What is RRCC Ransomware?

RRCC ransomware is a highly malicious file-locker type of virus that encrypts the infected user’s files rendering it useless. It is a variant of the STOP/DJVU malware group that is created to exploit weakness on a user’s computer system and demand ransom money in exchange for the recovery and decryption of the files they encrypted.

Since many people have important documents and files in their devices, those who are infected with RRCC ransomware are forced to pay for the ransom demanded by the cyber attackers in return for their valuable data.

Most of the new variants of this unruly file locker virus are impossible to decrypt independently and even some experts are still having difficulties in finding a recovery for these encrypted files that is why most people are resorting to the only option.

Once it enters the computer system, it will perform many actions that will harm your computer such as making changes to computer preferences and functions. More importantly it may disable the built-in antivirus system (Windows Defender) and other applications that may detect it as a threat.

However not all ransomware viruses have the ability to do such actions on a computer, but still, everyone should still be careful not to download anything suspicious since it may lead to the installation of malware such as RRCC ransomware.

Another thing to keep in mind is that these type of malware often comes with a data stealer virus that can gather information within the computer such as login details, screenshots, bank accounts, browser history and cookies. Anything that can be found within the computer, it can be stolen by such a malware so if you are infected by RRCC ransomware or any other type of malicious threat, it is essential to keep your accounts in check.

Being the target of a dangerous virus like RRCC ransomware is very destructive to a computer system and it’s network connected devices. Since it can also move from one pc to another through internet connection. If an infected device is connected to a network, then the malware could spread through other devices connected to the same network.

That is why when a computer is compromised, it is best to disconnect it from the network as soon as possible or at least boot it into safe mode with networking.

In order to give you a brief understanding of this particular malware, here is a summary of the threat:

Name	RRCC
Extension	.RRCC
Classification of Malware	Ransomware, File Locker
Malware Group	STOP/DJVU
Attacker’s Email	[email protected] & [email protected]
Ransom Amount	$490 – 980 via Cryptocurrency (Bitcoin)
Ransom Note	_readme.txt
Symptoms	– The .RRCC extension will be added to all files on the computer making it useless and unable to open. – Sometimes, additional malware is also deployed into the system such as data stealers and keyloggers to track the user’s session, history and login information.

The Purpose of RRCC Ransomware

A Ransomware virus is a type of malware that encrypts files on infected computers and demands a ransom payment in order to decrypt them. The ransom payments are typically made in Bitcoin or other cryptocurrencies, and the ransomware operators usually claim that they will not release the files until the ransom is paid.

The RRCC ransomware operators can make an enormous amount of money by encrypting large numbers of files and demanding high ransom payments. In some cases, the files that are encrypted can be quite valuable, and therefore ransom can be demanded at a high price.

Once a certain individual pays for the ransom as instructed by the attackers, they are given a decryption key to be used to restore their files. The decryption key is a unique digital code that unlocks files that have been encrypted by the ransomware virus.

However, a successful ransom transaction and decryption is not always what happens in the case of a ransomware infection. It is not simply right to trust the very individuals that encrypted the files in the first place. Since doing so may also result in the opposite and do additional damage being done to your computer and may even result in the data being lost altogether.

There have also been some cases where the decryption tool provided to them turns out to be another encryptor which made their files much harder to recover. Secondly, this will only give the person who is holding your files more money and will not help you in any way.

How does the malware spread?

Almost every other type of computer virus have the same way of entering a device. They do not work upon initial download but their malicious actions will start to function after the execution of the file.

Normally, a user cannot obtain and a malicious file if they are careful of what they are browsing be it a website or reading an email. Here are the main ways where RRCC ransomware and other malicious threats could possibly be obtained:Spam email attachments: The most common and widely used strategy. It deceives the intended recipient into downloading malicious software that is attached to the attackers’ email. The files are either bundled together or disguised as documents, movies, and voicemails in the attachments.

The attacker will most likely make the attached file intriguing and interesting so that the victim will most likely open it. If you are receiving emails with attachments from unknown and suspicious sources, make sure to scan the contents before opening it.

Drive-by Downloads: It occurs when a person visits an infected website that has been injected with a malicious script that causes a random piece of software to be downloaded. Hackers can then use these flaws to obtain unauthorized access to targets’ systems once they’ve been clicked.

Drive-by downloads are commonly associated with the installation of adware or potentially unwanted programs (pups), but they have also been linked to the infection of users by dangerous ransomware.

Torrent Files: Torrent files are used by millions of pirates all over the world to obtain pirated movies and records, as well as cracked versions of premium software. Since then, cyber thieves have used the torrent community to propagate their dangerous software.

Torrents, particularly .exe files, are almost certainly infected. So, if you’re downloading from a torrent site, it’s worth checking the file extension because it’s usual to find that a pirated movie or music is contaminated with a virus if it’s in the.exe format.

In most cases, a user who have obtained RRCC ransomware will not have the slightest chance of opening the file. Even though it is to be an executable program (.exe) your web browser will most likely block the download of this harmful file.

Addition to that, Windows Defender would have flag it as a harmful program and will take action to remove it due to Windows Real Time Protection being enabled. On the slim chance that the threat was not detected and therefore executed, it is going to be a disaster for the computer system.

How does the ransomware work?

Once the malware is initiated, it will start on doing malicious actions on the victim’s computer. One of the first thing it would do is to disable the antivirus system inside the machine so it could do it’s actions without having to deal with the computer’s protection.

In short, it will make the system completely vulnerable to any type of malware and cyber criminals have a very good advantage to a computer without even the slightest protection. RRCC ransomware will also make changes into the computer’s system such as the host file and the registry files. It takes advantage of adding registry entries to Windows system locations so that the malware will still persist even after a reset of the computer.

After these actions, the ransomware virus will now scan the computer system for valuable files such as videos and documents. Some of the files that are typically encrypted are financial documents, business papers and important family pictures.

After scanning the system for files, it will then encrypt the files with the .RRCC to make the file useless and unable to be opened. Once the encryption of files are finished, the ransomware will leave behind a note (_readme.txt) stating that it demands $490 in Bitcoin for the decryption of the files and the amount will be doubled after 72 hours.

The use of crypto payments are commonly used by malware operators to prevent being tracked by the government. Alongside with the note, they will also leave a link for a demonstration of the file decryption and will give you the chance of decrypting 1 sample file for free as a proof that their decryption tool is working. (RRCC ransom note is as shown below)

ATTENTION!
Don’t worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
hxxps://we.tl/t-6Ti2DxXR3I
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.
To get this software you need write on our e-mail:
[email protected]
Reserve e-mail address to contact us:
[email protected]
Your personal ID:
*******************************************************

I have been infected, what should I do?

If have been recently infected by RRCC ransomware, it is important to have safety measures. We also highly suggest that you remove the malware from the system as soon as possible to prevent further harm.

Do not think carelessly that once the file encryption is finished, the malware will also cease to function because it does not end there. Any new files that is added into the pc will be encrypted as well due to the “Time Trigger Task” that RRCC ransomware has set on the Task Scheduler application.

Here is how to remove the Time Trigger Task:

In order to get rid of it, open Task Scheduler by pressing Windows Key+R and type taskmgr.exe then enter.Once the application opens up, click the Task Scheduler Library on the left side panel then find Time Trigger Task from the triggers. Once you see it, press right click and delete.Now that the trigger is deleted, it will prevent RRCC ransomware from encrypting new files that comes into the computer.

Then again, the encryption may have stopped from triggering but the malware is still in the system. Before removing the malicious threat completely, it is essential to boot into Safe Mode first. It is helpful to run it when troubleshooting a problem within the computer.

Here is how to boot into Safe Mode with Networking:

In order to boot into Safe Mode, first open system configuration by pressing Windows Key + R button then type “msconfig.exe“.Once the System Configuration window appears, click Boot next to General then check the Safe Boot from Boot options. Below that, tick the Network option to allow internet within the Safe Mode then click apply, once everything is done and the computer should be restarted into safe mode.Below this section, we have provided a detailed procedure on how to remove RRCC ransomware as well as some possible ways to decrypt the infected files. Although it is important to note that new ransomware variants are very much unlikely to be decrypted.

Before that, we suggest that you do one last precaution before starting the removal of the virus. The last step to take before proceeding is to backup the infected files first to avoid further damage during the step by step process.

Data loss is very critical especially during a ransomware attack, in case important files are encrypted, people who do daily backups could easily pull a recent one and everything would be back to normal. However on the case of not having a backup, the encrypted files should at least have another copy just in case the files become irreparable when something goes wrong.One of the best way to keep a backup would be through an online cloud backup services such as Dropbox and IDrive. It is convenient to have an online backup because the data can be accessed and transferred easily with any device as long as it has internet connection.

Addition to that is has built-in security that would detect if you are uploading or transferring files that are infected with malware. Another way of storing a backup would be the traditional way of having a USB flash drive.

Though it is worth to note that you should transfer files while on Safe Mode and scan your files for viruses before transferring them over to the flash drive. After completely copying the files, detach the USB stick and proceed with the step by step procedure.