A new variant belonging to the Dharma ransomware family is being used by cybercriminals to lock the data of their victims. The threat is tracked as R3tr0 Ransomware but can also be encountered as RETRO-ENCRYPTED. The malware is equipped with an uncrackable encryption routine that can affect all of the victim's important files - databases, archives, documents, images, etc.
Each encrypted file will also have its name changed drastically. The threat first adds an ID string specific to the particular victim, followed by an email address under the control of the attackers ('firstname.lastname@example.org' in this case). Finally, '.r3tr0' is appended to the locked files as a new file extension. As is typical for a Dharma-based threat, R3tr0 Ransomware drops two ransom notes on the breached devices, as 'Info.hta' and 'info.txt' files.
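The renaming scheme described above is the most practical host-level indicator for a responder: files that end in '.r3tr0' carry the victim ID and the attacker's contact address in their own name, and the two note files sit next to them. The following scanner is an added example, not code from the original write-up or from any vendor; it walks a list of paths, recovers the victim ID, attacker email and original file name from each renamed file, and counts ransom notes. The page gives the order of the name components but not the separators, so the exact layout (`<name>.id-<ID>.[<email>].r3tr0`, the usual Dharma convention) and the sample file listing are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# ASSUMED layout, following the common Dharma convention (the page states the
# order "victim ID, attacker email, .r3tr0" but not the separators):
#   <original name>.id-<victim id>.[<attacker email>].r3tr0
DHARMA_NAME = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Za-z]+)"
    r"\.\[(?P<email>[^\]\[]+@[^\]\[]+)\]\.r3tr0$",
    re.IGNORECASE,
)

# Ransom note file names given on the page; matched case-insensitively.
NOTE_NAMES = {"info.hta", "info.txt"}


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str  # "encrypted", "loose_extension" or "ransom_note"
    victim_id: Optional[str] = None
    email: Optional[str] = None
    original_name: Optional[str] = None


def basename(path: str) -> str:
    """Last path component, accepting both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def classify(path: str) -> Optional[Finding]:
    """Return a Finding if the path shows an R3tr0 indicator, else None."""
    name = basename(path)
    if name.lower() in NOTE_NAMES:
        return Finding(path, "ransom_note")
    m = DHARMA_NAME.match(name)
    if m:
        return Finding(path, "encrypted", m["victim_id"],
                       m["email"].lower(), m["original"])
    # The extension alone is a weaker signal: the file was renamed, but not
    # in the assumed full layout, so no ID or email can be recovered from it.
    if name.lower().endswith(".r3tr0"):
        return Finding(path, "loose_extension")
    return None


def scan(paths: Iterable[str]) -> List[Finding]:
    """Classify every path and keep only those that carry an indicator."""
    return [f for f in (classify(p) for p in paths) if f is not None]


def summarize(findings: Iterable[Finding]) -> Dict[str, object]:
    """Aggregate counts per indicator kind plus the distinct IDs and emails seen."""
    findings = list(findings)
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return {
        "counts": counts,
        "victim_ids": sorted({f.victim_id for f in findings if f.victim_id}),
        "emails": sorted({f.email for f in findings if f.email}),
    }


# Constructed sample listing (not real telemetry): two renamed documents, the
# two note files, one untouched file and one file carrying only the extension.
SAMPLE_LISTING = [
    "C:/Users/alice/Documents/budget.xlsx.id-1A2B3C4D.[email@example.com].r3tr0",
    "C:/Users/alice/Pictures/holiday.jpg.id-1A2B3C4D.[email@example.com].r3tr0",
    "C:/Users/alice/Desktop/Info.hta",
    "C:/Users/alice/Desktop/info.txt",
    "C:/Users/alice/Documents/notes.docx",
    "D:/backup/db.sql.r3tr0",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LISTING):
        print(finding)
    print(summarize(scan(SAMPLE_LISTING)))
```

In a real investigation the listing would come from a file-system walk or an EDR inventory export rather than the constructed list; the distinct victim ID and email values are what a responder would extract for correlation across hosts, and the "loose_extension" bucket flags renamed files whose names did not fit the assumed layout and deserve a manual look.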
The text file contains a truncated version of the ransom note, with users simply being directed to contact the two email addresses of the attackers. The full set of instructions is found inside the pop-up window generated from the .hta file. Here, the threat actors again reiterate their emails, 'email@example.com' and 'firstname.lastname@example.org.' They also warn their victims that renaming the files or trying to decrypt the data with third-party tools could permanently damage the data and render the files unrecoverable.
The full text of the ransom-demanding message is:
Don't worry, you can return all your files!
If you want to restore them, write to the mail: email@example.com YOUR ID -
If you have not answered by mail within 12 hours, write to us by another mail:firstname.lastname@example.org
We recommend you contact us directly to avoid overpaying agents
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
The instructions in the text file are:
all your data has been locked us
You want to return?
write email email@example.com or firstname.lastname@example.org