RIGH ransomware attacks to encrypt data on victim’s PC
Contents
RIGH ransomware is the 190th version of DJVU malware that employs asymmetric encryption to lock all victim’s files on the computer. The virus targets Windows computers and aims to prevent data access to force the victim pay a ransom. Each affected file gets marked with .righ file extension, and the virus also drops _readme.txt ransom note in every affected data folder. The ransom note commands the victim to contact criminals via datarestorehelp@firemail.cc or datahelp@iran.ir and pay a ransom of $490-$980 in Bitcoin.
The ransomware typically hides in malicious online downloads. Once opened, the malicious file runs the RIGH ransomware executive which then disables security programs, firewalls, and deletes Volume Shadow Copies. The virus begins the encryption process by scanning all file system. It has a target list of file extensions to corrupt, and bypasses folders that hold system files. Its primary goal is to restrict access to personal files (years of work, precious memories such as photos, videos, and similar).
RIGH ransomware deletes any system restore points to prevent victims from restoring their files easily. Therefore, only people who have backups will succeed in recovering files quickly.
The ransomware developers are the only ones who have private keys required for data decryption. Therefore, they suggest contacting them via provided emails and pay a ransom of $490 if paid within 72 hours from the infection. Otherwise, the price goes up to $980.
This STOP/DJVU ransomware variant is extremely dangerous as it also infects the host computer with Azorult Trojan. This Trojan is capable of stealing private information like login credentials and even more.
As you may have guessed, the first thing you need to do is wipe your computer from malware. Therefore, we suggest you to remove RIGH ransomware virus using free instructions provided at the end of this article.
Identify if your files were encrypted by offline or online key
RIGH file virus encrypts files using online or offline keys depending on its success to establish connection with its Command & Control server. In case the attempts to connect are unsuccessful, the virus encrypts files using offline key, which is the same for all victims of one extension ransomware attack.
To clarify, RIGH malware has only one offline key. This is why it is easier for security experts to extract it and use it to help victims of offline key encryption. However, if you were affected by the online key (each victim gets a different key), it is nearly impossible to recover your files.
Victims might decrypt .righ extension files in the future using STOP decrypter.
Please keep in mind that this is only possible if an offline key was used for your data encryption.
Threat summary
Name | RIGH ransomware virus |
Type | Ransomware; File-encrypting virus (STOP/DJVU variant) |
Encryption | RSA |
Symptoms | Can’t open files with .righ file extension |
Ransom note | _readme.txt |
Ransom demand | $490 or $980 |
Contact emails | datarestorehelp@firemail.cc or datahelp@iran.ir |
Distribution | Malicious downloads, including software cracks, keygens, illegal activation tools |
Decryption | Not possible. Decryption will be possible for offline key victims (see more info below) |
Additional details | Installs AZORULT Trojan |
Removal | Remove using antivirus with a help of a guide provided below |
The virus reaches victims via illegal downloads
RIGH ransomware virus victims typically install the malware by opening malicious downloads such as software cracks. Please keep in mind that such files are very dangerous and are used for illegal activation of paid software.
Malware creators love packing such downloads with various viruses, so you should keep distance from them at all times. The same distribution method has been used to spread MSOP, HETS, ZOBM and ROTE variants.
Ransomware is also frequently transmitted via phishing emails and infected websites. As a matter of fact, ransomware distribution continuously evolves and new ways to spread it emerge every now and then. Therefore, we present these ransomware prevention methods for you.
The best way to remove RIGH ransomware
You can remove RIGH ransomware virus for free using the instructions provided below this post. We also advise using antivirus software of your choice to escort the malware from the computer safely.
Only after a successful RIGH ransomware removal you can do further steps to secure yourself and try to recover some files. First of all, we suggest changing all of your login data as the Azorult Trojan could have stolen it already. Next, we recommend you to learn more about DJVU decryption by reading this article.
OUR GEEKS RECOMMEND
Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:
GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.
RIGH Ransomware Removal Guidelines
Method 1. Enter Safe Mode with Networking
Step 1. Start Windows in Safe Mode with Networking
Before you try to remove the virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, see a video tutorial on how to do it:
Instructions for Windows XP/Vista/7 users
- First of all, turn off your PC. Then press the Power button to start it again and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. This launches the Advanced Boot Options menu.
- Use arrow keys on the keyboard to navigate down to Safe Mode with Networking option and press Enter.
Instructions for Windows 8/8.1/10 users
- Open Windows Start menu, then press down the Power button. On your keyboard, press down and hold the Shift key, and then select Restart option.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Networking. In this case, it is the F5 key.
Step 2. Remove files associated with the virus
Now, you can search for and remove RIGH Ransomware files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable malware removal program. In addition, we suggest trying a combination of INTEGO Antivirus (removes malware and protects your PC in real-time) and RESTORO (repairs virus damage to Windows OS files).
Method 2. Use System Restore
In order to use System Restore, you must have a system restore point, created either manually or automatically.
Step 1. Boot Windows in Safe Mode with Command Prompt
Instructions for Windows XP/Vista/7 users
- Shut down your PC. Start it again by pressing the Power button and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. You will see Advanced Boot Options menu.
- Using arrow keys on the keyboard, navigate down to Safe Mode with Command Prompt option and press Enter.
Instructions for Windows 8/8.1/10 users
- Launch Windows Start menu, then click the Power button. On your keyboard, press down and hold the Shift key, and then choose Restart option with the mouse cursor.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Command Prompt. In this case, press F6 key.
Step 2. Start System Restore process
- Wait until system loads and command prompt shows up.
- Type cd restore and press Enter, then type rstrui.exe and press Enter. Or you can just type %systemroot%system32restorerstrui.exe in command prompt and hit Enter.
- This launches System Restore window. Click Next and then choose a System Restore point created in the past. Choose one that was created before ransomware infection.
- Click Yes to begin the system restoration process.
After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Alternative software recommendations
Malwarebytes Anti-Malware
Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense
If you're looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
FAQ
RIGH is a file-encrypting virus which is named after extensions it adds to encrypted files. In short, it is the 190th variant of STOP/DJVU ransomware. This virus restricts access to personal files by encrypting them with RSA cryptography.
RIGH ransomware encrypts files using online or offline keys. You can hope to restore files if you’re subject to offline key encryption. However, you need to wait for STOP decryptor update. The solution doesn’t come easy or quick.
To find out whether your files were encrypted by online or offline key, go to C:\SystemID\PersonalID.txt and look at IDs listed here. If any of them end with t1, it indicates usage of an offline key. It also means that part or all of your files can be recovered as soon as the aforementioned decryption tool gets an update.
RIGH extension virus is a very new version of STOP/DJVU, so we’d say give a few weeks or a month for the decryption means to appear. Remember, this applies only if your files were affected by the offline key. There is no solution for online key victims.
Norbert Webb is the head of Geek’s Advice team. He is the chief editor of the website who controls the quality of content published. The man also loves reading cybersecurity news, testing new software and sharing his insights on them. Norbert says that following his passion for information technology was one of the best decisions he has ever made. “I don’t feel like working while I’m doing something I love.” However, the geek has other interests, such as snowboarding and traveling.
kamran says
hi
A few years ago, I was attacked by ransomware with the righ extension.
Is there a software to break the righ file?
Kübra Yıldız says
My files have RIGH extension, is there any possibilities to recover files in the future?
Ellaine says
My files have RIGH extension, is there any possibilities to recover files in the future?