REDROMAN Ransomware
Threat Scorecard
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Threat Level: | 100 % (High) |
| Infected Computers: | 22 |
| First Seen: | January 19, 2011 |
| Last Seen: | February 2, 2021 |
| OS(es) Affected: | Windows |
The REDROMAN Ransomware is a crypto locker that uses an uncrackable cryptographic algorithm to lock the users' files and then extort money from them in exchange for the potential restoration. The threat doesn't use any complex patterns for the modified names of the files it encrypts. It simply appends '.REDROMAN' as a new file extension to the file's original name.
Typically, ransomware threats create multiple versions of their ransom note and drop them all over the compromised computer to ensure that the affected user will see them immediately. The goal is for the victims to initiate contact then and pay the demanded ransom amount. REDROMAN, however, has adopted a rather counter-intuitive method of ransom note delivery. It generates three identical ransom notes inside three Html files that each have a different name - README.htm, OPENTHIS.html and RR_README.html. The problem is that the ransom-carrying files are dropped in random locations on the compromised system, so the user may need quite a hefty dose of luck to stumble upon them.
Looking at the text of the ransom notes revealed that the criminals behind the REDROMAN Ransomware want to receive the sum of $200. The money must be sent to their cryptowallet address using Bitcoin, arguably the most popular cryptocurrency. After making the payment, victims are expected to establish communication by sending a message to the insupport@messagesafe.io email address. The hackers allow for up to two files to be attached to the email for free decryption.
The full text of the REDROMAN Ransomware's note is:
'Critical Error!
Your files have been corrupted!
Follow these directions to easily restore them:
1. Purchase around $200 in Bitcoin (BTC). To learn more about Bitcoin, visit hxxps://bitcoin.org/en/buy or hxxps://buy.bitcoin.com
2. Send the new Bitcoin to the following address: 14BfVG4vH71NLmhu7vFKi9EMmeZFoiAsYP
3. Contact our Tech Support team at insupport@messagesafe.io and explain your issue.
4. After confirming your Bitcoin transfer, we will send you a file-repair tool to fix your entire system.
5. Run our file-cleaner and wait… Your data will be restored.
To test our services, you may send up to 2 files for repairing before making the Bitcoin transfer.
Estimated repair time after Bitcoin transfer: 24 hours.'
Remove REDROMAN Virus and Restore Files
Rather than paying the ransom, REDROMAN victims should remove the virus from their device as soon as possible. Many antivirus and antimalware programs are capable of doing this. Antivirus programs can also prevent an infection in the first place.
Once the virus is removed, you can get to work restoring your files. Start with a system check to ensure that the virus didn’t make any unwanted changes to your system. When you are sure that the virus is completely gone from your computer, restore lost and damaged files using an external or cloud backup. If you don’t have an external backup, you may have some success with file-restoration software. However, these software programs are unreliable for ransomware attacks, as ransomware typically removes the Shadow Volume Copies used by file restoration programs.
How Does REDROMAN Spread?
The internet is filled with all manner of viruses and threats, from adware to trojan horses. It is impossible to stay completely safe and virus-free, but evading online danger isn’t too complicated.
Cybercriminals have several ways to get on your computer. The most common infection methods are spam emails and file-sharing platforms like torrenting sites. Hackers attempt to outsmart their victims by sending emails that appear legitimate. These emails claim to come from sources such as banks and shipping companies. They contain viruses in the form of malicious attachments and links.
Don’t be too hasty when dealing with emails, especially if you aren’t sure of the source. Check the email for grammatical errors or other red flags that indicate the sender isn’t who they claim to be. You should have your antivirus program scan email attachments before downloading and running them, just to be safe.
