Radxlove7@india.com Ransomware

We want to inform you about a new ransomware that can infection your computer when you open malicious email attachments. It is called Radxlove7@india.com Ransomware, and our tests have shown that it is configured to encrypt your personal files and demand that you pay a ransom for the software needed to decrypt them. Its developers might ask you to pay a substantial sum of money in Bitcoins, and there is no guarantee that you will get the decryptor after you have made the transaction to their Bitcoin wallet. As a rule of thumb, we do not recommend that you trust the cyber criminals and comply with their demands. Therefore, we recommend that remove this ransomware using the instructions found at the end of this article.

While performing our analysis of this ransomware, we discovered that it is based on the CrySIS ransomware engine that is also used in ransomware-type infections such as Alex.vlasov@aol.com Ransomware, Green_ray Ransomware, Vegclass@aol.com Ransomware, and several others. Therefore, we are positive that at least several of them come from the same creators as this particular ransomware.

As far as this infections dissemination channels are concerned, we have found that it is distributed using a deceptive method that involves sending email spam to random email addresses. The emails are not dangerous, but the file attachments that they feature are definitely dangerous. Radxlove7@india.com Ransomware is contained in a self-extracting file archive that drops its executable to %WINDIR%\Syswow64 and %WINDIR%\System32 and possibly several other locations that may include the following:

• %ALLUSERSPROFILE%\Start Menu\Programs\Startup\
• %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
• %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\
• %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\
• %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup\

Our research has revealed that the locations may vary because this ransomware has more than one version. Take note that we did not indicate the name of the executable. That is because the executable’s name is different for each case and varies in both length and character arrangement.

If the infection is successful, this ransomware will scan your computer for files such as .jpeg, .doc, .mp3, .zip, .rar, .zip, .tif, .jpg, .bmp, .png, docx, .odb, and .odc, and encrypt them with the RSA cryptosystem. This particular infection uses the RSA-2048 encryption algorithm with a 2048-bit long key. This ransomware creates a unique public and private decryption key. The keys have to match, but if they do not, then the decryptor will not initiate the decryption process. The private key is sent to a remote server and will remain in possession of the cyber criminals until you pay the ransom.

While encrypting, this ransomware will append the files with the .id-B0000000.{radxlove7@india.com}.xtbl extension. Note that the extension name features an ID number that is different for each user. After encrypting the files, this ransomware will create two files called Decryption instructions.jpg and Decryption instructions.txt. Decryption instructions.jpg is dropped in C:\Users\[your user name] and is set as your desktop wallpaper adding a registry string in Windows Registry. The location of this string is HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers, but there is also another string called Wallpaper at HKCU\Control Panel\Desktop. Decryption instructions.txt is dropped on the desktop and it both of these files carry a similar message — they want you to contact the cyber criminals that got your computer infected with this ransomware to receive instructions on how to pay the ransom and decrypt your files. We are strongly against paying the random because there is no way of knowing whether the criminals will send you the decryptor.

Unfortunately, there is no way to decrypt your files once they have been encrypted by Radxlove7@india.com Ransomware and some time will have to pass until security researchers find a vulnerability in this ransomware and find a way to decrypt the files. Therefore, we suggest that you remove this malware either using the manual removal guide provided below or an antimalware application such as SpyHunter, which is more that capable of dealing with this particular infection.

Delete the executable

1. Press Windows+E keys.
2. Enter the following directory addresses in the address box.
   • %WINDIR%\Syswow64
   • %WINDIR%\System32
   • %ALLUSERSPROFILE%\Start Menu\Programs\Startup\
   • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
   • %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\
   • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\
   • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup
3. Find the malicious executable and delete it.

Delete the registry keys.

1. Press Windows+R keys.
2. Type regedit in the dialog box and click OK.
3. In the Registry Editor, go to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Wallpapers
4. Find BackgroundHistoryPath0 and delete it.
5. Then, go to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
6. Find the randomly named strings with Value data of %WINDIR%\Syswow64\RandomName.exe and %WINDIR%\System32\RandomName.exe and delete them.
7. Done.