Danger level 7
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Strange toolbar installed without Your permission
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

Rxx Ransomware

You might have let Rxx Ransomware in by complete accident. The launcher of this infection can be introduced to Windows users as a document or application file that poses no threat. Cybercriminals can use misleading spam emails and also bundled downloaders to introduce the launcher file stealthily. Once the file is executed, the threat runs immediately, and its first task is to encrypt all personal files. If you have discovered that your files cannot be read and that the .id-*.[back_data@foxmail.com].rxx extension (* is random for every user) has been added to them, you can rest assured that you have let the dangerous ransomware in somehow. Perhaps you did not do that yourself, but a different active infection dropped it silently. Whatever the case might be, it is obvious that your operating system lacks reliable protection. This is an issue that is just as important to figure out as the removal of Rxx Ransomware. If you cannot wait to delete this dangerous infection, let’s get to it.

First of all, it is important to note that Rxx Ransomware is part of the Crysis/Dharma Ransomware family. Our readers will know this name very well because it is linked to 8800 Ransomware, Devil Ransomware, Dever Ransomware, Bitx Ransomware, Nvram Ransomware, and hundreds of other infections. They all follow the same pattern because they were created using the same malware code. After the initial execution, they encrypt files, and while there are threats that wipe/delete personal files or corrupt system files, Rxx Ransomware focuses on personal files alone. The infection does not need to cause harm anywhere else because its main purpose is to make you think that you need to pay a ransom in return for a decryptor that the attackers can, allegedly, provide you with. To make sure that you know what is going on, the attackers drop “Info.hta” and “FILES ENCRYPTED.txt” files. The two messages differ in length, but both give the same instructions. Since these files are not malicious per se, you can open them, but do not forget that the messages were created by cybercriminals and that you will need to delete them eventually.

The “Info.hta” file dropped by Rxx Ransomware is responsible for opening the “back_data@foxmail.com” window after your files are executed. The message displayed via this window informs you that your personal files were encrypted and that you need to contact the attackers immediately if you want to get them back. The message also warns that if you rename files or try using third-party decryption software, your files could be lost permanently, and the ransom price could increase as well. The “FILES ENCRYPTED.txt” file simply states that files were “locked” and that you need to contact the attackers if you want them “returned.” Both files instruct you to email back_data@foxmail.com or getdecoding@protonmail.com, and we hope that you understand why doing that is dangerous. As you must understand, once you send an email to the attackers, they get the power to demand anything from you. Initially, they would ask for money in return for a decryptor – which you are unlikely to receive anyway – and later on, they could expose you to phishing and sextortion scams, or send you other misleading emails with the launchers of different infections.

Contacting the creator of Rxx Ransomware and paying the ransom in return for an alleged decryptor are awful ideas, and we hope that you understand that. Hopefully, that does not mean that your files are doomed to remain encrypted forever. Do you have copies of your files? If you do, replacement is possible. Can you use a free decryptor? Crysis and Dharma decryptors exist, but we cannot guarantee that they will be able to decipher the encryptor linked to the Rxx variant. That being said, if you are desperate, this is an option to consider. Eventually, you need to delete Rxx Ransomware, and you are in full control here. If you decide to perform the removal manually, use the guide below, but note that you have to find the launcher with a random name yourself. Its location is unknown. If you do not have the experience or time for manual removal, and if you are worried about your virtual security overall, quickly install anti-malware software. It will clean and protect your system simultaneously.

Rxx Ransomware Removal

  1. If you can find the launcher file (random name/location), delete it.
  2. Delete the ransom note file named FILES ENCRYPTED.txt.
  3. Delete a file named Info.hta and another .exe file with a random name in these locations:
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup
    • %WINDIR%\System32
    • %APPDATA%
  4. Access Registry Editor and go to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  5. Delete all values (should be 3 with random names) that are linked to files in step 3.
  6. Empty Recycle Bin and then perform a full system scan using a trusted malware scanner.

N.B. To access the directories in step 3, launch File Explorer by tapping Win+E keys together. Then copy and paste the lines, one at a time, into the quick access field at the top. To access Registry Editor, tap Win+R keys together and enter regedit into the dialog box.
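
A read-only way to list the items from steps 3 to 5 before deleting anything, as an added PowerShell example that is not part of the original guide. The `$findings` layout, and the choice to cover System32 executables only through the Run key rather than listing every .exe there, are assumptions of this example.

```powershell
# Read-only audit for the artifacts in steps 3-5; nothing is deleted or changed.
$dirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
    "$env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu\Programs\Startup"
    "$env:ALLUSERSPROFILE\Application Data\Microsoft\Windows\Start Menu\Programs\Startup"
    "$env:WINDIR\System32"
    "$env:APPDATA"
) | Where-Object { Test-Path -LiteralPath $_ }

$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run    = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
$psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

$findings = @(
    foreach ($d in $dirs) {
        # Step 3: the ransom note, looked up directly in each directory.
        Get-ChildItem -LiteralPath $d -Filter 'Info.hta' -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Kind = 'Info.hta'; Item = $_.FullName; Detail = $_.LastWriteTime } }

        # Step 3: executables. System32 is skipped because it holds many
        # legitimate .exe files; the Run-key check below covers it instead.
        if ($d -notlike '*\System32') {
            Get-ChildItem -LiteralPath $d -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue |
                ForEach-Object { [pscustomobject]@{ Kind = 'Executable'; Item = $_.FullName; Detail = $_.LastWriteTime } }
        }
    }
    # Steps 4-5: Run values whose target file sits directly in a step-3 directory.
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -in $psMeta) { continue }   # provider metadata, not Run values
        $data = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
        if ($data -match '^\s*"?([^"]+?\.(exe|hta))' -and
            (Split-Path -Parent $Matches[1]) -in $dirs) {
            [pscustomobject]@{ Kind = 'Run value'; Item = $p.Name; Detail = $data }
        }
    }
)

# Candidates only: legitimate Windows entries can also point into System32,
# so compare each Run value against the files found above before removing it.
$findings | Sort-Object Kind | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so the all-users Startup folder and the HKLM key are readable; the output is a review list, and the deletions in the guide remain a manual decision.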
