R980 Ransomware Removal Guide

One careless step online could lead to the infiltration of the malicious R980 Ransomware. If this infection finds its way into your operating system, it can encrypt your personal files and hold them hostage until you pay a set ransom, which, at the moment, is 0.5 BTC. According to the research conducted by our team, this ransomware might hide its malicious launcher in a spam email. For example, you might receive an email from a post office indicating that a package is waiting for collection and that you can collect it using the invoice attached. Needless to say, the message carried within this email seems harmless, and you might open the attachment without even thinking about whether or not you are expecting a package in the first place. If you are tricked, you might end up having to delete R980 Ransomware.

It appears that there are several different versions of the suspicious R980 Ransomware. Some users claim that a malware scanner detects this threat; however, the encryption of files is not initiated, which, of course, is an ideal situation. However, some users detect this threat only after it is done encrypting files. It is not difficult to see if your personal files are encrypted by this infection because all you need to do is check any folder containing documents or photos (maybe these files are also located on the Desktop) and see if they have gained the “.crypt” extension. You will not be able to open these files, and a TXT file (DECRYPTION_INSTRUCTIONS.txt) will be placed next to them to inform you of what is expected from you. Here are a few extracts from the intimidating text file.

!!!!ATTENTION!!!! YOUR FILES HAVE BEEN ENCRYPTED!!!!!
ALL of your documents, photos, databases and other important files have been encrypted with AES - 256 and RSA4096. You will not be able to recover your files without the private key which has been saved on our server.

To decrypt your files you have to pay .5 Bitcoins (BTC).

The background image on your Desktop will also be replaced with the rbg.png (might have a different name) file in the %TEMP% directory, and this is usually the first sign for most users that their operating systems are corrupted. The PNG file uses part of the message from the DECRYPTION_INSTRUCTIONS.txt, but it pushes you to open that file, and this is because this file actually includes the instructions on how to pay the ransom. The process of paying the ransom might be quite difficult for you if you have no experience with Bitcoins, Bitcoin wallets, Bitcoin addresses, etc. Of course, if you follow the instructions provided via the TXT file, the malicious cyber crooks behind R980 Ransomware should get your money quite quickly. The problem is that although the sum demanded is quite low – if you compare it with other infections that might demand up to 5 bitcoins or more – the payment involves dealing with cyber criminals, and they cannot be trusted. What if you spend all your savings and your files remain encrypted after the 24 hour period? Unfortunately, there is a big possibility that this will happen.

It should be obvious that you must remove R980 Ransomware, but what are you supposed to do about the files that are encrypted by this infection. Since there are absolutely no guarantees that paying the ransom demanded by cyber criminals is a guaranteed solution, we cannot recommend paying the ransom. We recommend checking file decryption tools created by legitimate companies. We have not found a tool that would work for this ransomware yet, but we are still hopeful. Unfortunately, most ransomware infections trap users successfully, without any way out. In the best case scenario, you will be able to delete R980 Ransomware without any consequences if your personal files are backed up in an external drive or an online storage cloud. If your files are lost, let this be a lesson that you need to protect your operating system and back up all of your files to prevent damage or loss.

The instructions below show how to remove R980 Ransomware manually, but this process is quite complex because you need to know where the launcher is and you must be able to identify a malicious .exe file and a RUN entry in the Windows Registry.

How to delete R980 Ransomware

1. Identify the malicious launcher and right-click and Delete it.
2. Right-click and Delete all copies of the DECRYPTION_INSTRUCTIONS.txt file.
3. Launch Explorer by tapping Win+E keys on the keyboard.
4. Type %temp% into the address bar at the top and tap Enter.
5. Right-click and Delete the PNG file representing the wallpaper image.
6. Right-click and Delete the malicious .exe file (e.g., Taskhost.exe).
7. Launch RUN by tapping Win+R keys on the keyboard.
8. Type regedit.exe into the dialog box and click OK to launch Registry Editor.
9. Navigate to HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
10. Right-click and Delete the ransomware-related value (e.g., BeeCrypt).