R3tr0 Ransomware
R3tr0 ransomware is a newly discovered strain of file-encrypting malware that belongs to the wider family of Dharma ransomware clones.
Once deployed on a target system, the ransomware behaves like the other members of that family: it encrypts most user data while leaving system-essential files alone, so the machine stays bootable and the victim can read the ransom demand. Encrypted file types include media files, documents, archives and database files.
Once encrypted, file names are changed by appending several strings: the victim ID, the email address used by the ransomware operator and the ".r3tr0" extension. For example, a file named "picture.jpg" becomes "picture.jpg.id-[alphanumeric ID string].[r3trocrypt@tuta.io].r3tr0". Because the original name is kept as a prefix, the renamed files themselves tell you which data was hit and which operator address to expect in the note.
The ransom note is dropped in two files: a plain-text file, Info.txt, and an HTML Application (HTA) file, Info.hta.
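As an added example (not code from the original page or from any analysis tool), the following Python triage helper recognises the rename pattern described above and the two ransom note file names, recovering the original file name, the victim ID and the operator email from each encrypted name. It assumes the victim ID is purely alphanumeric and that the email contains no square brackets, which the page does not state; the email is captured rather than hard-coded because the page itself spells it both as r3trocrypt@tuta.io and as r3tr0crypt@tuta.io. The pattern builder takes the extension as a parameter, so it generalises to other Dharma clones that differ only in the suffix they append. The sample file listing is constructed for the example.

```python
import re

# Dharma-family rename pattern as described on the page:
#   <original name>.id-<victim ID>.[<operator email>].<extension>
# Assumptions not stated on the page: the victim ID is a run of
# alphanumeric characters and the email contains no square brackets.
def dharma_name_pattern(extension="r3tr0"):
    """Compile a matcher for Dharma-style encrypted file names.

    The extension is a parameter so the same logic works for other
    Dharma clones that only differ in the suffix they append.
    """
    return re.compile(
        r"^(?P<original>.+?)"
        r"\.id-(?P<victim_id>[0-9A-Za-z]+)"
        r"\.\[(?P<email>[^\[\]]+)\]"
        r"\." + re.escape(extension) + r"$"
    )

R3TR0_NAME = dharma_name_pattern("r3tr0")

# Ransom note file names given on the page, matched case-insensitively
# because Windows file systems are case-insensitive.
RANSOM_NOTE_NAMES = {"info.txt", "info.hta"}

def basename(path):
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]

def parse_encrypted_name(name, pattern=R3TR0_NAME):
    """Return the original name, victim ID and operator email encoded in an
    encrypted file name, or None if the name does not match the pattern."""
    m = pattern.match(name)
    return m.groupdict() if m else None

def triage(paths, pattern=R3TR0_NAME):
    """Classify a list of file paths collected from an affected host.

    Returns the parsed encrypted files, the ransom note locations, the
    distinct victim IDs and operator emails seen, and everything else
    (so the caller can see what the ransomware left alone).
    """
    result = {"encrypted": [], "notes": [], "victim_ids": set(),
              "emails": set(), "other": []}
    for path in paths:
        name = basename(path)
        parsed = parse_encrypted_name(name, pattern)
        if parsed:
            parsed["path"] = path
            result["encrypted"].append(parsed)
            result["victim_ids"].add(parsed["victim_id"])
            result["emails"].add(parsed["email"])
        elif name.lower() in RANSOM_NOTE_NAMES:
            result["notes"].append(path)
        else:
            result["other"].append(path)
    return result

# Constructed sample listing (not from a real infection): a few user files
# renamed the way the page describes, the two notes, and untouched files.
SAMPLE_PATHS = [
    r"C:\Users\alice\Pictures\picture.jpg.id-A1B2C3D4.[r3trocrypt@tuta.io].r3tr0",
    r"C:\Users\alice\Documents\report.docx.id-A1B2C3D4.[r3trocrypt@tuta.io].r3tr0",
    r"C:\Users\alice\Documents\backup.tar.gz.id-A1B2C3D4.[r3trocrypt@tuta.io].r3tr0",
    r"C:\Users\alice\Documents\Info.txt",
    r"C:\Users\alice\Desktop\Info.hta",
    r"C:\Windows\System32\ntoskrnl.exe",
    r"C:\Users\alice\notes.txt",
]

if __name__ == "__main__":
    summary = triage(SAMPLE_PATHS)
    print(f"{len(summary['encrypted'])} encrypted files, "
          f"{len(summary['notes'])} ransom notes")
    print("victim IDs:", sorted(summary["victim_ids"]))
    print("operator emails:", sorted(summary["emails"]))
    for entry in summary["encrypted"]:
        print(f"  {entry['original']}  <-  {entry['path']}")
```

The helper only reads file names and never renames anything, which matters because the note warns that renaming encrypted files can break any later recovery; a real run would feed it the output of a directory walk or a forensic file listing instead of the constructed sample.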
The full text of the ransom note in the HTA file reads as follows:
RETRO-ENCRYPTED
r3tr0
Don't worry, you can return all your files!
If you want to restore them, write to the mail: r3tr0crypt at tuta dot io YOUR ID -
If you have not answered by mail within 12 hours, write to us by another mail: r3tr0crypt at msgsafe dot io
ATTENTION!
We recommend you contact us directly to avoid overpaying agents
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
The ransom message in the TXT file is as follows:
all your data has been locked us
You want to return?
write email r3tr0crypt at tuta dot io or r3tr0crypt at msgsafe dot io