
RanDsomeWare Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 80 % (High)
Infected Computers: 495
First Seen: July 27, 2017
Last Seen: November 6, 2021
OS(es) Affected: Windows

The RanDsomeWare Ransomware is a file-encrypting Trojan that is also known as the RDW Ransomware. Malware analysts first received reports of RanDsomeWare Ransomware attacks in July 2017, and the people behind it appear to be relatively new to ransomware. As with numerous other Trojans active today, the most common way of distributing the RanDsomeWare Ransomware appears to be corrupted Microsoft Word documents delivered through spam email messages. These documents carry macros which, once the victim enables them, download and install the RanDsomeWare Ransomware on the victim's computer. Analysis of the RanDsomeWare Ransomware samples isolated by malware researchers suggests that it may have been intended as an educational project rather than as a for-profit attack.
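As an added example (not code from the sample or from this entry's author), the following Python script checks whether a Word attachment actually contains a VBA project before anyone opens it, by reading the OOXML container instead of trusting the file extension. The document it builds in memory is a constructed stand-in for a lure, and legacy binary .doc files are assumed out of scope (their macros live in OLE streams, which tools such as olevba handle).

```python
"""Check whether an Office Open XML document (.docx/.docm/.xlsm ...) carries
VBA macros. Added illustration for this entry; not code from the sample or
from the page's author. Assumes the document is in OOXML (zip) form; legacy
binary .doc files are out of scope here."""
import io
import zipfile

# Part names that indicate an embedded VBA project, wherever they sit in the
# archive (word/, xl/, ppt/). Detection keys on the container, not the extension.
MACRO_MARKERS = ("vbaProject.bin", "vbaData.xml")


def macro_parts(data: bytes) -> list[str]:
    """Return the zip entries that indicate embedded VBA; [] if none or if not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []
    return [n for n in names if n.rsplit("/", 1)[-1] in MACRO_MARKERS]


def content_type_is_macro_enabled(data: bytes) -> bool:
    """Check [Content_Types].xml for a macroEnabled main-part content type."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            content_types = zf.read("[Content_Types].xml")
    except (zipfile.BadZipFile, KeyError):
        return False
    return b"macroEnabled" in content_types


def has_macros(data: bytes) -> bool:
    """True when either indicator fires; a renamed .docm still trips the check."""
    return bool(macro_parts(data)) or content_type_is_macro_enabled(data)


def build_sample(with_vba: bool) -> bytes:
    """Constructed minimal OOXML-like archive (stand-in for an attachment, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        main_ct = (
            "application/vnd.ms-word.document.macroEnabled.main+xml"
            if with_vba
            else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
        )
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/></Types>',
        )
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # First bytes of an OLE2 compound file, which is what a real vbaProject.bin is.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("macro-enabled", build_sample(True)), ("plain", build_sample(False))):
        print(f"{label}: has_macros={has_macros(doc)} parts={macro_parts(doc)}")
```

A hit from macro_parts() or a macroEnabled content type is enough to route the attachment to a sandbox rather than to the user's desktop; the check makes no attempt to judge what the macro does, which is the right division of labour for a mail gateway.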

Another 'Educational Project' that may End Up Bad

Macro-enabled Word documents have been one of the most common ways of delivering ransomware Trojans in 2017. When the victim has downloaded and opened the corrupted email attachment and is about to allow its macro to run, the RanDsomeWare Ransomware displays the following dialog on the victim's computer, warning in plain terms that a ransomware Trojan is about to be downloaded and run:

'ATTENTION!
YOU ARE ABOUT TO RUN A RANSOMWARE, IF
YOU DONT KNOW WHAT IT IS THEN CLICK HERE
IF YOU DID NOT INTEND TO RUN THIS CLICK
EXIT IMMEDIATELY. ONLY RUN THIS IN A
VIRTUAL MACHINE. I AM NOT RESPONSIBLE
FOR ANY LOSS OF DATA
IF YOU INTEND TO RUN THIS, CLICK GRANT TO
GRANT REQUIRED PERMISSIONS
[Grant|button]
[Exit|button]'

Clicking the 'Exit' button does abort the installation of the RanDsomeWare Ransomware. The 'Grant' button, on the other hand, allows the RanDsomeWare Ransomware to install itself on the affected computer. Once it has been granted permission, the RanDsomeWare Ransomware behaves like many other ransomware Trojans: it scans the victim's computer for certain file types, especially user-generated ones such as media (images, audio, video), databases, spreadsheets, text files, eBooks and numerous others, encrypts them with a strong encryption algorithm so that they can no longer be opened, and appends the file extension '.RDWF' to each affected file's name.
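The appended extension is the cheapest indicator of compromise this entry gives, and an added Python triage sweep (not the sample's code, nor the author's) shows how a responder would use it: walk a volume, group '.RDWF' files by their original extension, and measure the entropy of each file's first 4 KB to separate files whose content was really encrypted from files that were only renamed. The directory tree it scans is constructed in a temporary folder, and it assumes the extension is appended after the original name, as described above.

```python
"""Triage sweep for files carrying the '.RDWF' extension this entry reports.
Added example for this entry, not code from the sample or the page's author.
Assumptions: the ransomware appends '.RDWF' after the original file name (so
the original extension is recoverable by stripping it), and the sample tree
below is constructed here, not taken from an infected host."""
import math
import os
import tempfile
from collections import Counter

RDW_EXT = ".RDWF"
SAMPLE_BYTES = 4096          # how much of each file to measure
ENTROPY_THRESHOLD = 7.0      # bits/byte; encrypted or compressed data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: str) -> str:
    """'encrypted' if the head of the file looks like ciphertext, else 'renamed-only'."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    return "encrypted" if shannon_entropy(head) >= ENTROPY_THRESHOLD else "renamed-only"


def sweep(root: str) -> dict:
    """Walk root and summarise every *.RDWF file by original extension and by state."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.upper().endswith(RDW_EXT):   # NTFS is case-insensitive
                continue
            path = os.path.join(dirpath, name)
            original = name[:-len(RDW_EXT)]           # strip the appended extension
            orig_ext = os.path.splitext(original)[1].lower() or "(none)"
            hits.append((os.path.relpath(path, root), orig_ext, classify(path)))
    return {
        "count": len(hits),
        "by_original_ext": dict(Counter(ext for _, ext, _ in hits)),
        "by_state": dict(Counter(state for _, _, state in hits)),
        "files": sorted(hits),
    }


def build_sample_tree() -> str:
    """Constructed sample: three 'encrypted' files, one merely renamed, one untouched."""
    root = tempfile.mkdtemp(prefix="rdw_sweep_")
    os.makedirs(os.path.join(root, "Documents"))
    random_blob = os.urandom(SAMPLE_BYTES)                  # stands in for ciphertext
    plain_blob = b"Quarterly figures, see attached sheet.\n" * 100
    layout = {
        "Documents/report.docx.RDWF": random_blob,
        "Documents/budget.xlsx.RDWF": random_blob,
        "photo.jpg.RDWF": random_blob,
        "README.RDWF": plain_blob,    # extension appended but content untouched
        "notes.txt": plain_blob,      # not affected at all
    }
    for rel, blob in layout.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(blob)
    return root


if __name__ == "__main__":
    summary = sweep(build_sample_tree())
    print(summary["count"], summary["by_original_ext"], summary["by_state"])
    for rel, ext, state in summary["files"]:
        print(f"{state:13} {ext:8} {rel}")
```

A file reported as 'renamed-only' can be restored by stripping the extension; an 'encrypted' one cannot, and renaming it gains nothing. Run the sweep against a mounted image or a copy rather than on the affected volume, so that the evidence and the timestamps stay intact.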

Recovering Your Files After a RanDsomeWare Ransomware Attack

Unfortunately, files encrypted by the RanDsomeWare Ransomware cannot be recovered without the decryption key, which only the RanDsomeWare Ransomware's creators hold. After it has encrypted the victim's files, the RanDsomeWare Ransomware displays the following ransom message in a notification window:

'YOU HAVE BEEN INFECTED WITH RDW

TO GET UR FILES BACK,
Click NEXT or enter a DECRYPTION KEY
[TEXT BOX] [Decrypt|button] [NO|button]
[Next|button]'

At this moment, there is no free decryption tool to help computer users recover from this infection, and the note above names no price; in most ransomware attacks of this kind the ransom is several hundred dollars, paid in Bitcoin. Malware analysts advise computer users to keep backups of their files somewhere the ransomware cannot reach, so that they can restore them after an attack. However, this particular version of the RanDsomeWare Ransomware gives computer users ample warning that their files will be encrypted if they allow the macro to continue, which makes it far less likely that computer users will fall for it.

Some Consequences of a RanDsomeWare Ransomware Attack

Given the nature of the RanDsomeWare Ransomware attack, it is likely that the RanDsomeWare Ransomware is simply the first step in a ransomware project that is still under development. It also is possible that the RanDsomeWare Ransomware was created merely to test a theory and to educate computer users about the danger of allowing macro-enabled files to run without fully knowing their contents. In either case, the RanDsomeWare Ransomware is considered threatening, since it has the capacity to render the victim's data completely useless. 'Educational ransomware' may lead to threatening ransomware families, as it is easy to adapt for less altruistic purposes.
