RIGD ransomware seeks to extort you by keeping your personal files encrypted
RIGD ransomware is a type of malicious computer virus originating from the infamous STOP/DJVU malware family. After breaking into the target system, this virus encrypts all files in every directory using the RSA Salsa20 algorithm, marks each file with an extra .rigd extension, and drops a ransom note called _readme.txt behind. To illustrate, a file originally called 1.jpg appears as 1.jpg.rigd after the attack and becomes impossible to open. The ransom notes created by the virus deliver a message from the cyber criminals who operate this ransomware. According to it, the attackers expect the victim to pay a ransom worth $490 within three days, or double the price later. They suggest contacting them via two provided emails (email@example.com, firstname.lastname@example.org) for further payment details and instructions on how to get the RIGD decryption tool.
The sole aim of the RIGD ransomware virus is to function as a virtual extortion tool that locks files on the target computer, thus preventing access to them. To securely restrict access to these files, the virus uses a sophisticated military-grade encryption algorithm. In addition, the threat makes the encrypted data distinguishable by appending a new extension to each file (in fact, STOP/DJVU variants are named after the extensions they use to mark encrypted data). Once the virus gets control of the victim’s data, it demands a large sum of money as a ransom. As stated in the ransom note, paying the ransom will provide the victim with a data decryption tool and key.
If you’ve fallen victim to this ransomware attack, there are some interesting details about the virus’ algorithm that you might want to know. This ransomware is set to encrypt the very first 150KB of each file, which helps to corrupt the file quickly and proceed to another file immediately. The point of this is to keep the whole system attack speedy. However, this encryption method also has a flaw since certain data formats such as audio or video files can be repaired and restored with some data loss at the beginning of the file. You can learn more about decrypting or repairing encrypted files in this guide.
The virus leaves the ransom note (_readme.txt) in every folder. It starts with a line “ATTENTION! Don’t worry, you can return all your files” and continues to explain that all pictures, databases, documents and other file formats were encrypted using “strongest encryption and unique key.” Next, the note mentions that the only possible way to recover these files is to purchase RIGD decryption tool and key from the ransomware developers. In addition, the note suggests that the victim can test the decryption. In order to do it, the victim has to send one encrypted file to attackers via provided emails and expect a decrypted version of the file in return. However, the full data decryption costs $490 if the victim writes to the attackers and pays within 3 days. If the victim delays this for any longer, the price rises to $980. Of course, the attackers expect the victim to make the transaction using cryptocurrency such as Bitcoin as this helps to keep them anonymous.
If you’re wondering whether you should pay up or not, we’d like to advise you not to do it. Cybersecurity experts from our team provide several reasons why paying a ransom to cybercriminals is a bad idea. The same view is echoed by FBI recommendations for ransomware victims.
- Remember that cybercriminals might not do what they promised after receiving your money. In other words, there is no way you can hunt them down and make them give your money or files back.
- Ransomware operators collect millions of US dollars each year. The insane amounts of income malware generates lure other people to join these operations as affiliates. Please, do not pay your hard-earned money to cybercriminals who extort people!
- Paying a ransom might be viewed as an illegal act in certain countries.
- Viruses from STOP/DJVU ransomware family such as RIGD often carry AZORULT Trojan alongside them and drop it on compromised computers. It is malware that steals private information that can be used for further blackmail.
REPAIR VIRUS DAMAGE
Scan your system for FREE to detect security, hardware and stability issues. You can use the scan results and try to remove threats manually, or you can choose to get the full version of software to fix detected issues and repair virus damage to Windows OS system files automatically. Includes Avira spyware/malware detection & removal engine.
Details about the ransomware’s functionality
After being launched on the target computer, RIGD ransomware checks whether the computer has a stable Internet connection and attempts to connect to its Command&Control server to get a unique encryption key. If this fails, the ransomware uses a hardcoded “offline” key to encrypt files instead. An offline key can be recognized from the victim’s personal ID, which normally ends in t1 in such cases.
The virus begins the attack by launching winupdate.exe, a fake program that mimics a Windows update prompt. This is done to deceive the victim, justify a sudden system slowdown, and convince the victim not to do anything about it. The ransomware then runs the main executable, which is designed to encrypt all files on the system, drop ransom notes and also delete Volume Shadow Copies from the system using a command-line task:
vssadmin.exe Delete Shadows /All /Quiet
Deleting the shadow copies prevents the victim from using System Restore points to restore some encrypted files for free. In other words, the malware does everything it can to prevent the victim from restoring locked data without paying. To cause even more stress, the ransomware also adds a list of domains to the Windows HOSTS file and maps them to the localhost IP. As a result, whenever the victim attempts to access one of these sites, a DNS_PROBE_FINISHED_NXDOMAIN error shows up because of a DNS resolution error. It is believed that ransomware operators do this to prevent the computer user from reaching cybersecurity and computer-related information online which could lead to successful ransomware removal and data recovery.
One of the reasons why the virus blocks a list of computer-related domains is probably the fact that it also silently launches the AZORULT Trojan on the system. It is an information-stealing Trojan that can be controlled by the attacker remotely. In other words, if you get infected with this Trojan, cybercriminals can remotely perform a list of actions on your computer such as:
- Download additional malware and run it;
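The two behaviours just described (shadow-copy deletion through vssadmin and HOSTS entries that sinkhole sites to localhost) are cheap to look for during triage. The following is an added example, not code from the original article: it scans constructed process-creation log lines for shadow-copy deletion commands and parses constructed HOSTS file content for non-local names mapped to a loopback address. The log line format and the example domain names are assumptions made up for the demonstration.

```python
"""Added example (not from the original article): two triage checks for the
behaviours the article describes in STOP/DJVU infections.  All sample input
below is constructed; the log line format is an assumption (a real feed would
be Sysmon Event ID 1 or Windows Security 4688 records)."""
import re
from typing import List, Tuple

# Constructed process-creation log lines. Only the second line deletes shadow
# copies; the last one merely lists them and must not be flagged.
SAMPLE_PROCESS_LOG = """\
2022-06-10 09:12:01 parent=explorer.exe image=C:\\Users\\victim\\AppData\\Local\\winupdate.exe cmdline="winupdate.exe"
2022-06-10 09:12:03 parent=winupdate.exe image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin.exe Delete Shadows /All /Quiet"
2022-06-10 09:13:40 parent=services.exe image=C:\\Windows\\System32\\svchost.exe cmdline="svchost.exe -k netsvcs"
2022-06-10 09:15:12 parent=cmd.exe image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin.exe list shadows"
"""

# Matches vssadmin invocations that delete shadow copies, tolerant of case and spacing.
SHADOW_DELETE_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)


def find_shadow_copy_deletions(log_text: str) -> List[str]:
    """Return the log lines whose command line deletes Volume Shadow Copies."""
    return [line for line in log_text.splitlines() if SHADOW_DELETE_RE.search(line)]


# Constructed HOSTS file content: the two default loopback lines plus entries of
# the kind the article describes (the domain names are placeholders).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.example-security-vendor.com
127.0.0.1 example-removal-guide.org   # added by malware
0.0.0.0 analytics.example.net
"""

SINKHOLE_ADDRESSES = {"127.0.0.1", "::1", "0.0.0.0"}
LEGIT_LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def find_hosts_blocks(hosts_text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs that redirect a non-local name to a
    loopback/blackhole address, i.e. HOSTS-based blocking of that site."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        if addr not in SINKHOLE_ADDRESSES:
            continue
        for name in names:
            if name.lower() not in LEGIT_LOCAL_NAMES:
                hits.append((addr, name))
    return hits


if __name__ == "__main__":
    for line in find_shadow_copy_deletions(SAMPLE_PROCESS_LOG):
        print("shadow copy deletion:", line)
    for addr, name in find_hosts_blocks(SAMPLE_HOSTS):
        print(f"HOSTS block: {name} -> {addr}")
```

On a live system the HOSTS check would read `%SystemRoot%\System32\drivers\etc\hosts`; any entry it reports that the administrator did not add is a sign the file should be restored to its defaults during cleanup.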
- Take various login credentials, such as those of Telegram, Steam and other programs and send them to criminals;
- View or delete files on the victim’s computer;
- Steal cryptocurrency wallets and their contents;
- Steal browser-saved passwords, browser cookies, browsing history and more.
If you have fallen victim to this ransomware, we suggest that you do not delay any longer and take action to secure your computer as soon as possible. We strongly recommend you to scan your computer with professional security software such as INTEGO Antivirus to remove RIGD ransomware virus and related threats safely. Additionally, we recommend downloading and running a system scan with RESTORO to repair virus damage on Windows OS files.
| Name | RIGD Ransomware Virus |
| --- | --- |
| Type | Ransomware; Crypto-malware; Virtual Extortion Virus |
| Encryption type | RSA Salsa20 |
| Previous versions | BBYY, BBII, BBZZ, BBII, HKGT, EFVC, EIJY (find full list here) |
| Dropper | SmokeLoader (see VirusTotal details) |
| Damage | The ransomware locks files on the compromised computer using a military-grade encryption algorithm. The encrypted files can be identified by the additional .rigd extension appended to the original file names. The ransomware creates and saves _readme.txt notes in every file directory. The threat deletes Volume Shadow Copies to prevent easy data recovery for the victim and adds a list of restricted domain names to the Windows HOSTS file. Some variants of this ransomware strain tend to drop the AZORULT Trojan on the system. |
| Ransom demand | $490-$980 in Bitcoin |
| Distribution | Victims often download this ransomware along with illegal torrent downloads, cracked software, key generators or tools like KMSPico. |
| Detection names | Trojan:Win32/Glupteba (Microsoft), VHO:Trojan-Spy.Win32.Stealer.gen (Kaspersky), Gen:Variant.Graftor.974954 (BitDefender), ML.Attribute.HighConfidence (Symantec), W32.Trojan.Gen (Webroot); see all detection name variations on VirusTotal |
| Removal | Remove ransomware and related malware from your PC using professional software of your choice. We highly recommend using INTEGO Antivirus. To repair virus damage on Windows OS files, consider scanning with RESTORO. |
How ransomware-type viruses are distributed
RIGD ransomware virus is essentially similar to previous STOP/DJVU versions, and it seems that the operators behind these threats do not tend to switch their distribution techniques often. Almost all versions from this ransomware strain travel in illegal torrent downloads such as software cracks, keygens and other tools used to activate paid software licenses for free. Therefore, if you’re into such downloads, remember that you expose yourself to a high risk of getting infected one day. Cybercriminals target this user group as they’re highly likely to ignore security software warnings and proceed to open the illegal download anyway, hoping that it will deliver a fully functional version of the software they need. Sadly, such actions are the straightest way to compromise your computer with severe malware.
Users who became victims of STOP/DJVU malware report getting the ransomware alongside software cracks for these popular programs:
- Adobe Photoshop;
- Corel Draw;
- League of Legends;
- Tenorshare 4ukey;
- Wondershare Filmora;
- Adobe Illustrator;
- Windows activation tools such as KMSPico.
If you’d like to avoid getting infected from such downloads, we suggest staying away from torrent downloads altogether. Trying to get paid content for free can only bring you problems. To get genuine software versions, you should always head to the official software developer’s website. Besides, legitimate software licenses hardly ever cost more than the amounts of money cybercriminals demand for data recovery.
Another well-known technique to spread malware (including ransomware) is to inject a malicious script into popular document formats such as DOCX, PDF or XLS and attach it to emails. Scammers then compose a convincing message, impersonating someone from a well-known company or a colleague of the victim, and ask to open the attached contents immediately. Sadly, opening these can result in severe data corruption right away. Most of the time, the scammers will name the attachments “Invoice,” “Payment information,” “Waybill,” “Tracking details,” “Order Details” or similar.
Our suggestion to avoid getting infected is to only open emails from people you know and communicate with regularly. If some email comes unexpected and seems suspicious, stay away from it. More importantly, if you can sense that the sender urges you to interact with attachments, it can be a sign that there’s some malware hidden in it.
Finally, we strongly recommend you to avoid downloading suspicious decryption tools off questionable websites. There have been cases of fake STOP/DJVU decryption tools hiding ZORAB ransomware payload in them. In other words, do not expect to find a gem solution on suspicious websites online – if an official decryption tool appears, every news website will write about it, since this ransomware strain is one of the largest and most actively attacking computer users daily.
Remove RIGD Ransomware Virus and Decrypt .rigd Files
The first step you should take in order to recover from this cyber incident is to remove the RIGD ransomware virus and related threats from your Windows system. You should follow the instructions given below, but you need to use robust security software to cleanse your system professionally. If you do not have it yet, we strongly recommend INTEGO Antivirus, a VB100 certified software with an excellent malware detection rate.
Once you complete RIGD ransomware virus removal, we also recommend downloading RESTORO to repair virus damage on Windows OS files.
- Let your local cybercrime authorities know about the Internet crime incident that you’ve become a victim of.
- Take your data backup (if you had it) to restore some files. Make sure you do it after removing all malware from the system.
- See these instructions to decrypt or repair files affected by STOP/DJVU versions.
- We also recommend changing your passwords, especially for websites that you save login credentials for in your browser.
OUR GEEKS RECOMMEND
Our team recommends removing malware using professional antivirus software and then using the following tool to repair virus damage to Windows system files:
REPAIR VIRUS DAMAGE TO YOUR COMPUTER
RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you to locate and fix detected issues manually. It is a great PC repair software to use after you remove malware with professional antivirus. The full version of software will fix detected issues and repair virus damage caused to your Windows OS files automatically.
RESTORO uses AVIRA scanning engine to detect existing spyware and malware. If any are found, the software will eliminate them.
Read full review here.
RIGD Ransomware Virus Removal Guidelines
Method 1. Enter Safe Mode with Networking
Step 1. Start Windows in Safe Mode with Networking
Before you try to remove RIGD Ransomware Virus virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, if you prefer a video version of the tutorial, check our guide How to Start Windows in Safe Mode on Youtube.
Instructions for Windows XP/Vista/7 users
- First of all, turn off your PC. Then press the Power button to start it again and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. This launches the Advanced Boot Options menu.
- Use arrow keys on the keyboard to navigate down to Safe Mode with Networking option and press Enter.
Instructions for Windows 8/8.1/10/11 users
- Open Windows Start menu, then press down the Power button. On your keyboard, press down and hold the Shift key, and then select Restart option.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Networking. In this case, it is the F5 key.
Step 2. Remove files associated with the virus
Now, you can search for and remove RIGD Ransomware Virus files. It is very hard to identify files and registry keys that belong to the ransomware virus. Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such a computer virus is to use a reliable security program such as INTEGO Antivirus, which also includes data recovery software. For virus damage repair, consider using RESTORO.
RESTORO is a unique PC Repair Tool which comes with an in-built Avira scan engine to detect and remove spyware/malware threats and uses a patented technology to repair virus damage. The software can repair damaged, missing or malfunctioning Windows OS files, corrupted DLLs, and more. The free version offers a scan that detects issues. To fix them, license key for the full software version must be purchased.
Method 2. Use System Restore
In order to use System Restore, you must have a system restore point, created either manually or automatically.
Step 1. Boot Windows in Safe Mode with Command Prompt
Instructions for Windows XP/Vista/7 users
- Shut down your PC. Start it again by pressing the Power button and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. You will see Advanced Boot Options menu.
- Using arrow keys on the keyboard, navigate down to Safe Mode with Command Prompt option and press Enter.
Instructions for Windows 8/8.1/10/11 users
- Launch Windows Start menu, then click the Power button. On your keyboard, press down and hold the Shift key, and then choose Restart option with the mouse cursor.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Command Prompt. In this case, press F6 key.
Step 2. Start System Restore process
- Wait until system loads and command prompt shows up.
- Type cd restore and press Enter, then type rstrui.exe and press Enter. Or you can just type %systemroot%\system32\restore\rstrui.exe in the command prompt and hit Enter.
- This launches System Restore window. Click Next and then choose a System Restore point created in the past. Choose one that was created before ransomware infection.
- Click Yes to begin the system restoration process.
After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Alternative software recommendations
Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense
If you're looking for an all-in-one system maintenance suite, System Mechanic Ultimate Defense has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, a password manager, online privacy protection and secure driver wiping technology. Due to this wide range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
Decrypt RIGD files
Fix and open large RIGD files easily:
It is reported that STOP/DJVU ransomware versions encrypt only the first 150 KB of each file to ensure that the virus manages to affect all files on the system. In some cases, the malicious program might skip some files altogether. That said, we recommend testing this method on several big (>1GB) files first.
- Create a copy of the encrypted file in a separate folder using the Copy > Paste commands.
- Now, right-click the created copy and choose Rename. Select the .rigd extension and delete it. Press Enter to save the changes.
- In the prompt warning that the file might become unusable if you change the extension, click OK.
- Try opening the file.
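Before renaming large files by hand, it helps to confirm that a given file really follows the partial-encryption pattern the article describes (scrambled first 150 KB, untouched remainder). The following is an added example and not code from the original article: it compares the byte entropy of the first 150 KB against the rest of the file, recovers the original file name by stripping the .rigd extension, and reports how many bytes lie past the encrypted region. The sample file is constructed in code; the 150 KB figure is the one the article gives, and the entropy thresholds are assumptions chosen for the demonstration.

```python
"""Added example (not from the original article): detect the partial-encryption
pattern the article describes (only the first 150 KB of each file encrypted)
by comparing the entropy of the head of a file with the entropy of its tail.
The sample data is constructed; thresholds are assumptions."""
import hashlib
import math
from collections import Counter
from typing import Dict

ENCRYPTED_HEAD_BYTES = 150 * 1024   # region the article says STOP/DJVU encrypts
ENCRYPTED_EXTENSION = ".rigd"
HIGH_ENTROPY = 7.5   # bits per byte; ciphertext sits close to 8.0 (assumed threshold)
LOW_ENTROPY = 6.0    # typical for text or structured data (assumed threshold)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def original_name(encrypted_name: str) -> str:
    """Strip the appended ransomware extension: '1.jpg.rigd' -> '1.jpg'."""
    if encrypted_name.lower().endswith(ENCRYPTED_EXTENSION):
        return encrypted_name[:-len(ENCRYPTED_EXTENSION)]
    return encrypted_name


def analyze(encrypted_name: str, data: bytes) -> Dict[str, object]:
    """Summarise whether the bytes past the encrypted head look untouched."""
    head, tail = data[:ENCRYPTED_HEAD_BYTES], data[ENCRYPTED_HEAD_BYTES:]
    head_e, tail_e = shannon_entropy(head), shannon_entropy(tail)
    return {
        "original_name": original_name(encrypted_name),
        "size": len(data),
        "head_entropy": round(head_e, 2),
        "tail_entropy": round(tail_e, 2),
        "intact_bytes": len(tail),
        # Scrambled head plus recognisable tail is the partial-encryption pattern;
        # files of 150 KB or less have no tail and are encrypted entirely.
        "tail_looks_intact": len(tail) > 0 and head_e >= HIGH_ENTROPY and tail_e <= LOW_ENTROPY,
    }


def _pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext (constructed)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


def build_sample() -> bytes:
    """Constructed 400 KB 'media file': scrambled 150 KB head, plain low-entropy tail."""
    tail = (b"frame data frame data frame data\n" * 8000)[: 250 * 1024]
    return _pseudo_random(ENCRYPTED_HEAD_BYTES) + tail


if __name__ == "__main__":
    report = analyze("movie.mp4.rigd", build_sample())
    for key, value in report.items():
        print(f"{key}: {value}")
```

A real run would replace `build_sample()` with the bytes of the copied file. A result with `tail_looks_intact` set is the only case where the rename trick above can help, and even then only for formats that tolerate a missing header; a file whose `intact_bytes` is 0 was encrypted in full.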
STOP/DJVU decryption tool usage guide
STOP/DJVU ransomware versions are grouped into old and new variants. RIGD Ransomware Virus is considered a new STOP/DJVU variant, just like BBYY, BBII, BBZZ, BBII, HKGT, EFVC, EIJY (find full list here). This means full data decryption is now possible only if you have been affected by an offline encryption key. To decrypt your files, you will have to download Emsisoft Decryptor for STOP DJVU, a tool created and maintained by the genius security researcher Michael Gillespie.
Note! Please do not spam the security researcher with questions whether he can recover your files encrypted with online key - it is not possible.
In order to test the tool and see if it can decrypt RIGD files, follow the given tutorial.
- Download the decryption tool from Emsisoft.
- Click the little arrow next to your download and choose Show in Folder.
- Now, right-click the file and choose Run as Administrator. If asked, enter administrator's password.
- In UAC window, click Yes.
- Click Yes to agree to software terms in both windows.
- The tool will automatically include the C:\ drive as a location to decrypt. The file recovery tool will prepopulate the locations to scan, including connected data storage drives or network drives. Click Add folder if you wish to add additional locations.
In Options tab, you can choose to keep encrypted file copies. We recommend leaving this option selected, especially if you do not know if the decryption tool will work.
- Click Decrypt to start restoring RIGD files. You will see the progress in the Results tab. Here, you can see messages from the tool, such as whether the decryption procedure is successful, or you need to wait for an update.
You might also be informed that online key was used to encrypt your files. In such case, the decryption tool won't work for you, and the only way to recover your files is to use a data backup.
Meanings of decryptor's messages
The RIGD decryption tool might display several different messages after failed attempt to restore your files. You might receive one of the following messages:
Error: Unable to decrypt file with ID: [example ID]
This message typically means that there is no corresponding decryption key in the decryptor's database.
No key for New Variant online ID: [example ID]
Notice: this ID appears to be an online ID, decryption is impossible
This message informs you that your files were encrypted with an online key, meaning no one else has the same encryption/decryption key pair; therefore data recovery without paying the criminals is impossible.
Result: No key for new variant offline ID: [example ID]
This ID appears to be an offline ID. Decryption may be possible in the future.
If you were informed that an offline key was used, but files could not be restored, it means that the offline decryption key isn't available yet. However, receiving this message is extremely good news, meaning that it might be possible to restore your RIGD extension files in the future. It can take a few months until the decryption key gets found and uploaded to the decryptor. We recommend you to follow updates regarding the decryptable DJVU versions here. We strongly recommend backing up your encrypted data and waiting.
Report Internet crime to legal departments
Victims of RIGD Ransomware Virus should report the Internet crime incident to the official government fraud and scam website according to their country:
- In the United States, go to the On Guard Online website.
- In Australia, go to the SCAMwatch website.
- In Germany, go to the Bundesamt für Sicherheit in der Informationstechnik website.
- In Ireland, go to the An Garda Síochána website.
- In New Zealand, go to the Consumer Affairs Scams website.
- In the United Kingdom, go to the Action Fraud website.
- In Canada, go to the Canadian Anti-Fraud Centre.
- In India, go to Indian National Cybercrime Reporting Portal.
- In France, go to the Agence nationale de la sécurité des systèmes d’information.
If you can't find an authority corresponding to your location on this list, we recommend using any search engine to look up "[your country name] report cyber crime". This should lead you to the right authority website. We also recommend staying away from third-party crime report services that are often paid. It costs nothing to report Internet crime to official authorities.
Another recommendation is to contact your country's or region’s federal police or communications authority.
Frequently Asked Questions
You can only open RIGD files if you have the decryption key, or if you were affected by the offline encryption type.
To figure out whether you were affected by offline encryption, please go to C:/SystemID/PersonalID.txt and see if the string inside of it ends in t1. You can also try using Emsisoft Decryptor for STOP/DJVU.
Please follow the guidance provided by the official RIGD decryption tools and believe what they say. If they say it is impossible to decrypt, it really is so. There is no magic tool or human capable of decrypting your files hiding somewhere. Encryption is a technique created to be nearly impossible to reverse without a special private key (held by the criminals).
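The PersonalID.txt check above, and the earlier note that an offline key is recognisable from a personal ID ending in t1, can be scripted so the answer is consistent every time. The following is an added example and not code from the original article: it reads the ID file at the path the article gives (falling back to a constructed sample when the file is absent), classifies every ID found as offline or online using the t1 rule from the article, and summarises what that means for recovery. The sample IDs are made-up placeholders.

```python
"""Added example (not from the original article): classify the personal ID
that STOP/DJVU leaves in C:\\SystemID\\PersonalID.txt (path from the article).
An ID ending in 't1' indicates the hardcoded offline key, per the article;
anything else is treated as an online key.  Several IDs may be present if the
machine was infected more than once, so every non-empty line is examined.
Sample IDs are constructed placeholders."""
from pathlib import Path
from typing import Dict, List

PERSONAL_ID_PATH = Path(r"C:\SystemID\PersonalID.txt")   # path given in the article
OFFLINE_SUFFIX = "t1"                                     # marker described in the article

# Constructed sample content: one offline ID and one online ID.
SAMPLE_PERSONAL_ID_FILE = (
    "EXAMPLEOFFLINEIDXXXXXXXXXXXXXXXXXXXXXXXXXt1\n"
    "EXAMPLEONLINEIDXXXXXXXXXXXXXXXXXXXXXXXXXXab\n"
)


def classify_id(personal_id: str) -> str:
    """'offline' when the ID ends in t1, 'online' otherwise, 'empty' for blanks."""
    pid = personal_id.strip()
    if not pid:
        return "empty"
    return "offline" if pid.endswith(OFFLINE_SUFFIX) else "online"


def classify_file_contents(text: str) -> List[Dict[str, str]]:
    """Classify every non-empty line of a PersonalID.txt file."""
    results = []
    for line in text.splitlines():
        pid = line.strip()
        if pid:
            results.append({"id": pid, "key_type": classify_id(pid)})
    return results


def summarize(results: List[Dict[str, str]]) -> str:
    """Turn the classification into the recovery outlook the article describes."""
    if not results:
        return "no personal ID found"
    if any(r["key_type"] == "offline" for r in results):
        return "at least one offline ID: try the Emsisoft decryptor, a key may exist or appear later"
    return "only online IDs: decryption without the attackers' key is not possible; restore from backup"


def load_personal_ids(path: Path = PERSONAL_ID_PATH) -> str:
    """Read the ID file if it exists, otherwise fall back to the constructed sample."""
    if path.is_file():
        return path.read_text(encoding="utf-8", errors="replace")
    return SAMPLE_PERSONAL_ID_FILE


if __name__ == "__main__":
    results = classify_file_contents(load_personal_ids())
    for r in results:
        print(f"{r['id']}: {r['key_type']} key")
    print(summarize(results))
```

Run it on the affected machine (after the malware has been removed) to get a quick read on whether waiting for an offline key is realistic; the decryptor's own messages remain the authoritative answer.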
We advise scanning with anti-virus, anti-malware, malware removal tools or software like RESTORO to eliminate virus damage on the system. If you do not trust using a single tool, try running one after another. However, we do not recommend keeping several security programs on a computer at once as they can interfere with each other's work.
Beware of fake RIGD decryption tools circulating around the web. Cyber criminals upload them to various shady websites and may also promote them via suspicious YouTube videos. These programs can infect your computer even more heavily (Trojans, miners, etc.). We suggest being extremely cautious around the web. If an official STOP/DJVU decryption tool becomes available, it will be widely discussed in public media.
Norbert Webb is the head of Geek’s Advice team. He is the chief editor of the website who controls the quality of content published. The man also loves reading cybersecurity news, testing new software and sharing his insights on them. Norbert says that following his passion for information technology was one of the best decisions he has ever made. “I don’t feel like working while I’m doing something I love.” However, the geek has other interests, such as snowboarding and traveling.