RDAT Ransomware
Ransomware remains one of the most disruptive threats facing home users and organizations. A single intrusion can scramble documents, photos, and business data in minutes, then extort victims for access. RDAT Ransomware, an offshoot of the prolific Dharma family, illustrates why layered defenses and disciplined recovery planning are essential.
Threat Profile: RDAT at a Glance
Infosec researchers identified RDAT during a broad review of emerging malware. It is a Dharma-variant purpose-built for data extortion: it encrypts files and pressures victims to pay for decryption. RDAT targets both local drives and network shares, deliberately avoiding critical system files so the device stays bootable and the victim can read the ransom notes.
What Victims See
Once RDAT executes, it encrypts a wide range of file types. Filenames are altered to include a unique victim ID, the attacker's email, and the '.RDAT' extension, for example:
1.png becomes 1.png.id-9ECFA84E.[dat@mailum.com].RDAT
Two ransom notes follow: a pop-up window stating the files are encrypted and a text file named 'DAT_INFO.txt' with contact instructions. The operators offer to decrypt up to three files (subject to size/format limits) as proof, while warning that using third-party tools or modifying encrypted data may cause permanent loss. These tactics are designed to build credibility and urgency, not to help you.
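The rename scheme above is also the quickest way to scope an incident: every renamed file carries the same victim ID and contact address, and the note name is fixed. The following triage helper is an added example written for this page, not code from the original article; it assumes the victim ID is always 8 hexadecimal characters (as in the example name) and uses constructed sample paths.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed pattern for the rename scheme described in the advisory:
#   <original name>.id-<victim ID>.[<attacker e-mail>].RDAT
# The victim ID is assumed to be 8 hexadecimal characters, matching the example.
RDAT_NAME = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Fa-f]{8})\.\[(?P<email>[^\]]+)\]\.RDAT$"
)
# Ransom note file name quoted on the page.
RANSOM_NOTE_NAMES = {"DAT_INFO.txt"}


@dataclass
class EncryptedFile:
    path: str            # full path as seen on disk or on a share
    original_name: str   # name before the ransomware renamed it
    victim_id: str       # per-victim identifier embedded in the name
    contact_email: str   # attacker contact address embedded in the name


def basename(path: str) -> str:
    """Final component of a Windows or UNC path; only that part carries the marker."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def parse_rdat_name(path: str) -> Optional[EncryptedFile]:
    """Return a record if the file name follows the RDAT rename scheme, else None."""
    m = RDAT_NAME.match(basename(path))
    if not m:
        return None
    return EncryptedFile(path, m["original"], m["victim_id"].upper(), m["email"])


def triage(paths: List[str]) -> Dict[str, object]:
    """Separate encrypted files from ransom notes and summarise the identifiers found.

    One victim ID across local and share paths indicates a single run; more than
    one ID or e-mail suggests several infections or a second strain on top.
    """
    encrypted: List[EncryptedFile] = []
    notes: List[str] = []
    for p in paths:
        if basename(p) in RANSOM_NOTE_NAMES:
            notes.append(p)
            continue
        rec = parse_rdat_name(p)
        if rec is not None:
            encrypted.append(rec)
    return {
        "encrypted": encrypted,
        "notes": notes,
        "victim_ids": sorted({e.victim_id for e in encrypted}),
        "contact_emails": sorted({e.contact_email for e in encrypted}),
    }


# Constructed sample listing: two renamed files (one on a share), one ransom note,
# one untouched system file and one file whose extension merely ends in .RDAT.
SAMPLE_PATHS = [
    r"C:\Users\alice\Pictures\1.png.id-9ECFA84E.[dat@mailum.com].RDAT",
    r"\\fileserver\finance\Q3-report.xlsx.id-9ECFA84E.[dat@mailum.com].RDAT",
    r"C:\Users\alice\Desktop\DAT_INFO.txt",
    r"C:\Windows\System32\ntoskrnl.exe",
    r"C:\Users\alice\Documents\notes.txt.RDAT",
]

if __name__ == "__main__":
    result = triage(SAMPLE_PATHS)
    print(f"{len(result['encrypted'])} encrypted files, {len(result['notes'])} ransom notes")
    print("victim IDs:", result["victim_ids"], "contacts:", result["contact_emails"])
```

Run it against a directory listing exported from an affected host or share; the original names it recovers are what you will look for in backups, and a second victim ID or contact address is an early sign that more than one strain is involved.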
How RDAT Stays and Spreads
RDAT inherits Dharma's persistence and anti-recovery playbook. The malware copies itself into %LOCALAPPDATA%, registers autorun entries via specific Run keys, and relaunches after reboot. To block quick restores, it deletes Volume Shadow Copies. Before encrypting, it terminates processes that might keep files open (databases, document readers, and similar), ensuring maximum coverage. It also attempts to avoid 'double-encrypting' data already hit by other ransomware by checking against a known list, an imperfect safety check.
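Two of the behaviours just described, shadow-copy deletion and a Run-key entry pointing into %LOCALAPPDATA%, are observable in ordinary host telemetry before encryption finishes. The detection logic below is an added example for this page, not code from the original article or from any vendor product. It assumes simplified Sysmon-style event records, and it assumes that shadow copies are removed with the standard Windows administration commands (vssadmin, wmic); the advisory itself does not name the command used.

```python
import re
from typing import Dict, List

# Patterns for the anti-recovery and persistence behaviour described above.
# The shadow-copy commands are the standard Windows administration commands
# (vssadmin, wmic); that a given sample invokes exactly these is an assumption
# of this example, not a statement from the advisory.
SHADOW_COPY_DELETION = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
]
# Run / RunOnce autostart keys under either hive.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Executable located under %LOCALAPPDATA% (the copy location named on the page).
LOCAL_APPDATA = re.compile(r"(%LOCALAPPDATA%|\\AppData\\Local\\)", re.I)


def evaluate(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply both rules to simplified host telemetry records and return alerts."""
    alerts: List[Dict[str, str]] = []
    for ev in events:
        if ev["type"] == "process_create":
            if any(p.search(ev["cmdline"]) for p in SHADOW_COPY_DELETION):
                alerts.append({"host": ev["host"], "rule": "shadow_copy_deletion",
                               "evidence": ev["cmdline"]})
        elif ev["type"] == "registry_set":
            if RUN_KEY.search(ev["key"]) and LOCAL_APPDATA.search(ev["data"]):
                alerts.append({"host": ev["host"], "rule": "run_key_to_localappdata",
                               "evidence": f"{ev['key']} = {ev['data']}"})
    return alerts


def severity_by_host(alerts: List[Dict[str, str]]) -> Dict[str, str]:
    """Hosts that trip both rules match the full playbook above: rate them high."""
    rules: Dict[str, set] = {}
    for a in alerts:
        rules.setdefault(a["host"], set()).add(a["rule"])
    return {h: ("high" if len(r) > 1 else "medium") for h, r in rules.items()}


# Constructed sample telemetry (Sysmon-style fields, reduced to what the rules need).
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "WS01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "registry_set", "host": "WS01",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\update",
     "data": r"C:\Users\alice\AppData\Local\update.exe"},
    # Benign: listing shadow copies is routine administration.
    {"type": "process_create", "host": "WS02", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
    # Benign: a Run entry pointing at Program Files.
    {"type": "registry_set", "host": "WS02",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TrayApp",
     "data": r"C:\Program Files\ExampleVendor\tray.exe"},
    {"type": "process_create", "host": "WS03", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
]

if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for a in found:
        print(a["host"], a["rule"], "<-", a["evidence"])
    print(severity_by_host(found))
```

Shadow-copy deletion is worth alerting on by itself: it is rarely legitimate outside scheduled maintenance, and it happens before the bulk encryption, so a response at that point can still save the recovery points on other hosts.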
Target Selection and Geofencing
The malware collects geolocation data to gauge whether a victim is likely to pay. If the region appears unfavorable, economically or for geopolitical reasons, it may skip encryption entirely. This behavior is purely about maximizing ransom yield.
Why Paying Is a Losing Bet
Decryption after a ransomware attack is usually impossible without the attackers' keys, unless the strain is severely flawed. Even then, paying is risky: many victims never receive working decryptors. Payment also funds more attacks. The responsible path is to eradicate the malware, rebuild from trustworthy backups, and harden systems to prevent a repeat incident.
Confirmed Delivery Channels
Dharma-family intrusions frequently start with exposed or weakly protected Remote Desktop Protocol (RDP). Attackers rely on brute-force and dictionary attacks and, once in, may disable host firewalls. Beyond RDP, the ecosystem leverages phishing and social engineering, malvertising, untrustworthy software sources, spam attachments, and loader/backdoor trojans. Malicious payloads are commonly shipped as archives (RAR/ZIP), executables, scripts (including JavaScript), and documents (PDF, Office, OneNote). Certain families also propagate through local networks and removable media.
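Because the initial access described above is usually password guessing against RDP, a burst of failed logons from one address followed by a success is the pattern to watch in the Windows Security log. The detector below is an added example for this page, not code from the original article; it works on constructed, simplified records of Security events 4625 (failed logon) and 4624 (successful logon), and the threshold and window values are illustrative choices, not figures from the page.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

# Logon types that cover RDP: 10 = RemoteInteractive; with Network Level
# Authentication the pre-auth attempt is usually logged as type 3 (Network).
RDP_LOGON_TYPES = {3, 10}


def detect_rdp_bruteforce(events: List[Dict], threshold: int = 5,
                          window: timedelta = timedelta(minutes=2)) -> List[Dict]:
    """Flag sources that fail `threshold` logons within `window`, and any later
    successful logon from a flagged source (the sign that guessing worked)."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged = set()
    alerts: List[Dict] = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        ip = ev["source_ip"]
        if ev["event_id"] == 4625:                     # failed logon
            dq = recent[ip]
            dq.append(ev["time"])
            while dq and ev["time"] - dq[0] > window:  # slide the window forward
                dq.popleft()
            if len(dq) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"rule": "rdp_bruteforce", "source_ip": ip,
                               "failures": len(dq), "at": ev["time"]})
        elif ev["event_id"] == 4624 and ip in flagged:  # success after a burst
            alerts.append({"rule": "rdp_success_after_bruteforce", "source_ip": ip,
                           "user": ev["user"], "at": ev["time"]})
    return alerts


# Constructed sample Security-log records (fields reduced to what the rule needs).
T0 = datetime(2024, 5, 1, 3, 0, 0)


def _rec(offset_s: int, event_id: int, source_ip: str, user: str, logon_type: int = 10) -> Dict:
    return {"time": T0 + timedelta(seconds=offset_s), "event_id": event_id,
            "source_ip": source_ip, "user": user, "logon_type": logon_type}


SAMPLE_EVENTS = (
    # six password guesses from one address in about a minute, then a success
    [_rec(i * 10, 4625, "203.0.113.7", u)
     for i, u in enumerate(["administrator", "admin", "backup", "sql", "alice", "bob"])]
    + [_rec(75, 4624, "203.0.113.7", "alice")]
    # two stray failures from another address: below threshold, no alert
    + [_rec(0, 4625, "198.51.100.2", "carol"), _rec(30, 4625, "198.51.100.2", "carol")]
    # a console logon failure (type 2) is not RDP and is ignored by this rule
    + [_rec(40, 4625, "127.0.0.1", "dave", logon_type=2)]
)

if __name__ == "__main__":
    for a in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(a["at"].isoformat(), a["rule"], a["source_ip"], a.get("user", ""))
```

The second alert type is the one that matters for this family: a successful logon from a source that was just guessing passwords is the moment to isolate the host, before the firewall is disabled and the encryptor is staged.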
Containment and Recovery
Eliminate the ransomware to halt further encryption, but understand that removal does not restore locked files. Recovery requires clean, versioned backups. The gold standard is to maintain copies in multiple locations and media types, including offline storage that malware cannot touch.
Common access and distribution vectors for ransomware threats include:
- Exposed/weak RDP services, credential stuffing, and brute-force logins
- Phishing emails, social engineering lures, spam attachments and links, malvertising, trojanized downloads, drive-by downloads, pirated software and 'cracks,' fake updaters, and loader/backdoor infections
- Lateral spread via LAN and removable USB/storage devices
Bottom Line
RDAT Ransomware is a disciplined, profit-driven Dharma variant: it persists across reboots, deletes recovery points, targets both local and shared data, and weaponizes pressure tactics to extract payment. The most reliable path to resilience is proactive hardening plus robust, offline-capable backups and well-rehearsed recovery. Do not pay; eradicate, restore, and tighten defenses to prevent the next attempt.