R980 Ransomware Removal Guide

Do you know what R980 Ransomware is?

R980 Ransomware is a highly malicious application set to enter your computer using covert means. If you do not have an anti-malware program, then it will encrypt your files and demand that you pay a ransom to get them back. However, there is a problem, and it lies in the fact that the cyber criminals might not give you the necessary decryption key after you pay. Our security analysts suggest removing it using the guide provided at the end of this short article. In it, we will discuss this ransomware’s distribution methods, functionality, encryption method, and more, so if your PC has been infected with it, then please continue reading.

Our security specialists have concluded that this ransomware is still in the development phase, but its creators have released it regardless. Therefore, some of the information that we provide may be subject to change, especially its distribution methods. Speaking of which, researchers say that R980 Ransomware is most likely disseminated via email spam sent from a dedicated server. To our knowledge, it does not target a particular demographic or location, so it seems that the emails are sent to random email addresses. Our researchers have obtained R980 Ransomware’s executable’s sample. However, they have yet to see an example of the fake emails that its server sends, so we do not know how the cybercriminals trick people into thinking that the emails are legitimate. In any case, researchers have received unconfirmed information that the fake emails feature a file archive attachment that when extracted drops this ransomware’s executable to your specified location and copies it to %TEMP%.R980 Ransomware Removal GuideR980 Ransomware screenshot
Scroll down for full removal instructions

R980 Ransomware consists of one file named Taskhost.exe, but it also creates other files, but they are not considered malicious. When the encryption process is complete, this ransomware creates a file called DECRYPTION_INSTRUCTIONS.txt that should be placed on the desktop and in all folders where file have been encrypted. Furthermore, it creates a file called rbg.png. It is an image file, and it is placed in %TEMP%. This file is set as the desktop wallpaper, and it features the same text found in DECRYPTION_INSTRUCTIONS.txt. To put it simply, both of these files act as ransom notes.

The ransom note states that “ALL of your documents, photos, databases and other important files have been encrypted with AES – 256 and RSA4096.You will not be able to recover your files without the private key which has been saved on our server.An antivirus can not recover your files.” Indeed, this ransomware targets file types that include but are not limited to .3GP, .7Z, .APK, .AVI, .BMP, ,DOC, .EPUB, .DOCX, RTF, .SCR, .SWF, .XLS, .XLSX, .XPS, and so on. It can encrypt close to a hundred file formats, and it appends them by adding the .crypt extension onto files. R980 Ransomware uses the AES-256 and the RSA-4096 encryption algorithms which mean that the encryption is strong and will be difficult to break.

The cyber criminals want you to pay a ransom 0.5 BTC which is approximate $302 USD. Clearly, this is a substantial sum of money that not everyone can afford to pay. In any case, even if you pay the ransom there is no guarantee that you will get the decryption key. Therefore, we recommend that you remove it instead because if you pay the ransom, then you will finance the development of new ransomware.

Since this ransomware is still in development, some things discussed in this article are subject to change. For example, the name of the main executable may change. In any case, you can remove it if you want to with an anti-malware tool. Our malware specialists recommend using SpyHunter as it is frequently updated and can detect malware quickly. Furthermore, our researchers have produced a manual removal guide for this early version of R980 Ransomware.

Delete this ransomware

  1. Find and delete the malicious executable.
  2. Press Windows+E keys.
  3. Type %TEMP% in the address box.
  4. Find rbg.png and Taskhost.exe and delete them.
  5. Find and delete all DECRYPTION_INSTRUCTIONS.txt files.

Delete the registry key

  1. Press Windows+R keys.
  2. Type regedit in the box and click OK.
  3. In the Registry Editor, go to HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  4. Find the registry string named BeeCrypt.
  5. Right-click it and click Delete.

In non-techie terms:

R980 Ransomware is a typical ransomware that can enter your computer when you extract and run its executable that comes in a fake email attachment. This ransomware uses advanced encryption ciphers to encrypt your files and demand that you pay a ransom for the decryption key. However, the cyber crooks might not give you the key, so you might as well delete from your PC using an anti-malware tool or our guide.