R2Block Ransomware

Posted: November 19, 2020

R2Block Ransomware Description

The R2Block Ransomware is a file-locking Trojan without a known family that blocks media files on Windows PCs. There is currently no free way to reverse its encryption, and symptoms of an attack include hijacked wallpapers, extension changes and pop-ups in Persian. Users with anti-malware tools should use them to remove the R2Block Ransomware as soon as possible and then retrieve their files from the latest backup.

An Upcoming Dilemma for Iranians with Windows

Some of the best-known parts of the threat landscape that concern Iranians include high-level industrial saboteur ops and spyware campaigns, such as the Rampant Kitten APT's cyber-rampages. Not surprisingly, the nation also has room for file-locker Trojans, just like Russia, Germany, the US and others worldwide. The R2Block Ransomware is a somewhat rare case of Trojans with encryption features targeting Iranians with high specificity.

The R2Block Ransomware is a .NET Framework Trojan for Windows that implements the usual attacks of encrypting or locking files, adding its extension ('.r2block') to their names, and giving ransom notes to the victims. Unlike some of the currently populous families of file-locker Trojans, the R2Block Ransomware also hijacks the desktop with a wallpaper that displays its ransom warnings and drops copies of that image throughout the PC's encrypted directories.
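The two on-disk symptoms described above (the appended '.r2block' extension and the same image repeated across encrypted directories) can be used to scope the damage before restoring from backup. The following triage script is an added example, not code from the original page; the image extensions, the sample file names and the temporary sample tree are constructed assumptions, since the page does not state the image's name or format.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

LOCKED_EXT = ".r2block"  # extension named in the write-up
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".bmp"}  # assumption: image format is not stated

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def triage(root):
    """Return (locked dir -> original names, image hash -> paths repeated across locked dirs)."""
    locked, images = defaultdict(list), defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            stem, ext = os.path.splitext(name)
            if ext.lower() == LOCKED_EXT:
                locked[dirpath].append(stem)  # name before the extension was appended
            elif ext.lower() in IMAGE_EXTS:
                images[dirpath].append(os.path.join(dirpath, name))
    by_hash = defaultdict(list)
    for dirpath in locked:  # only hash images that sit beside locked files
        for path in images[dirpath]:
            by_hash[sha256_of(path)].append(path)
    note_copies = {h: sorted(p) for h, p in by_hash.items()
                   if len({os.path.dirname(x) for x in p}) > 1}
    return dict(locked), note_copies

def build_sample_tree(root):
    """Constructed sample data: two folders with locked files, one untouched."""
    note = b"constructed stand-in for the dropped ransom image"
    layout = {
        "docs": {"report.docx.r2block": b"x", "note.png": note},
        "pics": {"cat.jpg.R2BLOCK": b"y", "note.png": note, "own.png": b"user image"},
        "clean": {"notes.txt": b"z"},
    }
    for folder, files in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name, data in files.items():
            with open(os.path.join(root, folder, name), "wb") as fh:
                fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        locked, notes = triage(tmp)
        print({os.path.basename(d): n for d, n in locked.items()})
        print({h[:12]: len(p) for h, p in notes.items()})
```

The recovered original names give a per-directory list to check against the backup set, and an image hash that repeats across affected directories marks the dropped copies for cleanup after the Trojan itself has been removed.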

Both the R2Block Ransomware's desktop background and its interactive pop-up use Persian (AKA Iranian) for their ransom demands, with no built-in English translations. There are few crucial details in the texts besides the threat actor's mentioning 'sending a movie' and a title bar that refers to the Trojan as 'BMI DataSender.' The latter may refer to the victim sending data to the threat actor in exchange for further file-recovery negotiations or be part of the original disguise that helps trick victims into infecting their computers.

Taking the Data Block Back Out of a Trojan

The R2Block Ransomware's choices of pop-up formatting, dropping of redundant image files, and other features lead malware experts to believe that the threat actor isn't highly experienced, unlike the creators of, for instance, NEFILIM Ransomware. Still, users exposed to infections are just as much at risk of having any documents and other media left in a permanently locked state. There is no free, compatible decryption service for the R2Block Ransomware, although victims may submit samples for further investigation into whether one is possible.

Malware analysts can't confirm whether the R2Block Ransomware's payload includes a Restore Point-removing function, so that backup might remain available for recovery. Most users should assume that local backups are at risk and save additional ones to other locations that Trojans like the R2Block Ransomware can't attack. Safe browsing behavior, like avoiding illicit downloads, turning off Flash and JavaScript, and using strong passwords, also mitigates most Trojan-installing exploits.

The R2Block Ransomware isn't a relative of a typical family like the STOP Ransomware, but most PC security products detect it through generic threat characteristics. Windows users can remove the R2Block Ransomware with anti-malware services, either limiting the damage or avoiding it wholesale.

Iran isn't the first nation one might think of for file-locking threats. Unfortunately, the R2Block Ransomware and those like it go wherever they can make ransoms, and no country, server or Windows user is safe by dint of residence.

