being able to restore the encrypted files by simply deleting the encrypted file and copying over the backup copy undoes the R3store Ransomware attack completely. In fact, if enough computer users had file backups, these attacks would disappear since they would no longer be practical or profitable. Apart from having file backups, learning to browse the Web safely and recognizing known tactics, along with an updated security product, are the best protection against threats like the R3store Ransomware.
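The indicators named in this article (the '.r3store' extension, the 'READ_IT.txt' note and the 'Restore.exe' executable) can be combined with the backup advice above in a single triage pass. The following Python script is an added example, not part of the original article; the function names, the constructed sample tree and the assumption that the backup mirrors the live directory layout are illustrative.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the article text.
ENCRYPTED_SUFFIX = ".r3store"
NOTE_NAME = "READ_IT.txt"
EXECUTABLE_NAME = "Restore.exe"  # a name match is a lead to inspect, not proof

def triage(root, backup_root):
    """Collect indicators under root; assumes backup_root mirrors root's layout."""
    root, backup_root = Path(root), Path(backup_root)
    report = {"notes": [], "executables": [], "restorable": [], "no_backup": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            lower = name.lower()
            if lower == NOTE_NAME.lower():
                report["notes"].append(path)
            elif lower == EXECUTABLE_NAME.lower():
                report["executables"].append(path)
            elif lower.endswith(ENCRYPTED_SUFFIX) and len(name) > len(ENCRYPTED_SUFFIX):
                # 'budget.xlsx.r3store' -> original name 'budget.xlsx'
                original = path.with_name(name[: -len(ENCRYPTED_SUFFIX)])
                candidate = backup_root / original.relative_to(root)
                key = "restorable" if candidate.is_file() else "no_backup"
                report[key].append((path, candidate))
    return report

def build_sample(tmp):
    """Constructed sample tree: two encrypted files, only one has a backup copy."""
    live, backup = Path(tmp) / "live", Path(tmp) / "backup"
    (live / "Desktop").mkdir(parents=True)
    (live / "Documents").mkdir()
    (backup / "Documents").mkdir(parents=True)
    (live / "Desktop" / "READ_IT.txt").write_text("constructed note")
    (live / "Documents" / "budget.xlsx.r3store").write_bytes(b"\x00")
    (live / "Documents" / "photo.jpg.r3store").write_bytes(b"\x00")
    (live / "Documents" / "notes.txt").write_text("untouched")
    (backup / "Documents" / "budget.xlsx").write_bytes(b"good copy")
    return live, backup

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        result = triage(*build_sample(tmp))
        for key, items in result.items():
            print(key, len(items))
```

The "no_backup" list is the part of the report that shows what a backup routine missed; the script only reads the file system and restores nothing.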