RPC Ransomware

The RPC Ransomware threat can cause significant damage to the data stored on the systems it infects. Because of the threat's encryption functionality, victims will find themselves no longer able to access most of their documents, images, photos, archives, databases and many other file types. Although the RPC Ransomware is a variant belonging to the Dharma malware family, its destructive potential is not diminished by that fact.

Some of the distinctive characteristics of the threat include marking all encrypted files with '.RPC' as a new extension, creating the 'recinfo.txt' file on the breached devices and generating a pop-up window. The names of the locked files will also have a unique ID string and the 'pcrec@tuta.io' email address added to them.

The role of both the text file and the pop-up window is to deliver ransom notes with instructions. The hackers' message found in the file tells victims to try to contact the threat actors by messaging either the 'pcrec@tuta.io' or the 'pcrec@cock.li' email address. The note in the pop-up window reiterates the same information but also carries a section with various warnings.

RPC Ransomware's pop-up message is:

'FILES ENCRYPTED
Don't worry, you can return all your files!
If you want to restore them, write to the mail: pcrec@tuta.io YOUR ID -
If you have not answered by mail within 12 hours, write to us by another mail:pcrec@cock.li
ATTENTION
We recommend you contact us directly to avoid overpaying agents
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'

The ransom note found inside the threat's text file is:

'all your data has been locked us
You want to return?
write email pcrec@tuta.io or pcrec@cock.li'
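
The indicators described above (the '.RPC' extension, the contact address in file names, and a 'recinfo.txt' note naming the two addresses) can be checked for during triage. The following Python sketch is an added example, not code from the original article; the sample file names, the ID value and the name layout are constructed for illustration.

```python
import os
import tempfile

ENCRYPTED_EXT = ".rpc"  # indicators below come from the description above
NOTE_NAME = "recinfo.txt"
CONTACTS = ("pcrec@tuta.io", "pcrec@cock.li")

def classify(path):
    """Return 'encrypted', 'note' or None for one file path."""
    name = os.path.basename(path).lower()
    # Locked files end in .RPC and carry the contact address in the name.
    if name.endswith(ENCRYPTED_EXT) and CONTACTS[0] in name:
        return "encrypted"
    if name == NOTE_NAME:
        # Confirm by content so an unrelated recinfo.txt is not flagged.
        try:
            with open(path, "r", errors="replace") as fh:
                text = fh.read(4096).lower()
        except OSError:
            return None
        if any(c in text for c in CONTACTS):
            return "note"
    return None

def scan(root):
    """Walk root; return {directory: {'encrypted': n, 'note': n}} for hits."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            kind = classify(os.path.join(dirpath, fname))
            if kind:
                hits.setdefault(dirpath, {"encrypted": 0, "note": 0})[kind] += 1
    return hits

def build_sample_tree(root):
    """Constructed sample data; the ID value and name layout are made up."""
    samples = {
        "report.docx.id-EXAMPLE01.[pcrec@tuta.io].RPC": "x",
        "notes.rpc": "unrelated file that only shares the extension",
        "recinfo.txt": "write email pcrec@tuta.io or pcrec@cock.li",
        "budget.xlsx": "clean",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(scan(tmp))
```

Requiring both the extension and the address in the file name, and checking the note's content, keeps unrelated '.rpc' files and unrelated 'recinfo.txt' files out of the results.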
