Threat Database Ransomware RabboLock Ransomware

RabboLock Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 80 % (High)
Infected Computers: 41
First Seen: June 20, 2017
Last Seen: July 1, 2020
OS(es) Affected: Windows

The RabboLock Ransomware is an encryption ransomware Trojan that is used to carry out attacks against computer users. The RabboLock Ransomware infects computers running the Windows operating system and, like most encryption ransomware Trojans, the RabboLock Ransomware is designed to take the victims' files hostage and then demand the payment of a ransom. The RabboLock Ransomware seems to target computer users located in Denmark specifically.

The RabboLock Ransomware will Mark the Encrypted Files

The RabboLock Ransomware carries out a sophisticated encryption attack that involves encrypting the victims' files with a strong encryption algorithm. The RabboLock Ransomware will mark the files compromised in the attack with the file extension '.R4bb0l0ck,' which is added to the end of each file's name. The most common way in which the RabboLock Ransomware is delivered to victims is through the use of corrupted spam email messages, which will often include Microsoft Word files containing bad scripts that download and install the RabboLock Ransomware on the victim's computer. The RabboLock Ransomware is based on HiddenTear, an open source ransomware engine that was first released in 2015 and that, since its release, has spawned countless ransomware variants, of which the RabboLock Ransomware is only one. The release of HiddenTear placed a sophisticated ransomware engine in the hands of anyone, allowing con artists with relatively few resources or without technical knowledge to create sophisticated, effective ransomware Trojans with relative ease.

How the RabboLock Ransomware Attack Works

The RabboLock Ransomware will scan its victim's computer, searching for the user-generated files, typically those associated with software like Microsoft Office, Adobe Acrobat, Photoshop, etc., as well as media files such as photos, sound files and video. The RabboLock Ransomware will encrypt these files using a combination of the AES 256 and RSA 1024 encryptions to make the affected files inaccessible. During its attack, the RabboLock Ransomware will connect to its Command and Control servers to receive configuration instructions, as well as to relay information about the infected computer. Unfortunately, the RabboLock Ransomware's encryption method is quite strong, and it is nearly impossible to recover files that have been encrypted in the RabboLock Ransomware attack currently. During its encryption process, the RabboLock Ransomware will identify the files encrypted in the attack with the file extension '.R4bb0l0ck,' making it simple to know which files have been compromised. The compromised files will not be accessible and will show up as blank icons in the Windows Explorer. The RabboLock Ransomware will display the following ransom note, written in Danish, on the infected computer:

'Bestanden zijn encrypted met RabboLock.
Stuur me een email (naar: en voldoe aan deze voorwaarden:
Ik wil staf privileges op het account dat ik zal doorgeven
bovendien wil ik 5000 kronen en 5000 diamanten op hetzelfde account + 5000 rares naar keuze verdeeld over andere accounts
Veel succes
PS: contacteer me binnen het uur anders is het te laat!'

The RabboLock Ransomware ransom note demands that the victims pay the con artists 5000 Danish Krones, approximately $750 USD, to receive the decryption key. One unique aspect of the RabboLock Ransomware is that it gives victims the option of purchasing 5000 Diamonds on, a clone of the website, which may be used by the people responsible for the attack (although it may be possible that ransomware creators are now experimenting with alternative payment methods).

Protecting Your Data from the RabboLock Ransomware

Unfortunately, the files that have been encrypted by the RabboLock Ransomware attack will no longer be recoverable. Because of this, it is especially important that computer users take steps to back up all data. Having file backups is the best protection against all ransomware Trojans, including the RabboLock Ransomware itself. If computer users can reconstruct their files from a backup copy, then they can simply restore their files without needing to pay the ransom, essentially removing all power the con artists hold over the victims in these cases. Backups, combined with a reliable security application, are the best protection against the RabboLock Ransomware and similar threats.


Most Viewed