Geek's Advice

RIGJ ransomware uses encryption to restrict victim’s access to computer files

RIGJ ransomware is recognized as a new variant of virus from the infamous STOP/DJVU ransomware family. This virus infects computers disguised as a software crack and encrypts all personal files using a combination of Salsa20 and RSA-2048 encryption algorithms. During the attack, the ransomware marks each encrypted file with .rigj extension to make it recognizable. For instance, a file originally titled as 1.jpg becomes 1.jpg.rigj after being modified by the virus. To provide the victim with option to decrypt .rigj files, the ransomware drops notes called _readme.txt throughout the computer system. The ransom note instructs to contact cybercriminals via email for further information.

The sole aim of RIGJ ransomware virus is to lock your files using a technology that’s typically used to secure information transmission. The cybercriminals put it to bad use and therefore encrypt your files illegally, harassing you to keep your files encrypted forever if you refuse to pay up. In addition, they introduce the pricing of RIGJ decryption tool. The price of it, according to _readme.txt contents, ranges between $490 and $980. If the victim writes to the attackers via given emails (manager@mailtemp.ch or helprestoremanager@airmail.cc) and settles an agreement within 72 hours, the price of the decryption will be lower, otherwise the victim needs to pay full price.

The criminals also recommend sending one encrypted file to them to get it decrypted for free. Unfortunately, they may refuse to decrypt it if they discover that it contains valuable information. The point fo the test decryption isn’t to restore valuable information to you – it is simply used to encourage you to pay a ransom after proving that the offenders actually can restore your data.

If your files were encrypted, you should know that decryption of files affected by STOP/DJVU is only possible under certain circumstances. You can learn more about it in this guide here.

Let us draw your attention to the fact that cybersecurity experts as well as FBI advise against ransom payments. First of all, paying doesn’t guarantee data recovery – it is the most important argument. Second, paying means funding further illegal operations and helping criminals to employ more people. Third reason is that criminals already make millions from extorting computer users yearly, which lures even non-skilled people to join these operations. Finally, we do not recommend paying the ransom because this ransomware also compromises your computer with AZORULT or VIDAR Trojan, malware that is capable of stealing various private details that can be used to blackmail and extort you further.

If you have unfortunately fallen victim to a ransomware attack, removing the threats from your computer is a matter of an utmost importance. When it comes to severe threats like this, our experts recommend booting the system in Safe Mode with Networking as explained in the guide below. To remove RIGJ ransomware virus securely, make use of a robust antivirus software of your choice. Our team of experts recommend using one with excellent malware detection rate and real-time protection, for instance, . As an additional measure, you may want to download to repair virus damage to Windows OS files.

Ransomware Summary

Name	RIGJ Ransomware Virus
Type	Ransomware; Crypto-malware; Virtual Extortion Virus
Family	STOP/DJVU
Encryption type	RSA 2048 + Salsa20
Previous versions	VYIA, QBAA, FOPA, VTYM, KQGS, XCBG, BPQD (find full list here)
Version	352nd
Extension	.rigj
Cybercriminal emails	manager@mailtemp.ch, helprestoremanager@airmail.cc
Additional malware dropped	Azorult or Vidar Trojan
Damage	The ransomware compromises the target Windows system disguised as a software crack and then proceeds to encrypt all personal files stored on the computer and connected drives. The virus also marks each file with additional .rigj extension. Next, it drops _readme.txt ransom note in every affected data folder. The virus also deletes Volume Shadow Copies to block access to System Restore points. Next, the ransomware alters Windows HOSTS file by adding a list of websites to block on the host, thus restricting victim’s access to various computer help sites. This ransomware often infects computers with information stealers such as AZORULT Trojan or VIDAR.
Ransom note	_readme.txt
Ransom demand	$490-$980 in Bitcoin
Distribution	Victims often download this ransomware along illegal torrent downloads, cracked software, activators, key generators or tools like KMSPico.
Known software cracks to contain this malware	Corel Draw, Tenorshare 4ukey, Adobe Photoshop, Cubase, Adobe Illustrator, Internet Download Manager, Tally, League of Legends.
Detection names	Trojan:Win32/Krypter.AA!MTB (Microsoft), Gen:Variant.Fragtor.36858 (B) (Emsisoft), UDS:Trojan.Win32.Scarsi.gen (Kaspersky), Gen:Variant.Fragtor.36858 (BitDefender), MachineLearning/Anomalous.95% (Malwarebytes), Packed.Generic.528 (Symantec) see all detection name variations on VirusTotal
Removal	Remove ransomware and related malware from your PC using professional software of your choice. We highly recommend using INTEGO Antivirus. To repair virus damage on Windows OS files, consider scanning with RESTORO.

REMOVE MALWARE & REPAIR VIRUS DAMAGE

Ransomware distribution scheme explained

Ransomware-type viruses are distributed either as malicious email attachments, hidden in illegal downloads (mostly torrents), fake software updates, with the help of exploit kits or compromised ad networks. In the vast majority of cases, ransomware threats designed to infect home computer users use rather primitive and only rely on malicious torrents and email spam. We will discuss these methods used to infect computers with crypto-viruses and explain how to avoid getting infected in the future.

One of the most common places to find malicious downloads that may carry ransomware infections is online torrent libraries. People often visit these websites when searching for popular software or game cracks, hoping to install and activate premium versions for free. Often times, such computer users go as far as downloading cracks from several websites and launching both just to see which one works – moreover, they tend to ignore their antivirus warnings if any arise. There is a popular misconception that all software cracks get marked as malicious by antivirus although they’re not. Believe us when we say it is better to stay on the safe side and avoid opening a file if it gets marked as dangerous.

Victim’s of previous STOP/DJVU ransomware versions report getting infected after opening torrents supposed to provide full versions of these software and games:

• Adobe Photoshop;
• Adobe Illustrator;
• Corel Draw;
• Cubase;
• Opera Browser;
• Tenorshare 4ukey;
• Fifa20;
• AutoCad;
• League of Legends;
• KMSPico;
• Internet Download Manager;
• VMWare Workstation.

Remember that this isn’t a complete list and attempts to download any software illegally can land you a ransomware infection instantly. Moreover, trying to access pirated software version is simply an act of copyright infringement. Let us remind you that this whole process of finding a functional pirated copy of software and risks associated with it are simply not worth it because a legitimate software license rarely costs more than insane amounts of money demanded by cybercriminals and other damage they may inflict after stealing your private data. For this reason, we suggest that you support software developers and get secure copy of computer programs.

Aside from this methodology, cybercriminals also try to attack potential victims via email. They compose emails and attach files to them, then distribute these messages to thousands of users. Often times, offenders pretend to be someone the victim knows, for example, an international company, a boss, colleague, local law enforcement agent or similar. The email often suggests viewing attached contents and replying to the sender as quickly as possible.

One detail that is similar in all of these malicious emails is that you can sense the sender’s urgent tone. Another thing to look out for is unfamiliar greeting line. Moreover, you should not let the sender’s email address convince you because nowadays cybercriminals often make use of email spoofing techniques. Our general advice is to ask yourself whether you were waiting for an email of such kind at all. Do not let your curiosity trick you into opening something that you shouldn’t.

In certain scenarios, cybercriminals compromise legitimate ad networks and inject malicious script into them. This results in malicious ads being displayed for regular computer users when they visit websites serving ads from that particular ad network. If they happen to click on the advertisement, they get redirected to malicious domains instantly or get a file downloaded to their computers.

Last but not least, we’d like to mention deceptive STOP/DJVU decryption tools advertised by cybercriminals from other ransomware gangs. Be careful when searching for a solution online because one might simply not exist yet as explained here. To illustrate, ZORAB ransomware operators are spreading fake STOP/DJVU decryption tools claiming they are capable of decrypting files encrypted with online key. Once the potential victim opens such “decryption tool”, their files get double encrypted.

More details about the ransomware operation

If you’re looking to get more details on how this ransomware operates, this section is for you.

RIGJ ransomware virus binary begins the attack by downloading build.exe, build2.exe and build3.exe executables from its server. The virus then takes a screenshot of victim’s desktop and sends it to its Command&Control server along with other information collected about the computer. The virus sends a GET request to https[:]//api.2ip.ua/geo.json to extract information about victim’s computer’s geolocation. The response from the domain is then saved to geo[1].json file as depicted below. The following file contains victim’s country code, zip code, longitude and latitude information and more.

Additionally, the virus collects data about victim’s computer hardware, active processes and installed software, saves it to information.txt file and sends it to its Command&Control server.

The virus then compares the extracted country code to its own list of exception countries and in case a match is found, the ransomware terminates itself. The following list of countries are exempted from encryption procedure:

Russian Federation, Uzbekistan, Kyrgyzstan, Armenia, Syria, Tajikistan, Belarus and Kazachstan.

If the ransomware finds out that the computer can be attacked, it then gets a unique encryption key from its C2 server. If this operation fails due to connectivity error, the malware uses a hardcoded key, also known as the offline encryption key instead. An indicator of this encryption type is t1 symbols at the end of personal ID in file C:\SystemID\PersonalID.txt. Offline encryption is a better thing for the victim since it gives hope to decrypt .rigj files in the future (see more information here).

If your personal ID ends in different set of characters, it means that online encryption was used. The virus also writes both the encryption key and unique ID to bowsakkdestx.txt file as well as shown in the image below.

Once the ransomware prepares for the actual encryption procedure, it then begins scanning every data folder and using Salsa20+RSA-2048 encryption type on the files. During the encryption phase, the ransomware also marks each file with .rigj extension and leaves _readme.txt notes behind. You can see a screenshot of compromised data folder down below.

Check the contents of _readme.txt note as shown in the image below.

Next thing done by this virus is elimination of Volume Shadow Copies. The malware achieves it by running the following command via CMD prompt: vssadmin.exe Delete Shadows /All /Quiet.

Some variants of STOP/DJVU also have a tendency to modify Windows HOSTS file by adding a domain list to it. The virus connects these domains to a localhost IP only to cause a DNS resolution error for the victim. In such case, the victim might notice DNS_PROBE_FINISHED_NXDOMAIN error in Google Chrome or another browser.

The discussed ransomware also drags information-stealing Trojans to the system. Some of the Trojans seen in these attacks are called AZORULT or VIDAR and are capable of stealing Skype chat history, browser history, login credentials for application accounts, browser-saved passwords, banking details and other sensitive data.

Remove RIGJ Ransomware Virus and Decrypt Your Files

If your computer was infected with malware and now all of your files are encrypted, do not hesitate and take the situation in your own hands. You should remove RIGJ ransomware virus as soon as possible, and what you need to do is to ensure that you have a robust antivirus software for this task (for example, , then run your PC in Safe Mode with Networking as explained below and set your antivirus to run a system scan (full). Afterward, you may want to download and scan with to repair virus damage on Windows OS files.

Now that RIGJ virus removal is done, ensure that you let your local law enforcement agency know about the incident and change all of your passwords associated with the compromised computer as soon as you can. Moreover, check if you have data backups and ensure you use them only after removing the virus from the system completely. For additional help in repairing or decrypting files locked by STOP/DJVU, see this tutorial.

OUR GEEKS RECOMMEND

Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:

GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.