A file-encrypting Trojan named the R44s Ransomware has appeared on the Web recently. It appears to be a variant of the Ranion Ransomware.
Propagation and Encryption
The authors of the R44s Ransomware may be spreading this Trojan by several means. The most common infection vector for ransomware is the spam email campaign: the target receives a fraudulent email carrying a malicious attachment, with the message claiming to come from a government institution or a reputable company and urging the recipient to open the attached file. At first glance the attachment looks like a harmless document, but opening it and enabling its macros hands control to the file-encrypting Trojan. Ransomware authors also rely on torrent trackers, malvertising campaigns, bogus application downloads and similar channels to distribute Trojans like the R44s Ransomware.

Once running, the R44s Ransomware encrypts the targeted user's files. When it locks a file it appends a new extension, '.r44s', to the existing name, so a file called 'bright-light.mp4' is renamed to 'bright-light.mp4.r44s'. The original extension is preserved inside the new name, which is useful during triage because the original file type can still be read from the encrypted name.

The .R44S virus shows all the hallmarks of a typical ransomware threat. It arrives through spam emails, fake links and malicious ads, other Trojans and similar infection methods, so even a careful user can end up infected. Everything this writeup documents about its behaviour (Windows Registry persistence, Volume Shadow Copy deletion and a target list of Windows document formats) is Windows-specific; there is nothing here to support claims that it infects Mac or Linux systems.

Once it is running, R44S needs little else to do its damage: it encrypts the user's files so they can no longer be opened or read, and it drops a ransom note explaining how the victim is supposed to pay to get the files back. Leaving a computer in this state is dangerous. The infected host should be isolated from the network as soon as possible, and the encrypted files and ransom note preserved as evidence before any cleanup is attempted.
How Did .R44S Get on My Computer?
Like other online threats, the .R44S ransomware can arrive through a payload dropper, a small first-stage program whose only job is to fetch or unpack the ransomware and start it. It may also spread through social media links and file-sharing sites and services, and freeware downloaded from the Internet can carry the virus disguised as helpful software. Because R44S belongs to the same family as the Ranion ransomware, analysis of Ranion applies to it as well.

Once the virus infects a computer, R44S encrypts files and creates a ransom note. The note tells victims that they can restore their files by paying the ransom in Bitcoin.
The Ransom Note
After the encryption process completes, the R44s Ransomware drops its ransom message in a file called 'README_TO_DECRYPT_FILES.html.' The attackers demand 1 Bitcoin (approximately $5,600 at the time of writing) in exchange for the decryption key the user needs to recover their files. They also state that the victim has seven days to pay, after which the decryption key will be deleted and the encrypted data will become impossible to recover. The note includes instructions on how to obtain Bitcoin for users who do not know how, and gives a victim ID that must be quoted when the payment is reported. The authors of the R44s Ransomware ask to be contacted via email at 'firstname.lastname@example.org.'
The R44s Ransomware ransom note reads as follows:
!!! YOUR FILES HAVE BEEN ENCRYPTED WITH RANSOMWARE !!!
The Key to Decrypt Your Files Will Be DELETED in 7 Days
Send Me 1 BITCOINS (You Have Only 7 Days From Now)
Bitcoin Address: 1X3eCf1JriycNiWwpNHyQamZS1pApE8XX
Buy Bitcoins On:
After Send Me an Email With Your ID: 5BCDA92B4517273FC662
I Will Send You the Key to Decrypt Your Files
The hackers say that if you pay the ransom they will restore your files, which is the usual promise with this kind of ransomware. There is no guarantee that they will, and paying does not remove the infection either. The virus modifies the Windows Registry so that it is launched again at startup, which means it can resume encrypting after a reboot; a host that has had its files restored but not been cleaned is still infected. Any cleanup therefore has to remove the Registry entry and the executable it points to, not just the encrypted files and the ransom note.
Files encrypted by the ransomware keep their original name and receive the extension .r44s appended to it. The ransomware affects audio, images, documents and video files, and it can also encrypt backups on attached drives and mapped network shares. In general, the ransomware targets files with the following extensions:
.txt, .rtf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .ods, .jpg, .jpeg, .png, .bmp, .csv, .sql, .mdb, .db, .accdb, .sln, .php, .jsp, .asp, .aspx, .html, .htm, .xml, .psd, .cs, .java, .cpp, .cc, .cxx, .zip, .pst, .ost, .pab, .oab, .msg
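The naming scheme and the extension list above give a responder enough to triage an infected host: every '.r44s' file still carries its original name, so the original type can be recovered and counted, and any file of a targeted type that was not renamed tells you whether encryption finished. The following Python is an added example written for this page, not code from the ransomware or from any vendor tool; the sample paths are constructed, and the `.mp4` entry simply reproduces the page's own 'bright-light.mp4' example.

```python
"""Triage helper for an R44s-style infection: identify files carrying the
appended .r44s extension, recover their original names, tally the original
file types, locate ransom notes, and list targeted files left untouched.
Added example for this page; the sample paths are constructed."""
import ntpath          # handles both "C:\\x\\y" and "/x/y" on any OS
import os
from collections import Counter

RANSOM_EXT = ".r44s"
RANSOM_NOTE = "README_TO_DECRYPT_FILES.html"

# Extensions the writeup lists as targets (compared case-insensitively).
TARGETED_EXTS = {
    ".txt", ".rtf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".odt",
    ".ods", ".jpg", ".jpeg", ".png", ".bmp", ".csv", ".sql", ".mdb", ".db",
    ".accdb", ".sln", ".php", ".jsp", ".asp", ".aspx", ".html", ".htm", ".xml",
    ".psd", ".cs", ".java", ".cpp", ".cc", ".cxx", ".zip", ".pst", ".ost",
    ".pab", ".oab", ".msg",
}


def original_name(path):
    """Return the pre-encryption name of a .r44s file (the ransomware appends
    the extension, so 'bright-light.mp4.r44s' -> 'bright-light.mp4'), or
    None if the path does not carry the extension."""
    if path.lower().endswith(RANSOM_EXT):
        return path[:-len(RANSOM_EXT)]
    return None


def classify_paths(paths):
    """Classify a list of file paths. Returns a dict with:
      encrypted: {encrypted path: original path}
      by_ext:    Counter of original extensions among encrypted files
      notes:     paths of ransom notes found
      untouched: files of a targeted type that were NOT renamed (a hint that
                 encryption was interrupted, or that the host was cleaned
                 mid-run)"""
    encrypted, by_ext, notes, untouched = {}, Counter(), [], []
    for p in paths:
        if ntpath.basename(p) == RANSOM_NOTE:
            notes.append(p)
            continue
        orig = original_name(p)
        if orig is not None:
            encrypted[p] = orig
            ext = ntpath.splitext(orig)[1].lower()
            by_ext[ext or "(none)"] += 1
        elif ntpath.splitext(p)[1].lower() in TARGETED_EXTS:
            untouched.append(p)
    return {"encrypted": encrypted, "by_ext": by_ext,
            "notes": notes, "untouched": untouched}


def scan_tree(root):
    """Walk a real directory tree and classify everything under it."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return classify_paths(paths)


# Constructed sample: a small user profile as it might look after the attack.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.r44s",
    r"C:\Users\alice\Documents\notes.txt.r44s",
    r"C:\Users\alice\Pictures\holiday.jpg.r44s",
    r"C:\Users\alice\Videos\bright-light.mp4.r44s",
    r"C:\Users\alice\Documents\README_TO_DECRYPT_FILES.html",
    r"C:\Users\alice\Desktop\README_TO_DECRYPT_FILES.html",
    r"C:\Users\alice\Documents\still-here.docx",
    r"C:\Users\alice\AppData\Local\app.exe",
]

if __name__ == "__main__":
    result = classify_paths(SAMPLE_PATHS)
    print(f"{len(result['encrypted'])} encrypted files, "
          f"{len(result['notes'])} ransom notes")
    for ext, n in result["by_ext"].most_common():
        print(f"  {ext}: {n}")
    for p in result["untouched"]:
        print("  targeted but not encrypted:", p)
```

Run `scan_tree(r"C:\Users\alice")` on a mounted forensic image (or a live host after it has been isolated) to get the same report for real data. Stripping '.r44s' only restores the name, not the content; it is there to size the damage and to confirm which file types were hit, not to recover files.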
One of the most damaging things the ransomware does is delete the Volume Shadow Copies on the system. Shadow copies are point-in-time snapshots kept by the Volume Shadow Copy Service; they are what System Restore and the 'Previous Versions' feature in Explorer rely on, and what most file-recovery tools read when they restore an overwritten or locked file. Without them, recovering data after the virus has been cleaned out is much harder, which is exactly why ransomware removes them before or during encryption. On a suspect host, `vssadmin list shadows` run from an elevated prompt will show whether any snapshots survive, and a sudden absence of snapshots that should exist is itself a strong indicator of compromise.
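Because the snapshots are deleted with ordinary Windows administration commands, the deletion is visible in process-creation telemetry (Sysmon Event ID 1, Security event 4688 with command-line logging, or an EDR equivalent). The following Python is an added example for this page, not code from any product. The page does not record the exact command R44s runs, so the patterns cover the techniques Windows ransomware commonly uses for this step rather than one specific string; the JSON-lines event format and the sample events are constructed for the example.

```python
"""Detect Volume Shadow Copy and recovery tampering in process-creation
events. Each input line is a JSON object with at least 'CommandLine';
'ParentImage' and 'Host' are used when present. Added example; the field
names and sample events are constructed, adapt them to your SIEM."""
import json
import re

# (technique name, pattern) pairs, matched case-insensitively against the
# command line. These are the usual shadow-copy and recovery-tampering
# commands seen from ransomware, not a claim about R44s's exact command.
SHADOW_COPY_TAMPERING = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vssadmin shrink shadow storage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("powershell Win32_ShadowCopy delete",
     re.compile(r"Win32_ShadowCopy.*\b(Delete|Remove-WmiObject|Remove-CimInstance)\b", re.I)),
    ("wbadmin delete catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("bcdedit disable recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
]

# A parent process living in a user-writable location is far more likely to
# be malware than an administrator's cmd.exe or a backup agent.
USER_WRITABLE_DIRS = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public|ProgramData)\\", re.I)


def suspicious_parent(parent_image):
    """True if the parent executable sits in a user-writable directory."""
    return bool(USER_WRITABLE_DIRS.search(parent_image or ""))


def classify_event(ev):
    """Return a finding dict for a matching event, else None."""
    cmd = ev.get("CommandLine", "")
    for name, pat in SHADOW_COPY_TAMPERING:
        if pat.search(cmd):
            sev = "high" if suspicious_parent(ev.get("ParentImage")) else "medium"
            return {"technique": name, "severity": sev,
                    "host": ev.get("Host"), "parent": ev.get("ParentImage"),
                    "command": cmd}
    return None


def detect_shadow_tampering(lines):
    """Parse JSON-lines events and return the list of findings in order."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        finding = classify_event(json.loads(line))
        if finding:
            hits.append(finding)
    return hits


# Constructed sample events (raw strings so the JSON keeps its backslashes).
SAMPLE_EVENTS = [
    r'{"Host": "WS17", "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"}',
    r'{"Host": "WS17", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin list shadows"}',
    r'{"Host": "SRV02", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "CommandLine": "wmic.exe shadowcopy delete /nointeractive"}',
    r'{"Host": "WS17", "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe", "Image": "C:\\Windows\\System32\\bcdedit.exe", "CommandLine": "bcdedit.exe /set {default} recoveryenabled No"}',
    r'{"Host": "WS17", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe README_TO_DECRYPT_FILES.html"}',
    r'{"Host": "WS21", "ParentImage": "C:\\Users\\bob\\Downloads\\setup.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -c Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"}',
]

if __name__ == "__main__":
    for h in detect_shadow_tampering(SAMPLE_EVENTS):
        print(f"[{h['severity']}] {h['host']}: {h['technique']} <- {h['parent']}")
```

The administrator's `vssadmin list shadows` in the sample is deliberately left unflagged: listing snapshots is routine, deleting them is not. In a real deployment the 'medium' findings still deserve a look, since ransomware launched through a living-off-the-land chain will often have cmd.exe or a script host as its parent; the severity split is only there to order the queue.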