Rarucrypt Ransomware

What is Rarucrypt Ransomware?

Rarucrypt Ransomware is a malicious infection that copies the victim’s personal files into RAR archives and then deletes the original files, leaving no way to restore them. The problem is that the archives are protected by a password, so the user has to know it to open them. No doubt, the cyber criminals behind this threat might offer to reveal it for a particular price, but fortunately, you may not have to risk your savings, as our researchers checked the malware’s code and found the needed password in it. We will mention it later in the text, so if you wish to get to know Rarucrypt Ransomware better, we urge you to keep reading this report. At the end of it, users can also find steps showing how to erase the infection manually, although if the task looks a bit too complicated, users can employ a legitimate antimalware tool as well.

Where does Rarucrypt Ransomware come from?

Usually, threats like Rarucrypt Ransomware settle in without the user’s permission, but unfortunately with his help. For example, the user can infect the system unknowingly by opening a malicious email attachment received from unknown sources or a harmful setup file downloaded from torrent and other P2P file-sharing networks offering pirated programs and questionable freeware. Naturally, to avoid such situations, you should never open suspicious spam emails or attachments coming from unknown senders. Also, it is crucial that you download installers only from legitimate sources. Whenever in doubt, our researchers at Anti-spyware-101.com recommend scanning the file in question with a legitimate antimalware tool, as it is probably one of the easiest and safest ways to identify threats.

How does Rarucrypt Ransomware work?

Once the user launches Rarucrypt Ransomware’s installer, the malware should locate all targeted files, e.g., pictures, photos, videos, various documents, and so on. Then, each of the user’s private files should be added separately to a RAR archive protected by a password. Thus, unlike a similar threat that combines all data into one archive, this infection leaves you with lots of separate archives, and each of them requires the password to open. The current version of the infection has a particular password hardcoded into its installer file: S?{DCO^C!{L@CR^+<7E}2. We cannot be completely sure it will open the archives the malicious program created, but it is worth a try, especially if you have no backup copies.

Moreover, soon after the archives are created, the malware should drop 10 copies of text documents or ransom notes, e.g., README1.txt, README2.txt, and so on. Inside them, the user should find a text written in Russian and English. It does not say a lot, only that the user’s files were encrypted and that the cost of their decryption is 200 RUB. Plus, the cyber criminals leave their contact information or, to be more precise, a link to their social media profile. Our researchers say that at the moment of writing this profile (vk.com/id12269280) is suspended, so contacting Rarucrypt Ransomware’s creators is simply impossible, but luckily you do not even have to, as the researchers were able to obtain the password (S?{DCO^C!{L@CR^+<7E}2) from the malicious program’s code.
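As an added illustration (not code from this report or from the researchers), the Python script below inventories a folder for the README<N>.txt ransom notes and for RAR archives recognised by their file signature, then tests the password quoted above against each archive without extracting anything. It assumes a 7-Zip command-line build with RAR support is available as 7z; the function names are hypothetical.

```python
import os
import re
import shutil
import subprocess
import sys

# Password the article reports as hardcoded in the installer.
PASSWORD = "S?{DCO^C!{L@CR^+<7E}2"
# File signatures of RAR 4.x and RAR 5.x archives.
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")
# Ransom notes are described as README1.txt, README2.txt, and so on.
NOTE_RE = re.compile(r"^README(\d+)\.txt$", re.IGNORECASE)

def is_rar(path):
    """Identify a RAR archive by its signature, not by its file name."""
    try:
        with open(path, "rb") as fh:
            return fh.read(8).startswith(RAR_MAGICS)
    except OSError:
        return False  # unreadable or locked file: skip it

def triage(root):
    """Return (archives, notes): sorted paths found anywhere under root."""
    archives, notes = [], []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            if NOTE_RE.match(name):
                notes.append(full)
            elif is_rar(full):
                archives.append(full)
    return sorted(archives), sorted(notes)

def password_opens(archive, password=PASSWORD, tool="7z"):
    """Test one archive in place; returns None when the tool is missing."""
    exe = shutil.which(tool)
    if exe is None:
        return None
    # "t" tests the archive, "-p" supplies the password; stdin is closed
    # so the tool cannot stop and wait for a password prompt.
    done = subprocess.run([exe, "t", "-p" + password, archive],
                          stdin=subprocess.DEVNULL,
                          stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL)
    return done.returncode == 0

if __name__ == "__main__":
    archives, notes = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"{len(notes)} ransom note(s), {len(archives)} RAR archive(s)")
    labels = {True: "opens", False: "fails", None: "no 7z found"}
    for path in archives:
        print(f"{labels[password_opens(path)]:12} {path}")
```

Run it against a copy of the affected folder first, and extract only the archives reported as opening.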

How to eliminate Rarucrypt Ransomware?

It was noticed that the malware deletes its installer soon after it creates the described RAR archives and drops the mentioned ransom notes. Nevertheless, it would be smart to check that the infection is no longer on the system. Users who wish to do so manually should take a look at the instructions available below, as they explain the whole process of how to eliminate Rarucrypt Ransomware. If you prefer using automatic features more, you could employ a legitimate antimalware tool instead and let it deal with the threat for you.

Remove Rarucrypt Ransomware

  1. Click Windows key+E.
  2. Navigate to the following paths:
    %USERPROFILE%\Desktop
    %USERPROFILE%\Downloads
    %TEMP%
  3. Locate the malware’s installer, i.e., the file responsible for infecting the system.
  4. Right-click the suspicious file and press Delete.
  5. Go to Desktop and remove the ransom notes (e.g., README1.txt).
  6. Exit the File Explorer.
  7. Empty Recycle bin.
  8. Restart the device.

Stop these Rarucrypt Ransomware Processes:

RaRuCrypt Ransom.exe