R980 Ransomware

What is R980 Ransomware?

R980 Ransomware is yet another ransomware set to encrypt your personal files and demand that you purchase the decryption key that is needed to decrypt them. Removing this infection is an option you must consider because the developers of this malware might not keep their word and give you the key once you have paid the ransom. Furthermore, this infection is still in development but was released regardless, so it may not function properly and, thus, you might not receive the key, or it might not work. In short, many things can go wrong with this unstable malicious program. So you have to choose your course of action carefully.

Where does R980 Ransomware come from?

At this stage, nothing regarding this malware is concrete and subject to change. However, before we discuss its features we want to shed some light on the way it is most likely distributed. Our malware researchers assume that this ransomware is being distributed via email spam. They have come to this conclusion because R980 Ransomware functions as an executable that does not copy itself to a hidden location on your computer. They think that it comes in a file archive that comes n a fake email that masquerades as some kind of receipt. The developers depend on you to extract the file and run it. However, you might not notice the malicious actions immediately because this ransomware does not start to encrypt the files immediately. Researchers say that it has a delay mechanism that prevents it from encrypting the files, but when the timer runs out, R980 Ransomware springs into action and starts doing its dirty work. Unfortunately, there is almost nothing you can do because it encrypts the files fast.

How does R980 Ransomware work?

There is nothing special about this ransomware; it is as generic as generic ransomware gets. Still, it does not look like it is a clone of previously released ransomware. This ransomware is set to encrypt your personal files with unique AES-256 Bit and RSA-4096 Bit encryption algorithms. It creates a private key that is sent to the server set up by the cyber criminals, and you need this key to decrypt the public key. Without it, you cannot access your files, and they are utterly worthless. Malware analysts at Anti-spyware-101.com have found that this ransomware can encrypt close to a hundred file formats, and this ransomware specifically targets audio and video files, documents and images because they are likely to contain personal and other valuable information for which you may be willing to pay the ransom.

Once the encryption is complete, R980 Ransomware creates a ransom note named DECRYPTION_INSTRUCTIONS.txt and changes your PC’s desktop wallpaper with an image named rbg.png dropped in %TEMP%. The ransomware states that you cannot recover your files without the private key, and that is entirely true. A third-party decryption tool may be created, but our researchers say that you should not hold your breath because this ransomware has yet to make a noticeable impact. So what is the alternative, you ask? You can try paying the 0.5 BTC ($313 USD) ransom, but there is no guarantee that you will get the decryption key. The course of action to take is up to you to decide. However, we recommend that you remove this ransomware, and we have provided a guide that can help you do that.

How do I remove R980 Ransomware?

The tricky part in removing R980 Ransomware is locating where its main executable is located, and if you do not know where it is put, then you probably do not know how it is named because its name is most likely randomized with each infection. You should check you Downloads folder, the desktop and any other place that it might have been extracted to and delete it. You can then move on to delete Taskhost.exe from the %TEMP% folder and then the registry key that forces this executable to run on system boot up. Alternatively, you can use SpyHunter that will eradicate these files automatically.

Delete the malicious files manually

1. Delete the randomly named executable.
2. Then press Windows+E keys.
3. Enter %TEMP% in the address box.
4. Locate Taskhost.exe and delete it.
5. Close the File Explorer and press Windows+R keys.
6. Type regedit in the box and click OK.
7. In the Registry Editor, navigate to HKCU\Software\Microsoft\Windows\CurrentVersion\Run
8. Find the registry string named BeeCrypt and delete it.

Download Removal Tool100% FREE spyware scan and
tested removal of R980 Ransomware*