Home / Spyware Help / RSA Ransomware Removal Guide

RSA Ransomware Removal Guide

by 0 Comments

Do you know what RSA Ransomware is?

You might be unable to pinpoint the moment that RSA Ransomware slithered in, but you should be able to tell when this malicious threat revealed itself to you. Most likely, you were first introduced to a message delivered using a window that was launched automatically. Unfortunately, if that is the case, your files are already encrypted, and there is nothing you can do to reverse the process. The situation is the same if the first sign of this malware was the “.id-{random}.[rsa1024@tutanota.com].RSA” extension appended to the names of your personal files. Removing this extension and renaming the file is easy, but that is not how files are decrypted. In fact, when we researched this threat, decrypting files was not yet possible. Nonetheless, even if you cannot help you with that, we can help you delete RSA Ransomware.

For our malware experts, it took one glace to figure out that RSA Ransomware is part of the infamous Crysis Ransomware – also known as Dharma Ransomware – family. We have analyzed hundreds of infections from this family (e.g., VIRUS Ransomware, Start Ransomware, or Asus Ransomware), and we have created removal guides for all of them individually. That being said, there are more similarities than differences between these infections, and, for the most part, the same steps have to be taken to have them deleted. Even the distribution paths are likely to be the same for all of these threats. According to our researchers, spam emails and unsecured RDP systems are exploited most often. So, is remote access enabled on your system? Have you skipped any important updates lately? Do you remember opening spam email attachments? If you answer these questions, you might be able to detect the launcher.RSA Ransomware Removal GuideRSA Ransomware screenshot
Scroll down for full removal instructions

When the “rsa1024@tutanota.com” window shows up, you are informed that files were encrypted. The message also declares that you need to purchase a decryption tool in order to have your files decrypted. RSA Ransomware was created to make money, and cybercriminals are not hiding it. Of course, you should not just assume that they are transparent. Their goal is to make money, and while they promise to provide you with a decryptor if you contact them (via rsa1024@tutanota.com or rsa1024@cock.li) and then pay a ransom in Bitcoin, you cannot trust them blindly. What about the one file that they can decrypt for free? First of all, you should not email the attackers behind RSA Ransomware unless you want to face new scams. Second, who can force the attackers to provide you with a decryptor? No one can, and if you think that they would keep your feelings in mind, you are mistaken. Besides the window message, the infection also uses the “FILES ENCRYPTED.txt” file to reiterate it. This file must be deleted.

The invasion of RSA Ransomware is a lesson. If your system was protected, you would not need to worry about the infection at all. If your files were backed up, you could easily replace the locked files with the copies that are stored someplace safe. Therefore, it is not enough to just think about RSA Ransomware removal. You also need to think about your virtual security and your personal files. This is why we advise implementing anti-malware software. It would simultaneously delete the infection and also reinstate full protection. As for the files, if they were encrypted, but backups do not exist – tough luck. If you have backups, you will be able to use them as replacements after removal. Remember to backup in the future!

Delete RSA Ransomware

  1. Find the malicious .exe file that launched the threat and Delete it.
  2. Go to the Desktop and Delete the file named FILES ENCRYPTED.txt.
  3. Simultaneously tap Win+E keys on the keyboard to access Windows Explorer.
  4. Enter these paths into the bar at the top to access the locations of malicious files and then Delete them (one file is called Info.hta and the other is an .exe file with a random name):
    • %APPDATA%
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup\
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %WINDIR%\System32\
  5. Simultaneously tap Win+R keys on the keyboard to launch the Run dialog.
  6. Enter regedit into the box and click OK to access Registry Editor.
  7. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  8. Delete values that represent the files deleted in step 4.
  9. Empty Recycle Bin and then immediately install a trusted malware scanner.
  10. Perform a thorough system scan using the tool to check whether or not there is anything else to remove.

In non-techie terms:

RSA Ransomware is an extremely dangerous infection because the mess it creates cannot be resolved easily. In fact, at the time of research, it could not be resolved at all. Although you might be able to remove RSA Ransomware manually or, better yet, using anti-malware software, restoring the encrypted files is not yet possible. The attackers want you to believe that they can decrypt all files if you pay the ransom, but they cannot be trusted, and we do not recommend contacting them and paying the ransom. Although your operating system might have lacked reliable protection, you might still have backups stored someplace safe. If you do, you have replacements, and if you have replacements, no one can ever force you to pay for a strange, unverifiable decryptor. If you do not want to end up losing your personal files in the future, you need to have backups stored outside the computer for all files at all times.