Rush Ransomware

Rush Ransomware is a Trojan, a clandestine infection that uses a disguise to slither into your operating system and start malicious processes. According to our tests, this ransomware is most likely to hide behind fictitious MS Office Word documents sent to your inbox by unfamiliar senders. Keep in mind that, in some cases, malicious infections manage to hijack email accounts and use authentic identities to spread malware. This means that the installers of malware could be introduced to you via the accounts of your own friends and colleagues. Needless to say, it is more likely that you will open a file if it is sent to you by trusted parties rather than unknown parties. Once executed, the malicious file immediately encrypts your personal files (e.g., .pdf, .docx, .php, .asp, .aspx, .html) and introduces you to the demands of cyber criminals. If you continue reading, you will learn more about the processes of this infection, and we will discuss the removal of Rush Ransomware.

According to our research, Rush Ransomware is also known as the Sanction Ransomware. The name that users recognize this infection by depends on the extension attached to the files that are encrypted. For example, some users will find photo.jpg.rush and others will find photo.jpg.sanction. The interfaces of these ransomware infections are almost identical, and it is likely that they are simply different versions of the same threat. All in all, both of these infections – if you identify them as separate infections – use an HTML file to introduce users to their demands. The HTML file that Rush Ransomware uses is called “DECRYPT_YOUR_FILES.html”, and it is likely to be located in all locations containing encrypted files. This file opens via your browser and is represented in a form of a message. Here is an excerpt.

All your files have been encrypted with Rush Ransomware
Your unique GUID for decrypt: [unique code]
Send me some 4 bitcoin on adress: [address]
After confirming the payment, all your files can be decrypted.

This intimidating notification also includes information about the payment. Considering that most users are not familiar with the Bitcoin currency, it is not surprising that the creators of this ransomware have added instructions on how to create a Bitcoin wallet and buy Bitcoins. Once you set up your wallet, you are asked to send the necessary data, including your unique ID presented via the notification, to unransom@mail.com. If cyber criminals hold their end of the deal, a decryption key with instructions explaining how to decrypt your files will be provided to you. Hopefully, you would be able to decrypt your files if you paid the ransom, but we cannot ensure that this is exactly how cyber criminals will act. What is more, the ransom of 4 BTC is incredibly big (~1670 USD/1490 EUR). Are the files encrypted by this ransomware worth that much money? Do you have that much money? Hopefully, this will be a good lesson for you to back up your sensitive files to avoid their loss or corruption.

According to our researchers, Rush Ransomware might have been created by the cyber criminals in Russia because this ransomware connects to the v-crimea.ru/write.php server. It is possible that this server will be used to store the decryption key, without which the decryption of your files is not possible. Are you looking into third-party decryption tools? Of course, it is worth checking them out, but you have to be careful. With the increase of ransomware infections, it is possible that there will also be an increase of fictitious decryption tools set up by schemers to steal your money or infiltrate malware. Needless to say, the activity of more malicious threats is the last thing you need. Unfortunately, it is quite possible that other threats are already active because your operating system has been proven to be vulnerable with the infiltration of the malicious ransomware.

Can you clean your operating system manually? We suggest scanning your PC, and, if you learn that you need to delete Rush Ransomware only, you can use the guide below. However, if the scanner reveals other threats, we suggest implementing an automated remover. Of course, you can research and eliminate malicious programs one at a time, but you should not waste any time with malware because it can jeopardize your virtual security and your virtual identity. If you are looking for a legitimate and up-to-date remover, click the Download button below. Note that the devious ransomware requires removal regardless of whether you have paid the ransom or not. If you do not eliminate it, it is possible that your files will be encrypted again.

Rush Ransomware Removal

1. Open Explorer (tap Win+E keys together on the keyboard).
2. Enter these directories into the address bar and Delete the DECRYPT_YOUR_FILES.html file.
   • %ALLUSERSPROFILE%\Start Menu\Programs\
   • %APPDATA%\Microsoft\Windows\Start Menu\Programs\
   • %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\
   • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\
   • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\
   • %WINDIR%\System32\Tasks\
   • %WINDIR%\Tasks\