Rush Ransomware

Posted by Max Lehmann on March 23, 2016

What is Rush Ransomware?

Rush Ransomware also known as Sanction Ransomware is a Trojan-type infection capable of encrypting your files and demand that you pay a ransom. Removing this infection is crucial to restoring your computer’s security. However, doing so will not restore your files back to normal as you still need a decryption key that only this infection's developers can provide, but will they give it to you after you pay the ransom is a whole different issue. Our researchers say that you will not get the decrypter after paying the ransom. This ransomware is relatively new, and cyber security experts are hard at work trying to crack its encryption algorithm, but with no success yet. Thus, the best you can do at this point is to get rid of this infection.test

Where does Rush Ransomware come from?

This ransomware was first seen on 15 February 2016. However, we do not know how it is being distributed. It might be, however, disseminated using the usual methods that include email spam with Trojan-dropping attachments, pirated software cracks, malicious downloaders and installers, and so on. Therefore, if your computer has been infected with this ransomware, then we ask you to get into contact with us by posting a comment in the comment section explaining how your computer became infected with it.

What does Rush Ransomware do?

Once your computer is infected with Rush/Sanction Ransomware is will scan your computer for file types, such as txt, .pdf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .csv, .sql, .mdb, sln, .php, .asp, .aspx, .html, .xml, and .psd, and while encrypting it will add the .sanction file extension. However, there are several folders it will leave untouched, particularly those folders that contain system files because this ransomware’s developers want you to pay the ransom and you could not do that without a functioning computer. We have received information that this ransomware has a flaw which prevents the developers from generating a decryption key. Rush Ransomware does not save the file keys necessary to generate the unique decrypter. So do not try to pay the ransom because you will not get anything in return.

Rush Ransomware’s greedy developers want you to pay 4 Bitcoins for the decrypter which approximately 1670 USD or 1500 Euros. The Bitcoin address you are supposed to send the money is 1LzgiXV3Qip39cruiytSqkxEeLXF4iTksJ. The developers go so far as to threaten you with deleting the files if you do not make the payment within seven days. But if you pay the ransom, then you have to send your Bitcoin wallet’s unique ID to Unransom@mail.com. Then, the developers should contact you and give you the decrypter and provide you with instructions on how to use it. However, testing has shown that they never get in touch.

After the encryption is complete, this ransomware should drop a file named DECRYPT_YOUR_FILES.html on the desktop and to every folder where a file was encrypted. Take note that unlike ransomware such as Cryptowall Virus that have a continuously running executable in the background, Rush/Sanction Ransomware only encrypt the files and stops working. Thus, it makes the removal process a whole lot easier. Our malware researchers at Anti-spyware-101.com have found that Rush Ransomware drops its payload in multiple directories that you have to delete.

How do I remove Rush Ransomware?

Rush Ransomware does not drop any executable file on your computer, but leaves several files named DECRYPT_YOUR_FILES.html in multiple directories. This file will open via your web browser at random to show you its ransom note. As previously stated, this ransomware’s developers will not and cannot provide you the decryption key. Therefore, paying the ransom is futile, and so, we recommend that you delete its remaining files and try to recover your files using file recovery software or Shadow Volume Copies. You can get rid of the remaining using one our recommended removal methods.

Delete files manually

  1. Press Windows+E keys.
  2. In the resulting Explorer window’s address bar enter the following directories.
    • %ALLUSERSPROFILE%\Start Menu\Programs\
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\
    • %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\
    • %WINDIR%\System32\Tasks\
    • %WINDIR%\Tasks\
  3. Locate the file called DECRYPT_YOUR_FILES.html.
  4. Right-click on it and click Delete.
  5. Empty the Recycle bin.
100% FREE spyware scan and
tested removal of Rush Ransomware*
Disclaimer
Disclaimer
Trojans

Leave a Comment

Enter the numbers in the box to the right *