Danger level 7
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Normal system programs crash immediately
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

RSA Ransomware

Some malware families appear to be growing by the hour, and RSA Ransomware is an infection that comes from one of them, the Crysis/Dharma Ransomware family. The family is already vast, but because the creator of this malware has made it very easy to take the already established code and build upon it, new variants keep emerging. A couple of the more recent ones include VIRUS Ransomware, 3442516480@qq.com Ransomware, and Asus Ransomware. It is impossible to say who created this malware, and, for all we know, the same attackers could stand behind them all. Whatever the case might be, it is our mission to discover and report every single variant that emerges because this malware is incredibly dangerous. If you are lucky and you remove RSA Ransomware – or other variants – immediately, you might be able to prevent having your files encrypted. However, this malware is meant to slither in and corrupt your files without your knowledge, and so you are most likely to discover the threat and realize that it must be deleted only after all of your personal files are locked up.

Your personal files might appear to be locked up because RSA Ransomware encrypts them. That means that the data is scrambled so that it can be read only with a unique decryptor. That is why legitimate, third-party decryptors cannot assist. In some cases, malware researchers are able to build free decryptors, but that has not happened for RSA Ransomware yet, and it is possible that it never will. The first sign that this malware got in is likely to be the “rsa1024@tutanota.com” window that pops up the moment all files are encrypted. By the way, “.id-{unique ID}.[rsa1024@tutanota.com].RSA” is the extension that you should find attached to the names of the encrypted files. The window can be closed easily, but you are unlikely to do that right away because of the message it displays. If you believe it, the attackers behind the infection will provide you with a decryptor as soon as you contact them and also pay a ransom. You are instructed to email rsa1024@tutanota.com, and the rsa1024@cock.li email address is presented as the one you are supposed to use if no answer is received within 24 hours.

When the attacker behind RSA Ransomware responds to you, it is most likely that you will be instructed to pay a ransom. That is what the original ransom note alludes to as well. We cannot know how big the ransom might be, but even if you can pay however much the attackers want, you have to think carefully about whether you should do that. After all, you are not given any guarantees that a decryptor will fall into your hands as soon as you fulfill all of the demands that are presented to you. Unfortunately, from what we have seen and experienced, cybercriminals do not really keep their promises. Hopefully, you do not need to rely on that because you have copies of all – or, at least, the most important – personal files. When your system is malware-free, you have to create copies of files and save them on external drives or online (cloud storage), and if you have done that, RSA Ransomware will not intimidate you. First, remove this malicious infection, and then figure out whether or not you want to transfer copies back onto the computer. If you choose to do that, delete the encrypted files first.

You might have already decided that you want to delete RSA Ransomware manually. If that is your decision, you have to find the launcher file. We cannot help you with that because the location of this file depends on how it was introduced to you, and the name could be completely random. Manual removal is complicated and success is not guaranteed, whereas if you choose to go the automatic removal route, you will not need to face struggle or disappointment. A reliable anti-malware program will automatically remove RSA Ransomware, and if other threats exist without your knowledge, they will be found and erased at the same time. The most important thing is that the program will secure your system, which is crucial for further protection. If you protect your system, install all updates, avoid spam emails and bundled downloaders, as well as back up all files, we hope that you will escape ransomware or, at least, minimize the impact of an attack.

RSA Ransomware Removal

  1. Identify the {unique name}.exe file that is the launcher of the ransomware.
  2. Right-click and Delete this malicious file.
  3. Find and Delete the ransom note file, FILES ENCRYPTED.txt.
  4. Tap Win and E keys to launch Windows Explorer.
  5. Right-click and Delete the Info.hta file from these folders (enter each path into the quick access field):
    • %APPDATA%
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup\
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %WINDIR%\System32\
  6. Right-click and Delete the {unique name}.exe file from these folders:
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup\
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %WINDIR%\System32\
  7. Tap Win and R keys to launch Run.
  8. Type regedit into the box and click OK to access Registry Editor.
  9. Move to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  10. Delete the {unique names} values associated with Info.hta and {unknown name}.exe files.
  11. Empty Recycle Bin and then run a full system scan using a legitimate and trusted malware scanner.
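
Before deleting anything, the locations named in steps 3 to 10 can be listed in one pass. The PowerShell script below is an added example, not part of the original guide, and it only reads: it assumes PowerShell 3.0 or later, that the ransom note and encrypted files sit under the user profile, and that the {unique ID} contains no dots. Run values that point into System32 can belong to legitimate software, so every row needs review.

```powershell
# Added example: read-only audit, nothing is deleted or modified.
$folders = @(                                   # folders listed in steps 5 and 6
    "$env:APPDATA",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ALLUSERSPROFILE\Application Data\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:WINDIR\System32"
)
# Extension from the article; the ID format is an assumption (any run of non-dot characters).
$pattern = '\.id-[^.]+\.\[' + [regex]::Escape('rsa1024@tutanota.com') + '\]\.RSA$'

$findings = @(
    # Step 5: copies of Info.hta in any of the listed folders.
    foreach ($dir in $folders) {
        Get-ChildItem -LiteralPath $dir -Filter 'Info.hta' -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Kind = 'Info.hta'; Item = $_.FullName; Detail = $_.LastWriteTime } }
    }
    # Step 6: Startup folders normally hold shortcuts, so any .exe there deserves review.
    # System32 is covered by the Run-key check below; it is full of legitimate executables.
    foreach ($dir in ($folders | Where-Object { $_ -like '*\Startup' })) {
        Get-ChildItem -LiteralPath $dir -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Kind = 'Startup exe'; Item = $_.FullName; Detail = $_.LastWriteTime } }
    }
    # Steps 9-10: Run values that reference Info.hta or an .exe in System32 or a Startup folder.
    $run = Get-Item -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($name in $run.GetValueNames()) {
        $data = [string]$run.GetValue($name)
        if ($data -match 'Info\.hta|\\(System32|Startup)\\[^\\]+\.exe') {
            [pscustomobject]@{ Kind = 'Run value'; Item = $name; Detail = $data }
        }
    }
    # Step 3 and damage scope: ransom note copies and a count of encrypted files.
    # Searching the user profile is an assumption; the guide does not say where the note is.
    $walk = Get-ChildItem -LiteralPath $env:USERPROFILE -Recurse -File -Force -ErrorAction SilentlyContinue
    $walk | Where-Object { $_.Name -eq 'FILES ENCRYPTED.txt' } |
        ForEach-Object { [pscustomobject]@{ Kind = 'Ransom note'; Item = $_.FullName; Detail = $_.LastWriteTime } }
    $locked = @($walk | Where-Object { $_.Name -match $pattern })
    [pscustomobject]@{ Kind = 'Encrypted files'; Item = $env:USERPROFILE; Detail = "$($locked.Count) file(s)" }
)

$findings | Format-Table -AutoSize -Wrap
```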