RabboLock Ransomware
Threat Scorecard
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Threat Level: | 80 % (High) |
| Infected Computers: | 41 |
| First Seen: | June 20, 2017 |
| Last Seen: | July 1, 2020 |
| OS(es) Affected: | Windows |
The RabboLock Ransomware is an encryption ransomware Trojan that is used to carry out attacks against computer users. The RabboLock Ransomware infects computers running the Windows operating system and, like most encryption ransomware Trojans, the RabboLock Ransomware is designed to take the victims' files hostage and then demand the payment of a ransom. The RabboLock Ransomware seems to target computer users located in Denmark specifically.
Table of Contents
The RabboLock Ransomware will Mark the Encrypted Files
The RabboLock Ransomware carries out a sophisticated encryption attack that involves encrypting the victims' files with a strong encryption algorithm. The RabboLock Ransomware will mark the files compromised in the attack with the file extension '.R4bb0l0ck,' which is added to the end of each file's name. The most common way in which the RabboLock Ransomware is delivered to victims is through the use of corrupted spam email messages, which will often include Microsoft Word files containing bad scripts that download and install the RabboLock Ransomware on the victim's computer. The RabboLock Ransomware is based on HiddenTear, an open source ransomware engine that was first released in 2015 and that, since its release, has spawned countless ransomware variants, of which the RabboLock Ransomware is only one. The release of HiddenTear placed a sophisticated ransomware engine in the hands of anyone, allowing con artists with relatively few resources or without technical knowledge to create sophisticated, effective ransomware Trojans with relative ease.
How the RabboLock Ransomware Attack Works
The RabboLock Ransomware will scan its victim's computer, searching for the user-generated files, typically those associated with software like Microsoft Office, Adobe Acrobat, Photoshop, etc., as well as media files such as photos, sound files and video. The RabboLock Ransomware will encrypt these files using a combination of the AES 256 and RSA 1024 encryptions to make the affected files inaccessible. During its attack, the RabboLock Ransomware will connect to its Command and Control servers to receive configuration instructions, as well as to relay information about the infected computer. Unfortunately, the RabboLock Ransomware's encryption method is quite strong, and it is nearly impossible to recover files that have been encrypted in the RabboLock Ransomware attack currently. During its encryption process, the RabboLock Ransomware will identify the files encrypted in the attack with the file extension '.R4bb0l0ck,' making it simple to know which files have been compromised. The compromised files will not be accessible and will show up as blank icons in the Windows Explorer. The RabboLock Ransomware will display the following ransom note, written in Danish, on the infected computer:
'Bestanden zijn encrypted met RabboLock.
Stuur me een email (naar: 7xeqjs+1scf2q9c551an4gpw@guerrillamail.com) en voldoe aan deze voorwaarden:
Ik wil staf privileges op het account dat ik zal doorgeven
bovendien wil ik 5000 kronen en 5000 diamanten op hetzelfde account + 5000 rares naar keuze verdeeld over andere accounts
Veel succes
PS: contacteer me binnen het uur anders is het te laat!'
The RabboLock Ransomware ransom note demands that the victims pay the con artists 5000 Danish Krones, approximately $750 USD, to receive the decryption key. One unique aspect of the RabboLock Ransomware is that it gives victims the option of purchasing 5000 Diamonds on rabbo.io, a clone of the habbo.com website, which may be used by the people responsible for the attack (although it may be possible that ransomware creators are now experimenting with alternative payment methods).
Protecting Your Data from the RabboLock Ransomware
Unfortunately, the files that have been encrypted by the RabboLock Ransomware attack will no longer be recoverable. Because of this, it is especially important that computer users take steps to back up all data. Having file backups is the best protection against all ransomware Trojans, including the RabboLock Ransomware itself. If computer users can reconstruct their files from a backup copy, then they can simply restore their files without needing to pay the ransom, essentially removing all power the con artists hold over the victims in these cases. Backups, combined with a reliable security application, are the best protection against the RabboLock Ransomware and similar threats.
Submit Comment
Please DO NOT use this comment system for support or billing questions. For SpyHunter technical support requests, please contact our technical support team directly by opening a customer support ticket via your SpyHunter. For billing issues, please refer to our "Billing Questions or Problems?" page. For general inquiries (complaints, legal, press, marketing, copyright), visit our "Inquiries and Feedback" page.