RME Ransomware

RME Ransomware Description

A new Dharma variant named RME Ransomware has been unleashed in the wild. It possesses all of the harmful traits associated with this ransomware family and can cause serious damage to the computers it infiltrates successfully. Users will be left unable to access any of the documents, PDFs, archives, databases, etc., stored on the breached devices.

The RME Ransomware follows the typical Dharma naming pattern for the files it encrypts. It starts by appending the victim's ID, followed by an email address under the control of the hackers, and finally, it adds '.RME' as a new file extension. Upon locking all suitable files, the threat proceeds to deliver two ransom note messages onto the system. The full instructions for the victims will be displayed in a pop-up window, while a shorter message will be contained inside a text file named 'info.txt.'

Both ransom note versions are light on any meaningful details. They mostly direct the victims into contacting the cybercriminals via the provided email addresses - 'ransom.me@onionmail.org' and 'ransom.me@msgsafe.io.' The main difference between the ransom-demanding messages is that the pop-up window includes a lengthy section of various warnings, such as not renaming the locked files and not trying to use third-party software to decrypt the data as it may lead to permanent loss.

The full set of instructions shown in the pop-up window is:

'YOUR FILES ARE ENCRYPTED
ransom
Don't worry, you can return all your files!
If you want to restore them, write to the mail: ransom.me@onionmail.org YOUR ID -
If you have not answered by mail within 12 hours, write to us by another mail:ransom.me@msgsafe.io .rme
ATTENTION!
We recommend you contact us directly to avoid overpaying agents
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

The message in the text file is:

all your data has been locked us
You want to return?
write email ransom.me@onionmail.org + ransom.me@msgsafe.io
.'

Related Posts