
R2Block Ransomware

Posted: November 19, 2020

The R2Block Ransomware is a file-locking Trojan without a known family that blocks access to media files on Windows PCs. There is currently no free way to reverse its encryption, and attacks include symptoms such as hijacked wallpapers, extension changes and pop-ups in Persian. Users with anti-malware tools should use them to remove the R2Block Ransomware as soon as possible and then retrieve their files from the latest backup.

An Upcoming Dilemma for Iranians with Windows

Some of the best-known parts of the threat landscape that concern Iranians include high-level industrial saboteur ops and spyware campaigns, such as the Rampant Kitten APT's cyber-rampages. Not surprisingly, the nation also has room for file-locker Trojans, just like Russia, Germany, the US and others worldwide. The R2Block Ransomware is a somewhat rare case of Trojans with encryption features targeting Iranians with high specificity.

The R2Block Ransomware is a .NET Framework Trojan for Windows that implements the usual attacks: encrypting or locking files, appending its extension ('.r2block') to their names, and delivering ransom notes to the victims. Unlike some of the currently populous families of file-locker Trojans, the R2Block Ransomware also hijacks the desktop with a wallpaper that displays its ransom warnings and drops copies of that image throughout the PC's encrypted directories.
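The two on-disk symptoms just described (a '.r2block' extension appended to file names and the same ransom image copied into each encrypted folder) are enough for a simple triage check over a file listing. The script below is an added example, not code from the original post or from any vendor tool; the file listing, the image name 'ransom.jpg' and the hash prefixes are constructed sample data, and the thresholds are assumptions.

```python
"""Triage a file listing for the R2Block footprint: many files carrying the
'.r2block' extension plus an identical image dropped into several directories."""
from collections import Counter, defaultdict
from pathlib import PurePosixPath

R2BLOCK_EXT = ".r2block"          # extension the write-up reports the Trojan appends
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".bmp"}

# Constructed sample listing of (path, hash-prefix); forward slashes for portability.
# Not taken from a real infection; 'ransom.jpg' is a placeholder image name.
SAMPLE_LISTING = [
    ("C:/Users/ali/Documents/report.docx.r2block", "a1"),
    ("C:/Users/ali/Documents/budget.xlsx.r2block", "b2"),
    ("C:/Users/ali/Documents/ransom.jpg", "ffff"),
    ("C:/Users/ali/Pictures/holiday.png.r2block", "c3"),
    ("C:/Users/ali/Pictures/ransom.jpg", "ffff"),
    ("C:/Users/ali/Music/song.mp3", "d4"),
    ("C:/Windows/System32/notepad.exe", "e5"),
]


def analyze_listing(listing, ext=R2BLOCK_EXT, min_copies=2):
    """Return (encrypted_dirs, dropped_images).

    encrypted_dirs maps a directory to the number of files carrying `ext`.
    dropped_images lists (name, hash) of identical images found in at least
    `min_copies` directories, the wallpaper-copy pattern described above."""
    encrypted = Counter()
    image_dirs = defaultdict(set)
    for path, digest in listing:
        p = PurePosixPath(path)
        suffix = p.suffix.lower()
        if suffix == ext:
            encrypted[str(p.parent)] += 1
        elif suffix in IMAGE_EXTS:
            image_dirs[(p.name, digest)].add(str(p.parent))
    dropped = sorted(k for k, dirs in image_dirs.items() if len(dirs) >= min_copies)
    return dict(encrypted), dropped


def triage(listing, min_encrypted=2):
    """Combine both signals into a verdict dict; thresholds are assumptions."""
    encrypted, dropped = analyze_listing(listing)
    total = sum(encrypted.values())
    return {
        "encrypted_files": total,
        "encrypted_dirs": encrypted,
        "dropped_images": dropped,
        "likely_r2block": total >= min_encrypted and bool(dropped),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```

Point the script at a real directory walk (path plus a hash of each small image) to confirm an infection before restoring from backup.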

Both the R2Block Ransomware's desktop background and its interactive pop-up use Persian (AKA Iranian) for their ransom demands, with no built-in English translation. The texts contain few crucial details besides the threat actor's mention of 'sending a movie' and a title bar that refers to the Trojan as 'BMI DataSender.' The latter may refer to the victim sending data to the threat actor in exchange for further file-recovery negotiations, or it may be part of the original disguise that tricks victims into infecting their computers.

Taking the Data Block Back Out of a Trojan

The R2Block Ransomware's choice of pop-up formatting, its dropping of redundant image files, and other features lead malware experts to believe that the threat actor isn't highly experienced, unlike the creators of, for instance, NEFILIM Ransomware. Still, users exposed to infections are just as much at risk of having their documents and other media left in a permanently locked state. There is no compatible free decryption service for the R2Block Ransomware, although victims may submit samples so that researchers can investigate whether one is possible.

Malware analysts can't confirm whether the R2Block Ransomware's payload includes a Restore Point-deleting function, so that backup might remain available for recovery. Most users should nonetheless assume that local backups are at risk and save additional copies to other locations that Trojans like the R2Block Ransomware can't reach. Safe browsing behavior, like avoiding illicit downloads, turning off Flash and JavaScript, and using strong passwords, also mitigates most Trojan-installing exploits.

The R2Block Ransomware isn't a relative of a typical family like the STOP Ransomware, but most PC security products detect it through generic threat characteristics. Windows users can remove the R2Block Ransomware with appropriate anti-malware services, either to limit the damage or to avoid it altogether.

Iran isn't the first nation one might think of for file-locking threats. Unfortunately, the R2Block Ransomware and those like it go wherever they can make ransoms, and no country, server or Windows user is safe by dint of residence.
