RXD ransomware removal

RXD ransomware is malware that aims to encrypt files. It’s part of the notorious Dharma ransomware family, and can be differentiated from other versions by the .[debri@keemail.me].RXD extension added to all encrypted files.


RXD ransomware is a dangerous piece of file-encrypting malware. It comes from the Dharma malware family, which is responsible for other versions like Elvis, Kut, bH4T and 259. The versions are more or less the same, and they are all equally dangerous.

RXD encrypts files instantly, and targets the typical file types, which most often include users’ most important documents and files. Once encryption is complete, the ransomware shows a pop-up ransom note and drops a text version of it (FILES ENCRYPTED.txt). The notes don’t contain a lot of information, just that users need to send an email to debri@keemail.me with their unique IDs in order to start the file recovery process. Unfortunately, victims will be asked to pay a ransom in order to receive the decryptor. Though the note does not mention how much the ransom is, it will likely be somewhere between $100 and $1000. Whatever the price may be, paying is not recommended as there are no guarantees that a decryptor would be sent to users who pay. It’s not uncommon for cyber criminals to take the money without sending anything to help users. Furthermore, paying only fuels the cyber gang’s desire to continue their malicious activities.

If users have a backup, they can start file recovery as soon as they delete RXD ransomware from their computer. Unfortunately, a backup is currently the only way users can recover files. There is no free decryptor available at the moment, though that may change in the future. Malware researchers release free decryptors to help ransomware victims, but it’s not always possible. If a decryptor were released, it would become available on NoMoreRansom and be released by anti-virus vendors like Emsisoft, or malware researchers. While users wait for the decryptor, they should back up the encrypted files and store them somewhere safe. Users should also be careful of decryptors advertised on questionable forums, as they could be hiding malware.

Ransomware distribution

Users are often unaware that something as simple as opening an email attachment or downloading a torrent could lead to a serious ransomware infection. Developing good browsing habits usually allows users to avoid not only ransomware but many other kinds of malware.

Something as basic as carelessly opening an email attachment could infect a computer with malware. This is why users should never open unsolicited email attachments without first checking that they are safe. The emails carrying malicious files are usually quite obvious, as they contain grammar/spelling mistakes despite claiming to be official correspondence, and are sent from nonsense email addresses. Furthermore, the emails often pressure users into opening the attachments by claiming they’re important documents. If users take a second to review all unsolicited emails they get, they should be able to spot malicious ones. But even when everything seems safe, users should always scan unsolicited file attachments with anti-virus software or VirusTotal before opening them.

Pirating via torrents is also one of the ways users infect their computers with malware. Many torrent sites are not regulated properly, meaning anyone could upload something malicious disguised as a legitimate file. It’s common for popular content torrents to contain some kind of malware. For example, torrents for popular movies, TV shows and games often have malware.

Is it possible to decrypt RXD ransomware files?

As soon as the ransomware is triggered, it will start encrypting files. As mentioned, it primarily targets personal files, such as photos, videos and documents. Those are often the most important to users, so they are more likely to pay for their decryption. All encrypted files have the .[debri@keemail.me].RXD file extension added to them, which allows users to identify which ransomware they’re dealing with. Part of the extension will also be users’ unique IDs, which need to be included if victims decide to contact the cyber criminals behind this ransomware. Thus, an encrypted file would look like this: image.jpg.unique ID.[debri@keemail.me].RXD. To open files with this extension, users will first need to decrypt them.
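The naming scheme described above can be used to take a read-only inventory of affected files before they are backed up. The following is an added example, not code from the original article: it assumes the unique ID is the single dot-free component in front of the .[debri@keemail.me].RXD suffix, and the function names, sample file names and the ID SAMPLEID01 are constructed for illustration.

```python
import os
import re
import tempfile

# Suffix taken from the article. Assumption: the unique ID is the one dot-free
# component directly before it; everything earlier is the original file name.
RXD_NAME = re.compile(
    r"^(?P<original>.+)\.(?P<victim_id>[^.]+)\.\[debri@keemail\.me\]\.RXD$",
    re.IGNORECASE,
)
NOTE_NAME = "FILES ENCRYPTED.txt"  # text ransom note named in the article

def parse_rxd_name(filename):
    """Return (original_name, victim_id), or None if the name does not match."""
    m = RXD_NAME.match(filename)
    return (m.group("original"), m.group("victim_id")) if m else None

def inventory(root):
    """Walk root without modifying or renaming anything; report what was found."""
    encrypted, notes, ids = [], [], {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            parsed = parse_rxd_name(name)
            if parsed:
                original, victim_id = parsed
                encrypted.append((path, original, os.path.getsize(path)))
                ids[victim_id] = ids.get(victim_id, 0) + 1
            elif name.lower() == NOTE_NAME.lower():
                notes.append(path)
    return {"encrypted": sorted(encrypted), "notes": sorted(notes), "ids": ids}

def build_sample_tree(root):
    """Constructed sample data: empty files with made-up names and a made-up ID."""
    names = [
        "image.jpg.SAMPLEID01.[debri@keemail.me].RXD",
        os.path.join("docs", "report.final.docx.SAMPLEID01.[debri@keemail.me].RXD"),
        os.path.join("docs", NOTE_NAME),
        os.path.join("docs", "untouched.txt"),
    ]
    for rel in names:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(inventory(tmp))
```

The resulting list shows which original file names to look for in a backup, and more than one ID in the output would mean the files do not all carry the same identifier.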

Once the ransomware has encrypted all targeted files, it will show a pop-up ransom note, as well as drop a text version of it. Both contain an email address to which users would need to send an email if they decided to pay the ransom. As mentioned, the decryptor price is not stated in the note and would only be revealed in the email response. But paying is highly discouraged for the reasons already given above.

Here is the text from the pop-up ransom note:

Don’t worry,you can return all your files!
If you want to restore them, follow this link:email debri@keemail.me YOUR ID –
If you have not been answered via the link within 12 hours, write to us by e-mail:tzk7@protonmail.ch
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Only users who have a backup can currently recover files for free. While not guaranteed, this may change in the future with a free decryptor released by malware researchers.

RXD ransomware removal

Anti-virus software is the only safe way for regular users to remove RXD ransomware, besides a complete Windows reinstallation. As soon as the ransomware is fully gone, users can access their backup to start file recovery.

RXD ransomware is detected as:

  • Trojan.Ransom.Crysis.E by BitDefender
  • Trojan-Ransom.Win32.Crusis.to by Kaspersky
  • Ransom:Win32/Wadhrama!hoa by Microsoft
  • Ransom-Dharma!03441FD8C557 by McAfee
  • Ransom.Win32.CRYSIS.SM by TrendMicro
  • Ransom.Crysis by Symantec and Malwarebytes
  • A Variant Of Win32/Filecoder.Crysis.P by ESET
  • Trojan.Ransom.Crysis.E (B) by Emsisoft