If RSAUtil Ransomware has hit you, an attacker got into your system over RDP (Remote Desktop Protocol). This is bad news, because there is a good chance you will lose your personal files and more. The ransomware encrypts your important files, and they can only be decrypted with the unique key, which is kept on a remote server run by the criminals. It is possible that malware researchers will release a free decryption tool at some point, but as of this writing we know of no such tool. If you do not want to fund cyber criminals, that leaves you one option: your backup. If you are a security-minded user, you may have a recent copy on an external hard disk or similar, and that copy is what saves you now, but only after you have removed RSAUtil Ransomware from your system; restoring files onto a still-infected machine would just expose them again. Here is what we have found out about this threat in more detail.
As mentioned, this ransomware is launched on your computer manually, which means the attacker has to get access to the machine first. They do that through whatever remote desktop service is reachable on your PC. Weak passwords make this easy: the criminals can brute-force the login (trial-and-error guessing of passwords), or they can phish you beforehand for the password that protects your system or your remote desktop software. Once inside a poorly protected computer, they can disable your anti-malware software. With the defenses down, a malicious .zip archive is dropped and extracted into a directory we have not yet identified. The archive holds the following files: config.cfg, DontSleep_x64.exe, How_return_files.txt, image.jpg, libeay32.dll, msvcr90.dll, NE SPAT.bat, svchosts.exe, and a .cmd file whose non-Latin name does not render correctly in our sample (æ«ídG¿n_«t¿ßG¿G8.cmd). A few of these deserve a second look: svchosts.exe differs from the legitimate Windows svchost.exe by a single letter, libeay32.dll is the OpenSSL crypto library (libcrypto under its older Windows name), msvcr90.dll is the Visual C++ 2008 runtime the executable depends on, and DontSleep_x64.exe, judging by its name, keeps the machine awake while the encryption runs. All of these appear to play a part in the attack, with the probable exception of image.jpg, which looks like a ransom-note image meant to replace the desktop background but is never actually used. Keep in mind that deleting RSAUtil Ransomware and all of these files does not recover your encrypted files.
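The RDP password-guessing described above is also the easiest part of this attack to catch before the archive ever lands. The detector below is an added example written for this article, not code from the page or from the attackers. It reads a simplified line-delimited JSON export of Windows Security events (an assumed export shape, not the native EVTX layout), counts failed logons (Event ID 4625) of the RDP logon types per source address inside a sliding window, flags bursts and password spraying, and records whether a successful logon (Event ID 4624) from the same address followed. The sample events are constructed.

```python
"""Spot RDP brute-force and password-spray activity, and a success that
follows it, in exported Windows Security log events.

Added example for this article, not code from the page or the attackers.
Assumptions: events were exported as one JSON object per line with the
fields used below (a simplified shape, not native EVTX); Event ID 4625 is
a failed logon and 4624 a successful one; Logon Type 10 is
RemoteInteractive (RDP); with Network Level Authentication enabled,
failed RDP logons are commonly recorded with Logon Type 3 instead, so
both types are counted.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPES = {3, 10}
WINDOW = timedelta(minutes=5)
FAIL_THRESHOLD = 10   # failed logons from one source IP inside WINDOW
SPRAY_THRESHOLD = 5   # distinct accounts tried from one source IP inside WINDOW


def _ev(when, user, ip, logon_type=10, event_id=4625):
    """Build one constructed export line (sample data, not a real log)."""
    return json.dumps({"TimeCreated": when.isoformat(), "EventID": event_id,
                       "LogonType": logon_type, "TargetUserName": user,
                       "IpAddress": ip})


_T0 = datetime(2017, 5, 10, 2, 10, 0)
SAMPLE_EXPORT = "\n".join(
    # twelve failures in under three minutes from one address, six accounts
    [_ev(_T0 + timedelta(seconds=15 * i), user, "203.0.113.7")
     for i, user in enumerate(["Administrator", "admin", "root", "user",
                               "guest", "backup"] * 2)]
    # ... after which the same address gets in
    + [_ev(_T0 + timedelta(minutes=3), "Administrator", "203.0.113.7",
           event_id=4624)]
    # two typos by a legitimate remote user, and one console failure
    + [_ev(_T0 + timedelta(minutes=20), "jdoe", "198.51.100.5"),
       _ev(_T0 + timedelta(minutes=21), "jdoe", "198.51.100.5"),
       _ev(_T0 + timedelta(minutes=25), "jdoe", "-", logon_type=2)]
)


def parse_events(text):
    """Return RDP-type 4624/4625 events from the export, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        raw = json.loads(line)
        if raw.get("EventID") not in (4624, 4625):
            continue
        if raw.get("LogonType") not in RDP_LOGON_TYPES:
            continue
        events.append({"time": datetime.fromisoformat(raw["TimeCreated"]),
                       "ok": raw["EventID"] == 4624,
                       "ip": raw.get("IpAddress", "-"),
                       "user": raw.get("TargetUserName", "").lower()})
    events.sort(key=lambda e: e["time"])
    return events


def detect(events, window=WINDOW, fail_threshold=FAIL_THRESHOLD,
           spray_threshold=SPRAY_THRESHOLD):
    """Sliding-window count of failures per source IP.

    Returns {ip: {"failures": peak failures inside one window,
                  "accounts": peak distinct accounts inside one window,
                  "kind": "brute-force", "password-spray" or both,
                  "success_after": True if a 4624 from that IP follows}}
    for every source IP that crosses a threshold.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if not e["ok"]]
        peak_fail = peak_users = 0
        start = 0
        for i, e in enumerate(fails):
            # drop failures that fell out of the window ending at e
            while fails[start]["time"] < e["time"] - window:
                start += 1
            span = fails[start:i + 1]
            peak_fail = max(peak_fail, len(span))
            peak_users = max(peak_users, len({s["user"] for s in span}))
        kinds = []
        if peak_fail >= fail_threshold:
            kinds.append("brute-force")
        if peak_users >= spray_threshold:
            kinds.append("password-spray")
        if not kinds:
            continue
        first_fail = fails[0]["time"]
        alerts[ip] = {"failures": peak_fail, "accounts": peak_users,
                      "kind": "+".join(kinds),
                      "success_after": any(e["ok"] and e["time"] >= first_fail
                                           for e in evs)}
    return alerts


if __name__ == "__main__":
    for ip, info in detect(parse_events(SAMPLE_EXPORT)).items():
        print(ip, info)
```

Run it as-is to see the alert for the constructed burst, then feed it a real export and tune the thresholds to your environment. A burst followed by a successful logon from the same address is the pattern that precedes the manual intrusion this article describes, so it deserves the highest priority.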
We have no confirmed information about the encryption algorithm yet, since this threat has only just emerged and started to spread. We can only assume that, like most of its peers, it uses AES-256, RSA, or a combination of the two; the OpenSSL library (libeay32.dll) shipped in the archive is consistent with that but does not prove it. Before the attacker runs svchosts.exe, which is the actual ransomware executable, he prepares the attack with the config.cfg settings file and the .cmd and .bat scripts from the archive. This ransomware does not restrict itself to particular file types or extensions, so even your executable files are at risk. Each affected file keeps its original name and gets a ".firstname.lastname@example.org.ID83994902" suffix appended; a hypothetical document.docx, for example, would become document.docx.firstname.lastname@example.org.ID83994902. The "ID83994902" part varies from victim to victim, since it is the same ID that appears in the ransom note.
The program drops a text file named "How_return_files.txt" containing the ransom note into every affected folder. The text file hardly matters, though, because a lock screen with exactly the same content appears on your monitor as soon as the encryption finishes. The note is written in very poor English, so the author either does not speak the language well or wants us to believe so. Either way, the criminals offer a single way to get your files back: e-mail either "firstname.lastname@example.org" or "email@example.com" and include your ID number. You are then supposed to receive a reply telling you which Bitcoin address to send the ransom to. We cannot confirm the amount demanded, but we advise against paying any of it: there is little chance you will get anything in return, and even a decryption key or tool they send could carry further infections. Your security is only restored once you remove RSAUtil Ransomware and all of its related files from your system.
It is hard to say where the folder with the extracted files is, because the attacker can put it anywhere on your system. Since you know the file names, however, you can search for them in File Explorer, and the guide below walks you through deleting them. Because the attacker had remote access to the machine, also change the password of every account that could log in over RDP and restrict who can reach the remote desktop service at all. Some leftovers may remain, and other malware may be on board as well, so the more thorough method is a reliable malware removal application such as SpyHunter, which can detect and erase all known infections automatically and protect your PC against future attacks. The longer you wait, the more infections you may have to deal with on your own.
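For the file search described here, and to recognise both the dropped archive contents and the renamed files described earlier, the following triage scanner is an added example written for this article, not code from the page, from the site's removal guide, or from the malware. It walks a directory tree (a suspect drive or a mounted image), first reads any How_return_files.txt it finds to harvest the contact addresses and the victim ID, then lists dropped archive contents and files that follow the ".<e-mail>.ID<number>" naming scheme. The sample tree it builds in a temporary directory, the ransom-note wording, and the file names inside it are constructed; the archive's .cmd file is left out because its name did not survive in the article.

```python
"""Triage a directory tree for traces of the RSAUtil attack: dropped
archive contents, How_return_files.txt notes, and files renamed with the
".<e-mail>.ID<number>" scheme.

Added example for this article, not code from the page or the malware.
The sample tree, the note wording and the file names are constructed.
"""
import os
import re
import tempfile

# Archive contents named in the article (lower-cased for matching).  The
# archive's .cmd file is omitted: its name did not survive in the article.
DROPPED_FILES = {"config.cfg", "dontsleep_x64.exe", "image.jpg",
                 "libeay32.dll", "msvcr90.dll", "ne spat.bat", "svchosts.exe"}
RANSOM_NOTE = "how_return_files.txt"
# Contact addresses quoted in the article's description of the note.
KNOWN_EMAILS = {"firstname.lastname@example.org", "email@example.com"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
ID_RE = re.compile(r"\bID(\d{6,})\b")


def harvest_note(text):
    """Return (addresses, victim IDs) mentioned in a ransom note."""
    return ({m.lower() for m in EMAIL_RE.findall(text)},
            set(ID_RE.findall(text)))


def parse_encrypted_name(name, emails):
    """Split 'orig.ext.<email>.ID<digits>' into (orig.ext, email, digits).

    The address is matched against a known list because its local part may
    itself contain dots, so the boundary cannot be found from the name
    alone.  Returns None when the name does not follow the scheme.
    """
    for email in emails:
        m = re.match(r"(.+)\." + re.escape(email) + r"\.ID(\d+)$",
                     name, re.IGNORECASE)
        if m:
            return m.group(1), email, m.group(2)
    return None


def scan(root, emails=KNOWN_EMAILS):
    """Walk root and collect notes, dropped files, encrypted files and IDs.

    Notes are read in a first pass so that addresses found in them extend
    the list used to recognise encrypted names in the second pass.
    """
    emails = {e.lower() for e in emails}
    found = {"notes": [], "dropped": [], "encrypted": [], "ids": set()}
    all_files = [(d, f) for d, _, fs in os.walk(root) for f in fs]
    for d, f in all_files:
        if f.lower() == RANSOM_NOTE:
            path = os.path.join(d, f)
            with open(path, encoding="utf-8", errors="replace") as fh:
                note_emails, note_ids = harvest_note(fh.read())
            emails |= note_emails
            found["ids"] |= note_ids
            found["notes"].append(path)
    for d, f in all_files:
        path = os.path.join(d, f)
        if f.lower() in DROPPED_FILES:
            found["dropped"].append(path)
            continue
        parsed = parse_encrypted_name(f, emails)
        if parsed:
            orig, email, vid = parsed
            found["encrypted"].append((path, orig, email, vid))
            found["ids"].add(vid)
    return found


def build_sample_tree(root):
    """Create a constructed victim tree (sample data, not real artefacts)."""
    docs = os.path.join(root, "Users", "victim", "Documents")
    drop = os.path.join(root, "ProgramData", "tmp")
    os.makedirs(docs)
    os.makedirs(drop)
    note = ("All your files encrypted. Write to firstname.lastname@example.org "
            "or email@example.com and send your ID83994902 to return files.")
    with open(os.path.join(docs, "How_return_files.txt"), "w",
              encoding="utf-8") as fh:
        fh.write(note)
    for name in ("report.docx.firstname.lastname@example.org.ID83994902",
                 "setup.exe.email@example.com.ID83994902", "notes.txt"):
        open(os.path.join(docs, name), "w").close()
    for name in ("svchosts.exe", "config.cfg", "libeay32.dll"):
        open(os.path.join(drop, name), "w").close()


def run_demo(emails=KNOWN_EMAILS):
    """Build the sample tree in a fresh temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="rsautil_triage_")
    build_sample_tree(root)
    return scan(root, emails)


if __name__ == "__main__":
    result = run_demo()
    print("victim IDs:", sorted(result["ids"]))
    for path, orig, email, vid in result["encrypted"]:
        print(f"encrypted {orig!r} -> {path} (contact {email}, ID{vid})")
    for path in result["dropped"]:
        print("dropped artefact:", path)
```

Point scan() at a real root instead of the demo tree to inventory a victim machine. Reading the notes first matters: if the criminals switch contact addresses, the scanner still recognises the renamed files, because the address used in the suffix is the one printed in the note.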
Remove RSAUtil Ransomware from Windows