R44s Ransomware

What is R44s Ransomware?

R44s Ransomware is an infection that was clearly built with a global audience in mind. When it encrypts files, it drops nine versions of the same ransom note, each written in a different language: Spanish, Dutch, Italian, German, French, Russian, Farsi, Chinese, and English. The names of these files are “LEAME_PARA_DESCIFRAR_ARCHIVOS.txt,” “LEESMIJ-BESTAND_VOOR_HET_DECODEREN_VAN_BESTANDEN.txt,” “LEGGIMI_PER_DECIFRARE_I_FILES.txt,” “LESEN_SIE_MICH_UM_DATEIEN_ZU_ENTSCHLUSSELN.txt,” “LISEZ-MOI_POUR_DECHIFFRER_LES_FICHIERS.txt,” “PROCHTI_MENYA_DLYA_RASSHIFROVKI_FAYLOV.txt,” “شروع_رمزگ_شایی.txt,” “重新解密文件.txt,” and “README_TO_DECRYPT_FILES.html.” Although these files are not malicious per se, you want to delete them all. Of course, it is most important that you remove the R44s Ransomware files that are responsible for encrypting your personal files. Even though that will not help you recover your files, it will help you move towards a malware-free operating system.

How does R44s Ransomware work?

R44s Ransomware, according to Anti-Spyware-101.com malware researchers, is most likely to spread using spam emails and bundled downloaders. One sample that was tested in our internal lab used a PDF file icon to conceal the launcher executable file. Needless to say, this is a clever way to fool less careful Windows users, who might not suspect a thing when they see a file that looks like a PDF document. Unfortunately, as soon as the file is opened, R44s Ransomware starts its attack. First and foremost, this malware encrypts your personal files, after which you should discover the “.r44s” extension appended to all original names. When you see this extension, you can be sure that the file is unreadable. It is unreadable because the attackers encrypt the data to make sure that you are, in effect, “locked out.” On the Desktop and in %PUBLIC%, you should find the .TXT and .HTML files with the ransom note inside. Regardless of the language in which the ransom note is written, the instructions inside are always the same. Victims who want to restore files are meant to send 1 Bitcoin to 1X3eCf1JriycNiWwpNHyQamZS1pApE8XX and then send a unique ID key and the confirmation of the transaction to pc.master@aol.com.

At the time of research, the attackers’ Bitcoin wallet was empty, which means that no one had transferred the ransom of 1 Bitcoin. This crypto-currency is very volatile, but during our analysis, 1 Bitcoin was worth between 6,500 and 7,000 US Dollars. Needless to say, this is not a small sum, and so even if you might be interested in paying it, you might be unable to gather the funds. Well, whether or not you have the money, you are unlikely to get your files back if you pay the ransom, so keep your money. The image displayed as the Desktop wallpaper (stored as “wallpaper.jpg” on the Desktop) is meant to push you to pay the ransom as well, but do not give in. Hopefully, you do not need to wonder what should be done because you have copies of personal files stored somewhere safe. Even if you cannot replace all corrupted files, if you can replace the most important photos, documents, and other personal files, you should be able to beat R44s Ransomware. Of course, if you can replace the encrypted files with backups, you should do that only after you delete the malicious infection. What about third-party decryption tools? None that would work existed at the time of research, but if you are going to install something, please be careful.

How to remove R44s Ransomware

We do not think that every victim of R44s Ransomware will be able to delete it manually. Of course, if you know where the launcher of the infection landed, you might be able to locate and delete it successfully. In that case, following the guide below – which shows how to eliminate the remaining components – should be easy enough. Another option you have is to install a legitimate anti-malware program. Once you set it up, it can thoroughly scan your entire operating system to detect threats, and it can also perform the removal automatically. Beyond that, it can secure your system to ensure that you do not need to deal with new infections in the future. Note that even if you delete R44s Ransomware manually, your Windows operating system will remain vulnerable, and it is up to you to figure out how to protect it against new invaders. Our last piece of advice for you is to always back up personal files, because you never know when you might need copies.

Removal Guide

  1. Delete recently downloaded suspicious files.
  2. Tap Win+E keys on the keyboard to access File Explorer.
  3. Enter %APPDATA% into the quick access field at the top.
  4. Delete a malicious .exe file (in our case, it was named ti19yhr.exe).
  5. Enter %PUBLIC% into the quick access field.
  6. Delete a malicious .exe file (in our case, it was named r44s_2020-04-01 0152.exe).
  7. Delete the ransom note files:
    • LEAME_PARA_DESCIFRAR_ARCHIVOS.txt
    • LEESMIJ-BESTAND_VOOR_HET_DECODEREN_VAN_BESTANDEN.txt
    • LEGGIMI_PER_DECIFRARE_I_FILES.txt
    • LESEN_SIE_MICH_UM_DATEIEN_ZU_ENTSCHLUSSELN.txt
    • LISEZ-MOI_POUR_DECHIFFRER_LES_FICHIERS.txt
    • PROCHTI_MENYA_DLYA_RASSHIFROVKI_FAYLOV.txt
    • شروع_رمزگ_شایی.txt
    • 重新解密文件.txt
    • README_TO_DECRYPT_FILES.html
  8. Exit File Explorer and then move to the Desktop.
  9. Delete the file named wallpaper.jpg and then set the desired Desktop wallpaper image.
  10. Also, delete the ransom note files (check step 7).
  11. Launch Run by tapping Win+R keys and then enter regedit into the dialog box.
  12. In Registry Editor, go to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  13. Delete the value named Message-2019 and then exit Registry Editor.
  14. Empty Recycle Bin and then immediately install a legitimate malware scanner.
  15. Perform a full system scan to make sure that you did not leave any components behind.
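The indicators described above (the “.r44s” extension, the nine ransom note names, wallpaper.jpg on the Desktop, the Run value Message-2019, and executables dropped in %APPDATA% and %PUBLIC%) can be checked in one pass before anything is deleted. The following PowerShell script is an added example written for this article, not code from Anti-Spyware-101.com or from the malware; it only reports what it finds so that you can confirm each artifact before removing it by hand. The file names, registry value and extension come from the write-up; the script layout, the parameter name and the 14-day window for “recent” executables are assumptions.

```powershell
<#
  R44s indicator audit (added example, not from the original article).
  Report-only: lists the artifacts the write-up names so you can confirm
  them before deleting anything. Ransom note names, the Run value and the
  .r44s extension come from the article; the -RecentDays default is assumed.
#>
[CmdletBinding()]
param(
    # How far back an .exe in %APPDATA% / %PUBLIC% counts as "recent" (assumed default)
    [int]$RecentDays = 14
)

# Ransom note names quoted in the article (nine languages)
$RansomNotes = @(
    'LEAME_PARA_DESCIFRAR_ARCHIVOS.txt',
    'LEESMIJ-BESTAND_VOOR_HET_DECODEREN_VAN_BESTANDEN.txt',
    'LEGGIMI_PER_DECIFRARE_I_FILES.txt',
    'LESEN_SIE_MICH_UM_DATEIEN_ZU_ENTSCHLUSSELN.txt',
    'LISEZ-MOI_POUR_DECHIFFRER_LES_FICHIERS.txt',
    'PROCHTI_MENYA_DLYA_RASSHIFROVKI_FAYLOV.txt',
    'شروع_رمزگ_شایی.txt',
    '重新解密文件.txt',
    'README_TO_DECRYPT_FILES.html'
)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Kind, $Path, $Note) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Path = $Path; Note = $Note })
}

# 1. Persistence: the Run value the article names (step 13 of the guide)
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runVal = Get-ItemProperty -Path $runKey -Name 'Message-2019' -ErrorAction SilentlyContinue
if ($runVal) {
    Add-Finding 'RunKey' "$runKey\Message-2019" $runVal.'Message-2019'
}

# 2. Ransom notes on the Desktop and in %PUBLIC% (steps 7 and 10)
$desktop = [Environment]::GetFolderPath('Desktop')
foreach ($dir in @($desktop, $env:PUBLIC)) {
    foreach ($name in $RansomNotes) {
        $p = Join-Path $dir $name
        if (Test-Path -LiteralPath $p) { Add-Finding 'RansomNote' $p '' }
    }
}

# 3. The replacement wallpaper dropped on the Desktop (step 9)
$wp = Join-Path $desktop 'wallpaper.jpg'
if (Test-Path -LiteralPath $wp) { Add-Finding 'Wallpaper' $wp '' }

# 4. Recently created executables in the two drop locations (steps 4 and 6);
#    the names vary per sample, so only the location and age are used here
$cutoff = (Get-Date).AddDays(-$RecentDays)
foreach ($dir in @($env:APPDATA, $env:PUBLIC)) {
    Get-ChildItem -LiteralPath $dir -Filter '*.exe' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -gt $cutoff } |
        ForEach-Object { Add-Finding 'RecentExe' $_.FullName ("created " + $_.CreationTime) }
}

# 5. Encrypted files: count anything under the user profile carrying the .r44s extension
$encrypted = @(Get-ChildItem -LiteralPath $env:USERPROFILE -Recurse -Filter '*.r44s' -File -ErrorAction SilentlyContinue)
if ($encrypted.Count -gt 0) {
    Add-Finding 'EncryptedFiles' $env:USERPROFILE ("{0} file(s) with .r44s extension" -f $encrypted.Count)
}

if ($findings.Count -eq 0) {
    Write-Output 'No R44s indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell prompt so the HKLM key and %PUBLIC% are readable; the recursive search under the user profile is the slow part and can be dropped if you only need the persistence and drop-location checks. A listed .exe is a candidate, not a verdict: compare it against the launcher names seen in your own case before deleting, and follow up with the full scan in step 15 regardless of what the audit reports.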