Rote Ransomware

Rote Ransomware Description

Most cyber crooks who decide to dabble in ransomware creation tend to stick to well-trodden paths, meaning that altering the code of an already existing file-locking Trojan is the preferred method to go about creating a threat of this type. In 2019, the most active ransomware family, without a doubt, has been the STOP Ransomware family. Threats that belong to this family are almost identical. Their authors tend to alter only the extension that the data-locking Trojan applies and sometimes the email addresses provided for contact. Recently, cybersecurity experts spotted a new variant of the STOP Ransomware in the wild. Its name is Rote Ransomware.

Propagation and Encryption

When the Rote Ransomware infiltrates a computer, it will look for all files that may be found on any regular user's computer – audio files, videos, images, documents, archives, presentations, spreadsheets, databases, etc. This ensures that no user will be left unaffected after an attack by the Rote Ransomware. However, we are not certain how the Rote Ransomware finds its way into a user's system. Some believe that the attackers may be relying on torrent trackers, fake software updates, fraudulent pirated copies of popular applications and mass spam email campaigns. When the Rote Ransomware encrypts a file, it makes sure to append a new extension at the end of the file name. The Rote Ransomware adds a '.rote' extension to the names of all the affected files. This means that if you had named a file 'pale-ale.mp3', the Rote Ransomware would alter it to 'pale-ale.mp3.rote' after it has completed its encryption process.

The Ransom Note

In the next step of the attack, the Rote Ransomware drops its ransom note. The note is contained in a file named '_readme.txt'. In this note, the attackers make it clear that all users who manage to get in touch with them within three days of the attack taking place will have to pay $490. However, victims who miss this deadline will have to pay double the price - $980. The attackers claim that they are willing to decrypt one or two files free of charge in an attempt to prove to the victim that they have a decryption key that is compatible with their data. The victims are expected to contact the attackers via email – 'datarestorehelp@firemail.cc' and 'datahelp@iran.ir'.

Unfortunately, malware researchers are yet to crack this threat, and no free decryption tool is available for the victims of the Rote Ransomware. If you have fallen victim to this threat, we would recommend that you avoid contacting the attackers and instead trust a reputable anti-virus software solution to remove the threat from your system safely and make sure you do not find yourself in such an unpleasant situation again in the future.
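
The indicators described above (the '.rote' extension, the '_readme.txt' note and the two contact addresses) are enough for a read-only triage pass over a disk or a backup. The following is an added example, not code from the original article or from any vendor tool; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Indicators as given in the article above.
LOCKED_EXT = ".rote"
NOTE_NAME = "_readme.txt"
CONTACTS = ("datarestorehelp@firemail.cc", "datahelp@iran.ir")

def original_name(path):
    """'pale-ale.mp3.rote' -> 'pale-ale.mp3'; None if not a locked file."""
    if path.suffix.lower() != LOCKED_EXT:
        return None
    return path.name[: -len(LOCKED_EXT)]

def triage(root):
    """Read-only walk of root that collects Rote indicators."""
    report = {"locked": {}, "notes": [], "confirmed_notes": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            orig = original_name(p)
            if orig is not None:
                report["locked"][str(p)] = orig
            elif name.lower() == NOTE_NAME:
                report["notes"].append(str(p))
                try:
                    text = p.read_text(errors="replace").lower()
                except OSError:
                    continue  # unreadable: keep the name-only hit
                # The file name alone is a weak signal; the contact
                # addresses from the article make it a strong one.
                if any(c in text for c in CONTACTS):
                    report["confirmed_notes"].append(str(p))
    return report

def build_sample(root):
    """Constructed sample tree with placeholder contents."""
    for d in ("music", "docs"):
        (root / d).mkdir()
    (root / "music" / "pale-ale.mp3.rote").write_bytes(b"\x00" * 16)
    (root / "music" / "_readme.txt").write_text("mail datahelp@iran.ir\n")
    (root / "docs" / "notes.txt").write_text("untouched\n")
    (root / "docs" / "_readme.txt").write_text("project readme\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        r = triage(tmp)
        print(len(r["locked"]), "locked;", len(r["confirmed_notes"]),
              "of", len(r["notes"]), "notes confirmed")
```

The mapping in `locked` records each file's pre-encryption name, which helps when matching affected files against a backup inventory.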
