Rtg Ransomware Uses Russian Ransom Note


During a routine review of new file samples, our research team identified Rtg, a ransomware variant belonging to the Xorist ransomware family. This malicious program encrypts data and then demands a ransom for the decryption key.

When we executed Rtg on our test machine, it encrypted files and renamed them by appending a ".rtg" extension to the full original filename. For instance, a file originally named "1.jpg" appeared as "1.jpg.rtg", "2.png" as "2.png.rtg", and so on.

Upon completion of the encryption process, the ransomware generated identical ransom notes in two formats: a text file named "КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt" ("HOW TO DECRYPT FILES.txt") and a pop-up window. Notably, the text in the pop-up window may appear as unintelligible gibberish on systems that do not have Cyrillic language support installed, depending on the OS version.

The ransom message states that the victim's files have been encrypted. The victim is given a 24-hour window to contact the attackers; otherwise, the decryption key required for data recovery will be permanently deleted.
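As an added illustration (not code from the article or its authors), the following Python shows two triage steps a responder would take after observing the behaviour described above: recognising Rtg-renamed files and recovering their original names from the appended ".rtg", and reading the dropped note. The cp1251 codepage used to model the "gibberish" pop-up is an assumption made for this example; the article does not state which encoding the sample uses, and the directory listing below is constructed.

```python
from pathlib import PureWindowsPath

# Indicators taken from the article: the appended extension and the
# ransom-note filename Rtg drops next to the encrypted files.
RTG_EXTENSION = ".rtg"
RANSOM_NOTE_NAME = "КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt"

# Constructed sample: the first sentence of the note as quoted in the article,
# stored as cp1251 bytes. Using cp1251 here is an assumption to illustrate the
# rendering problem; the article does not say which encoding the sample uses.
NOTE_FIRST_LINE = "Ваши файлы были зашифрованны."
NOTE_BYTES = NOTE_FIRST_LINE.encode("cp1251")


def original_name(encrypted_name: str):
    """Return the pre-encryption filename for an Rtg-renamed file, else None.

    Rtg appends ".rtg" to the whole original name ("1.jpg" -> "1.jpg.rtg"),
    so stripping the suffix recovers both the original name and its real
    extension, which is what a restore-from-backup job needs.
    """
    if not encrypted_name.endswith(RTG_EXTENSION):
        return None
    stem = encrypted_name[: -len(RTG_EXTENSION)]
    return stem or None  # a bare ".rtg" carries no recoverable name


def triage_listing(paths):
    """Split a directory listing into encrypted files, ransom notes and the rest.

    Returns a dict with
      "encrypted": list of (path, original_filename) pairs,
      "notes":     list of ransom-note paths,
      "clean":     list of paths matching neither indicator.
    """
    result = {"encrypted": [], "notes": [], "clean": []}
    for path in paths:
        name = PureWindowsPath(path).name
        if name == RANSOM_NOTE_NAME:
            result["notes"].append(path)
            continue
        orig = original_name(name)
        if orig is not None:
            result["encrypted"].append((path, orig))
        else:
            result["clean"].append(path)
    return result


def render_as(raw: bytes, codepage: str) -> str:
    """Show how the same note bytes look under a given single-byte codepage."""
    return raw.decode(codepage, errors="replace")


def recover_cyrillic(mojibake: str) -> str:
    """Undo a cp1252 misrendering of cp1251 text.

    Re-encoding the garbled string with the codepage that produced it gives
    back the original bytes; decoding those bytes as cp1251 restores the
    Russian text. Bytes undefined in cp1252 would be lost, which is why the
    raw bytes of a note should be preserved alongside any rendering.
    """
    return mojibake.encode("cp1252", errors="replace").decode("cp1251", errors="replace")


if __name__ == "__main__":
    # Constructed listing of a victim's Documents folder after infection.
    listing = [
        r"C:\Users\victim\Documents\1.jpg.rtg",
        r"C:\Users\victim\Documents\2.png.rtg",
        r"C:\Users\victim\Documents\КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt",
        r"C:\Users\victim\Documents\notes.txt",
    ]
    report = triage_listing(listing)
    for path, orig in report["encrypted"]:
        print(f"encrypted: {path}  (original name: {orig})")
    print(f"ransom notes: {report['notes']}")
    garbled = render_as(NOTE_BYTES, "cp1252")
    print(f"note as seen on a Western-codepage system: {garbled}")
    print(f"note decoded as cp1251:                    {recover_cyrillic(garbled)}")
```

The listing functions are deliberately path-only so they can be run against a file inventory exported from a backup or forensic image rather than against a live infected host; the codepage pair demonstrates why an analyst should capture the note's raw bytes rather than a screenshot of the pop-up.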

Rtg Ransom Note Written in Russian

The complete text of the Rtg ransom note, reproduced as dropped (including the original's spelling errors), reads as follows:

Ваши файлы были зашифрованны. Для того что бы расшифровать свои файлы, Вам необходимо написать нам, на адрес почты, который указан ниже.

resk94043@rambler.ru

Ждем ответа сегодня, если не получим ответа , удаляем ключи расшифровки Ваших файлов

Мы Вам написали:
t1503@bk.ru
или
ooosk-ural@yandex.ru

Если не получили письмо, Ждем ответа с другой почты.!

In English translation:

Your files have been encrypted. To decrypt your files, you need to write to us at the e-mail address given below.

resk94043@rambler.ru

We expect a reply today; if we do not receive a reply, we delete the decryption keys for your files.

We have written to you from:
t1503@bk.ru
or
ooosk-ural@yandex.ru

If you did not receive the letter, we await a reply from a different e-mail address!

How is Ransomware Like Rtg Distributed Online?

Ransomware like Rtg is typically distributed online through a range of methods that exploit software vulnerabilities or take advantage of human behaviour. Common distribution methods include:

  • Phishing Emails: Phishing emails are one of the most prevalent ways ransomware is distributed. Cybercriminals send deceptive emails pretending to be from legitimate sources, luring recipients into clicking on malicious links or downloading infected attachments. These emails often contain urgent or enticing messages to trick users into taking action.
  • Malicious Websites and Downloads: Ransomware can be distributed through compromised websites or fake download links. Users may unknowingly download infected software, cracked applications, or fake updates, leading to the installation of ransomware on their systems.
  • Exploit Kits: Cybercriminals use exploit kits to target known vulnerabilities in software or browsers. When a user visits a compromised website, the exploit kit automatically identifies and exploits these vulnerabilities to deliver the ransomware payload.
  • Malvertising: Malicious advertisements, or malvertising, can be injected into legitimate websites to redirect users to malicious websites hosting ransomware. These ads may appear on popular websites or ad networks, making them difficult to avoid.
  • Drive-by Downloads: Drive-by downloads occur when users visit compromised or malicious websites, and the ransomware is automatically downloaded and executed without their knowledge or consent.
August 2, 2023