Another HiddenTear-based ransomware has been wreaking havoc recently. This HiddenTear-based ransomware is called the R4bb0l0ck ransomware. The combination of letters and numbers make it hard to read but this ransomware is actually read as “RabboLock” which is its other known name. This virus is another top-notch example of a malicious ransomware that locks your files with the use of a strong encryption algorithm. After it infiltrates your system, it starts to look for files to target, and then begins the encryption. During the encryption, it appends the file extension, .R4bb0l0ck. Once it’s done, it drops the ransom note which is a text file entitled, LEES_MIJ.txt that contains the message below:
“Bestanden zijn encrypted met RabboLock.
Stuur me een email (naar: [email protected]) en voldoe aan deze voorwaarden:
Ik wil staf privileges op het account dat ik zal doorgeven
bovendien wil ik 5000 kronen en 5000 diamanten op hetzelfde account + 5000 rares naar keuze verdeeld over andere accounts
Veel succes
PS: contacteer me binnen het uur anders is het te laat!”
As you can see, its ransom note is written in Dutch, although according to the native speakers of this language, the ransom note is butchered which could mean that its creators are certainly not Dutch.
Your files are important, however, that does not mean you have to pay the ransom to get them back. Paying these sly cyber criminals would only encourage them to develop more infections that could bring them even more profit. And besides paying the ransom is not an assurance that you’ll get your files back in the blink of an eye. What mostly happens when some users pay the ransom is that they get ignored by the cyber criminals. There are many options available that you can try to remove this infection. This article will show you just how it gets done so no need to panic and keep reading.
There many distribution methods used to spread infections like the R4bb0l0ck Ransomware. It can be distributed through infectious links, malware-laden advertisements, malicious software and fake software updates. Moreover, this ransomware can also infect you after downloading an infected attachment from your spam email. These spam email typically look like important documents to trick you into opening and downloading them. We really can’t blame some users though for it is really hard to tell if the email carries a malicious script or not.
Make sure to follow the complete set of instructions below to eliminate R4bb0l0ck Ransomware.
Step 1: Open the Windows Task Manager by pressing Ctrl + Shift + Esc. Go to the Processes tab and look for the any suspicious processes that can be related to the R4bb0l0ck Ransomware.
Right-click on the processes, click Open File Location and scan them using a powerful and trusted antivirus like SpyRemover Pro. After opening their folders, end their processes and delete their folders. If the virus scanner fails to detect something that you know is suspicious, don’t hesitate to delete it.
Step 2: Open Control Panel by pressing Start key + R to launch Run and type appwiz.cpl in the search box and click OK.
Find R4bb0l0ck Ransomware or any suspicious program and then Uninstall.
Step 3: Open System Configuration by clicking the Windows button and typing in msconfig and pressing Enter. Go to Startup and unmark items with unknown manufacturer.
Step 4: Open the File Explorer by pressing the Windows key + E.
Step 5: Go to the directories listed below and delete everything in it. Or other directories you might have saved the file related to the R4bb0l0ck Ransomware.
-
%USERPROFILE%\Downloads
-
%USERPROFILE%\Desktop
-
%TEMP%
Step 6: Look for the malicious executable file that could be related to R4bb0l0ck Ransomware.
Step 7: Right-click on it and click Delete.
Step 8: Open the Registry Editor, to do so, tap Win + R and type in regedit and then press enter.
Step 9: Locate the path below and check if there is a new suspicious entry.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Step 10: If there is a new suspicious entry that can be related to the R4bb0l0ck Ransomware and delete it.
Step 11: Close the Registry Editor.
Step 12: Empty the Recycle bin.
Step 13: Reboot your computer into Safe Mode with Command Prompt by pressing F8 a couple of times until the Advanced Options menu appears.
Navigate to Safe Mode with Command Prompt using the arrow keys on your keyboard. After selecting Safe Mode with Command Prompt, hit Enter.
Step 14: After loading the Command Prompt type cd restore and hit Enter.
Step 15: After cd restore, type in rstrui.exe and hit Enter.
Step 16: A new window will appear, and then click Next.
Step 17: Select any of the Restore Points on the list and click Next. This will restore your computer to its previous state before being infected with the R4bb0l0ck Ransomware.
Step 18: A dialog box will appear, and then click Next.
Step 19: After the system restore process, download SpyRemover Pro to remove any remaining files or residues of the R4bb0l0ck Ransomware.
Step 20: Restore your encrypted files.
As mentioned earlier, restoring your encrypted files using Windows’ Previous Versions feature will only be effective if the R4bb0l0ck Ransomware hasn’t deleted the shadow copies of your files. But still, this is one of the best and free methods there is, so it’s definitely worth a shot.
To restore the encrypted file, right-click on it and select Properties, a new window will pop-up, then proceed to Previous Versions. It will load the file’s previous version before it was modified. After it loads, select any of the previous versions displayed on the list like the one in the illustration below. And then click the Restore button.