RCRU64 Ransomware ([ID=id random 6-Mail=email].random 4) Support Topic

Any files that are encrypted with RCRU64 Ransomware V3 will have an [ID=id random 6-Mail=email].random 4 character extension appended to the end of the encrypted data filename and leave files (ransom notes) named Restore_Your_Files.txt, ReadMe.hta, Read_Me!_.txt, ReadMe_Now!.hta as explained here by Amigo-A (Andrew Ivanov). These are some examples.

[ID=rfeHv0-Mail=FilesRecoverEN@Gmail.com].03rK
[ID=qMIo8p-Mail=kamira99@tutanota.com].9C8L
[ID=Nc6GC2-Mail=psychopath7@tutanota.com].q6BH
[ID=snnCCB-Mail=Sc0rpio@mailfence.com].7v3t
[ID=y6Cllb-Mail=FreedomTeam@mail.ee].0wqA

Your ID: AfdoLo
Your Personal ID : rfehvo
Your unique ID: zlkJu2

_[ID-GRHYT_Mail-jounypaulo@mail.ee].HHE
_[ID-LQIWB_Mail-pm24@tuta.io].LRO
_[ID-RRF0H_Mail-dr.file2022@gmail.com].M4X
_[ID-L1LXB_Mail-vyptteam@zohomail.eu].Vypt
_[ID-DXNVI_Mail-Sc.computer1992@Gmail.com].L7I
_[ID-BVPKO_Mail-insomnia1441@gmail.com].MMV

RCRU64 V4 typically will include a random 5 uppercase character "ID" in the ransom note.

Your ID : YUNFY
Your ID : WEKNZ
Your ID : L1LXB

rivitna (Andrey Zhdanov) may be able to help some victims if they have an RSA private key.
 
 
Please i need your support to decrypt my files, i found all its encrypted with the below extension
 
ID=tC3C3O-Mail=Rcru64@cock.lu].oKby
 
Thank you in advanced.

ID=tC3C3O-Mail=Rcru64@cock.lu].oKby

 

Probably, this extension [ID=tC3C3O-Mail=Rcru64@cock.lu].oKby 

This is RCRU64 Ransomware

Edited by Amigo-A, 17 April 2022 - 05:49 AM.

 

ID=tC3C3O-Mail=Rcru64@cock.lu].oKby

 

Probably, this extension [ID=tC3C3O-Mail=Rcru64@cock.lu].oKby 

 

This is RCRU64 Ransomware

 

Hello Amigo,

Please i checked the website but unfortunately i didn't found the decrypt for ransomware.

That means there is no free decryptor and no way to decrypt files without paying the ransom and obtaining the private encryption keys from the criminals who created the ransomware unless they are leaked or seized & released by authorities. Without the criminal's master private key that can be used to decrypt your files, decryption is impossible. That usually means the key is unique (specific) for each victim and generated in a secure way (i.e. RSA, AES, Salsa20, ChaCha20, ECDH, ECC) that cannot be brute-forced.

Topic title changed to reflect naming convention and direct other victims to this support topic.

Hello Amigo,

 

Please i checked the website but unfortunately i didn't found the decrypt for ransomware.

 

Yes, I did not have time to complete the answer. This is the only description of this ransomware.

There is no way to decrypt files without paying a ransom. But extortionists has been using this variant for more than a year.

It is recommended to save the most important files to an external drive and disconnect from the computer. A ransom-free decryptor may be available in the future. We hope.

Edited by Amigo-A, 17 April 2022 - 01:26 PM.

Did you find any ransom notes? If so, what is the actual name of the ransom note?
Can you provide (copy & paste) the ransom note contents in your next reply?
 
Also, please attach the original ransom note and several samples of encrypted files (different formats - doc, png, jpg) AND its original (unencrypted) file for comparison so Amigo-A (Andrew Ivanov) can inspect them and possibly confirm the infection (and/or add to his database).

Hello quietman7, thank you for your response.

Here is the ransom note: 

Name: Read_Me!_.txt

Note:

All Your Files Encrypted And Sensitive Data Downloaded (Financial Documents,Contracts,Invoices etc.. ).

Edited by arimarjul, 04 December 2022 - 03:03 PM.

Hello, after my first post, one user contact me in prívate and give me a whatsapp contact of a person that can decrypt my files.

I wrote to him and after mail him a crypt file they send me a screen capture with the same file decrypted.

He offer to send me the decrypt tool if I send him 0.065 bitcoin.

Dou you know if this kind of offer is legit? Or is the same hacker that create the ransomware and also could be a member of this forum?

Edited by arimarjul, 05 December 2022 - 12:27 PM.

What was the name of the member who reached out?
 
Bleeping Computer cannot vouch for those who claim they can decrypt data or help in other ways. 
 
Ransomware victims should IGNORE, (not reply back, deal with or negotiate payments with) anyone who may contact them via Private Message (PM) on this forum or by email making claims they can decrypt your data. Please read my comments in this topic for information as to what we know about those who claim they can decrypt data (including scammers, the criminals and data recovery services).

It looks more like RCRU64 Ransomware, unless others copy it.

Then they probably switched from random 4 digit extension to 5 digits or just started to used 5 digits.