R2Block Ransomware Description
The R2Block Ransomware is a file-locking Trojan with no known family that blocks media files on Windows PCs. No free decryption method is currently available, and symptoms of an attack include a hijacked wallpaper, changed file extensions and pop-ups in Persian. Users with anti-malware tools should use them to remove the R2Block Ransomware as soon as possible and then restore their files from the latest backup.
An Upcoming Dilemma for Iranians with Windows
Some of the best-known parts of the threat landscape that concern Iranians include high-level industrial saboteur ops and spyware campaigns, such as the Rampant Kitten APT's cyber-rampages. Not surprisingly, the nation also has room for file-locker Trojans, just like Russia, Germany, the US and others worldwide. The R2Block Ransomware is a somewhat rare case of Trojans with encryption features targeting Iranians with high specificity.
The R2Block Ransomware is a .NET Framework Trojan for Windows that implements the usual attacks of encrypting or locking files, adding its extension ('.r2block') to their names, and giving ransom notes to the victims. Unlike some of the currently-populous families of file-locker Trojans, the R2Block Ransomware also hijacks the desktop with a wallpaper that displays its ransom warnings and drops copies of that image throughout the PC's encrypted directories.
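A triage sketch built on the symptoms described above, added here as an example and not taken from the page's author or any vendor tool: it walks a directory tree, lists files carrying the '.r2block' extension under their original names, and flags any identical image found in two or more affected directories. The image extensions, sample file names and function names are assumptions, since the page does not state the dropped image's format.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

LOCKED_EXT = ".r2block"                         # extension named on the page
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".bmp"}  # assumption: image format is not stated

def triage(root):
    """Return ({directory: [original file names]}, {image sha256: [affected directories]})."""
    locked = defaultdict(list)
    images = defaultdict(set)  # sha256 -> directories holding that exact image
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            stem, ext = os.path.splitext(name)
            if ext.lower() == LOCKED_EXT:
                locked[dirpath].append(stem)  # the extension is appended, so stem is the old name
            elif ext.lower() in IMAGE_EXTS:
                with open(os.path.join(dirpath, name), "rb") as fh:
                    images[hashlib.sha256(fh.read()).hexdigest()].add(dirpath)
    # The same image bytes in several directories that also hold locked files
    # matches the "copies of that image throughout encrypted directories" symptom.
    affected = set(locked)
    repeated = {h: sorted(d & affected) for h, d in images.items()
                if len(d & affected) >= 2}
    return dict(locked), repeated

def build_sample(root):
    """Constructed sample tree (not real malware output) for a dry run."""
    layout = {"Docs": ["report.docx.r2block", "tax.xlsx.r2block"],
              "Pics": ["cat.jpg.r2block"], "Clean": []}
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for n in names:
            open(os.path.join(root, sub, n), "wb").close()
    for sub in ("Docs", "Pics"):  # hypothetical name for the dropped image
        with open(os.path.join(root, sub, "note.png"), "wb") as fh:
            fh.write(b"constructed placeholder for the ransom image")
    with open(os.path.join(root, "Clean", "holiday.png"), "wb") as fh:
        fh.write(b"unrelated image")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        locked, repeated = triage(tmp)
        for d, names in sorted(locked.items()):
            print(d, "->", sorted(names))
        for h, dirs in repeated.items():
            print("repeated image", h[:12], "in", dirs)
```

The per-directory list of original names gives the set of files to restore from backup once the Trojan has been removed.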
Both the R2Block Ransomware's desktop background and its interactive pop-up use Persian (AKA Iranian) for their ransom demands, with no built-in English translations. There are few crucial details in the texts besides the threat actor's mentioning 'sending a movie' and a title bar that refers to the Trojan as 'BMI DataSender.' The latter may refer to the victim sending data to the threat actor in exchange for further file-recovery negotiations or be part of the original disguise that helps trick victims into infecting their computers.
Taking the Data Block Back Out of a Trojan
The R2Block Ransomware's choices of pop-up formatting, dropping of redundant image files, and other features lead malware experts to believe that the threat actor isn't highly experienced, unlike the creators of, for instance, NEFILIM Ransomware. Still, users at risk of infection are just as much at risk of having their documents and other media locked permanently. There is no free, compatible decryption service for the R2Block Ransomware, although victims may submit samples for further investigation into the potential for one.
The R2Block Ransomware isn't a relative of a typical family like the STOP Ransomware, but most PC security products detect it through generic threat characteristics. Windows users can remove the R2Block Ransomware with appropriate anti-malware services to limit the damage or avoid it entirely.
Iran isn't the first nation one might think of for file-locking threats. Unfortunately, the R2Block Ransomware and those like it go wherever they can make ransoms, and no country, server or Windows user is safe by dint of residence.